Cloud misconfiguration

A blog post by: Bhavin Barot, principal, Cyber & Strategic Risk, Deloitte Risk & Financial Advisor; Ritesh Bagayat, senior manager, Cyber & Strategic Risk, Deloitte Risk & Financial Advisory; Diana Kearns-Manolatos, senior manager, Deloitte Center for Integrated Research; Amod Bavare, principal, global Cloud Migration leader, Deloitte Consulting LLP; and Jay Parekh, senior analyst, Deloitte Center for Integrated Research. 

Many organizations globally are migrating from legacy on-premises infrastructure to the cloud with the objective of increasing business agility and resilience, but some have failed to realize the benefits that modernization provides: an opportunity to also improve their cybersecurity posture. Migrating to the cloud has the potential to reduce existing on-premises infrastructure security risks through built-in encryption, logging, private networking, monitoring, DDoS protection, automated patches, and other elements, as well as enable application security. Conversely, there are a number of technical risks to consider on the cloud migration journey; misconfiguration risk is a top security concern. An integrated cloud cyber strategy can enable organizations to use security by design in their transformation to embed security into their operating model and architectural decisions in a way that balances resilience and risk to achieve greater consumer trust through more secure experiences.

Cloud misconfiguration risk

Misconfigurations are common IT mistakes when setting up cloud architecture that could create an entry point for malicious actors to access networks and data. A recent survey indicated that more than 90% of security professionals are concerned that human error could result in the accidental exposure of their cloud data.¹ 

Another study of hundreds of cloud-native infrastructure deployments showed that 93% of cloud deployments had some misconfigured cloud storage services,² which could leave firms open to risk. According to an industry report, which reviewed publicly reported data breaches from 2018 to 2019 and identified 196 that could be attributed to cloud misconfigurations, these breaches resulted in more than 33 billion records being exposed and potentially cost companies nearly $5 trillion.³ The study identified some of the most commonly misconfigured cloud storage services associated with these data breaches, including search-related configurations (~20%), container-related configurations (~16%), and database-related configurations (~12%).⁴

Cloud misconfiguration risk is prevalent across applications, as well. One analysis found that, in 2018, almost 30% of all vulnerabilities found in cloud applications tested by the cloud security vendor were misconfiguration errors. Misconfigured cloud containers have been shown to be a vulnerability for mobile applications, with approximately 14% of mobile applications having unsecure configurations that could potentially expose personally identifiable information and enable fraud.⁵

Despite the prevalence of cloud misconfiguration and the associated risks, 99% of infrastructure-as-a-service (IaaS) misconfigurations go unnoticed. In one industry assessment, companies stated that they experienced only 37 misconfiguration incidents where in actuality, they had an average of 3,500 misconfiguration incidents per month. The report found that only 26% of companies can currently audit for IaaS misconfigurations with their security tools. And once cloud infrastructure misconfigurations were identified, nearly a quarter of respondents said it took more than a day to correct them.⁶

Four common cloud misconfiguration challenges

To remediate this threat, organizations should understand common cloud misconfiguration risks across their infrastructure and applications and take a security-by-design approach to remediating them.

• Storage: Storage misconfigurations can lead to poor technology and resource utilization, which not only leads to an unwarranted increase in operational costs, but also has security implications, given unallocated resources leave themselves open and vulnerable to attacks in an environment where many cloud deployments have misconfigured resource utilization.
• Databases: There is a misconception that moving from a relational database to cloud-native is straightforward; however, many fail to realize that cloud-native databases are not built for traditional relational security layers and require access management not at the user level, but at an application level. A simple shift to cloud database platforms can create security holes that otherwise would have been addressed with endpoint security.
• Search: With a generic ID, users can initiate data searches and access data. Misconfigured search functions that allow for broad access through generic IDs introduce security loopholes that may allow developers easy access to unnecessary or even sensitive data.
• Containers: Cloud applications, too, can introduce a range of misconfiguration risk challenges. One common one is misconfigured containers. While containers are designed to virtualize applications, misconfiguration risk can be introduced based on whether resources are read-only or can be written to and if roles-based access controls are enabled or not.⁷

A solution for cloud misconfiguration challenges

In the case of a configuration, rather than assigning generic IDs that give broad access to cloud search capabilities, organizations can address security loopholes through Zero Trust thinking and restricted user access that configures storage, database, and search access through process (e.g., credentials) or with restrictions in the infrastructure itself (e.g., containers). In the case of applications, which may heavily rely on containers, check that applications are read-only and cannot be written to and that roles-based access controls are enabled.

Across databases, search, and other infrastructure components, organizations can address this challenge by implementing proactive monitoring solutions that check the cloud network for open ports and help to orchestrate across multicloud environments. Many organizations are using cloud access security brokers (CASBs) to monitor activity across cloud services and applications for accidental configuration risks, as well as intentional policy deviations.

Finally, the complexities of misconfigured architecture can be amplified further in a multicloud and distributed services environment, especially in organizations with prevalent shadow IT culture, which makes it easier for configuration errors to go undetected, waiting for a large blast radius.⁸ A way to prevent shadow IT processes, which have the potential to amplify cloud misconfiguration challenges, is by having a strong governance processes and controls framework in place. Implementation of compliance monitoring tools and an appropriate cloud controls framework can help mitigate these misconfiguration risks.

Next steps for cloud security leaders

In conclusion, cloud migration provides an opportunity to rethink security models and capabilities. However, improperly configured clouds can lead to more vulnerabilities than before. By adopting a security-by-design approach combined with timely technology risk assessments, organizations can better understand specific technology and configuration risks and implement recommended remediations.⁹

For more on this topic, check out our recent Deloitte Insights research, “An integrated cyber approach to your cloud migration strategy.”

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Product names mentioned in this document are the trademarks or registered trademarks of their respective owners and are mentioned for identification purposes only. Inclusion does not constitute an endorsement of the product and/or service.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2021 Deloitte Development LLC. All rights reserved.