Misconfigured Cloud Applications Are Putting Your Data At Risk

Uploaded on 2022-12-13 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

As more and more organisations continue to move their systems and applications to the cloud in 2023, cybercriminals everywhere hear the sound of opportunity knocking. They know that as they hunt for vulnerable systems, this increases their chances of coming across a cloud application that has been left exposed inadvertently due to misconfiguration.

The result: an open door to valuable company data including client and employee personal information, financial data, supplier agreements, et cetera. 

With cloud misconfiguration still being considered one of the biggest threats to cloud security, if not the biggest, organisations need to revisit their cloud adoption strategies and ensure their sensitive information is properly protected by prioritising cloud security.

Time To Ditch The Default

So, how do these misconfigurations occur in the first place?

There are all kinds of reasons. Some of these cloud applications are being rolled out to serve the needs of a specific department or team. Therefore, the priority is more on the business issue it is trying to resolve than the need to integrate and interact with internal systems and endpoints securely. So, to speed up the adoption and solve the issue for that department or team, the application is rolled-out with default settings which may seem sufficient at that time.

However, default settings tend to be too open and could be easily exploited by attackers. For instance, leaving a system account with a default password.

Another issue is the inconsistent approach to configuring cloud applications. Changes are made on an ad-hoc basis and not necessarily replicated across all applications and systems. This makes it more complicated when trying to fix configuration issues, and can expose data stored in these systems to breaches.

The lesson here? IT should be brought in early, even before any new cloud application is selected, to ensure the application is tested and meets the requirements of the configuration checklist defined by the organisation. A centralised approach is also necessary to ensure changes to configurations are carried out consistently across all cloud systems and properly documented.

Cloud Security Is A Shared Responsibility

The tendency to opt for default settings is closely intertwined with another important factor that can cause security gaps in cloud services: a lack of awareness that security is a responsibility shared by many parties - including the customer themselves. 

When it comes to cloud applications, there’s no such thing as “security that is 100% handled by the vendor.”

The service provider that provides the infrastructure - think here of Amazon Web Services (AWS), Microsoft Azure, or Google Cloud - is responsible for delivering a certain foundational level of security. On top of that service provider, the cloud vendor who delivers the specific application that the organisation is using, is responsible for another layer of security. But the final piece of the security puzzle is the customer.

Assuming that “it’s in the cloud, it must be protected”, it’s the wrong assumption. In fact, the customer needs to play a big part by determining which users get to access which data, what level of privileges should they have, and so on – the vendor can’t handle that aspect.

That’s why it’s critical for organisations to understand the Shared Responsibility Model, and for all key internal and external stakeholders to be clear about their roles and responsibilities.

Avoid The Gaps

Cloud adoption will only continue to gain momentum in the year ahead, which is all the more reason to ensure that cyber criminals aren’t provided with any low hanging fruit due to misconfigured cloud systems. Unfortunately, it is a matter of “when” and not “if” an organisation will be targeted by cyber criminals. So, preparation is key.

Auditing cloud applications and their configurations, as well as confirming that all parties are clear about their shared responsibilities can make a world of difference in ensuring that organisations are able to keep their sensitive data safe and out of the hands of bad actors.

Manuel Sanchez is an Information Security & Compliance Specialist at iManage

You Might Also Read: 

DMS Alerts Should Be Key To Organisations’ Security Orchestration:

 

« US Defense Contractors Don't Meet Basic Cyber Security Standards
Remote Work: Three Top Trends In 2023 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

mile2

mile2

Mile2 develop and deliver proprietary vendor neutral professional certifications for the cyber security industry.

iXsystems

iXsystems

iXsystems is a leader in Open-Source enterprise server and storage solutions including Backup & Recovery to protect critical data.

Libraesva

Libraesva

Libraesva specialize in Email Security. From Email Security, Phishing Awareness and Email Archiver. We can assist you with any email issues you may have.

Mega

Mega

Mega is a secure cloud data storage provider with browser-based high-performance end-to-end encryption.

EIT Digital

EIT Digital

EIT Digital is a leading digital innovation and entrepreneurial education organisation driving Europe’s digital transformation. Areas of focus include digital infrastructure and cyber security.

AEI Cybersecurity

AEI Cybersecurity

AEI brings together companies, Research Centres, Universities, and other organizations interested in promoting new cybersecurity technologies.

Compass Security

Compass Security

Compass Security is a specialist IT Security consultancy firm based in Switzerland. Services include pentesting, security assessments, digital forensics and security training.

Post-Quantum

Post-Quantum

Post-Quantum offer a unique, patented quantum-resistant encryption algorithm that can be applied to existing products and networks.

ReversingLabs

ReversingLabs

ReversingLabs develops cyber threat detection and mitigation tools that address the the latest directed attacks, advanced persistent threats and polymorphic malware.

Lynx Technology Partners

Lynx Technology Partners

Lynx Technology Partners is a full service, full life-cycle risk-based security consulting firm.

Cyber Security Austria (CSA)

Cyber Security Austria (CSA)

Cyber Security Austria (CSA) is an independent non-profit association with the aim to address security issues in the area of IT/cyber security of critical/strategic infrastructures in Austria.

redGuardian

redGuardian

redGuardian is a DDoS mitigation solution available both as a BGP-based service and as an on-premise platform.

MythX

MythX

MythX is the premier security analysis service for Ethereum smart contracts.

Cyber Ireland

Cyber Ireland

Cyber Ireland brings together Industry, Academia and Government to represent the needs of the Cyber Security Ecosystem in Ireland.

Outseer

Outseer

Outseer is a leading technology company in the fight against payments fraud. Outseer reliably determines authentic customers from fraudulent behavior.

ArmorX AI

ArmorX AI

ArmorX AI (formerly Kapalya) operates an encryption management platform designed to encrypt all data in transit and at rest on mobile end-points, corporate servers, and cloud servers.