Top 10 Cloud security tips

About half of the pen tests we’re asked to do involved cloud services at some point. We’ve even tested a cloud platform on an aeroplane – the irony was not lost on us!

There is a multitude of ways to improve the security of your cloud platforms and often those ways are ever-changing or obscured with contradictory documentation. We’ve discovered a reoccurring pattern with cloud platforms, which we regularly see in live environments. Here are the top 10 most common security issues we find (not in any specific order).

1) Default Configurations: The out-of-the-box settings are often overly permissive and contradict best practices. It seems that vendors expect users and organisations to review and tweak each setting. I covered this topic on Azure, which can be read here.

2) Overprivileged Accounts and Groups: The principle of least privilege should also be adhered to when possible as this principle massively reduces the potential impact of compromised users or insider threats. For example, well-named groups should be created and specific permissions should be assigned to each group to ensure that permissions are not being misassigned or going unnoticed. No more use of the * wildcard!

3) Weak Credentials: An age-old issue that affects every area of IT and cybersecurity. This covers passwords for user accounts, local passwords, application (web app, API, database) passwords and secrets. The highly accessible and available nature of cloud environments makes it easier for attackers to brute force and password spraying attacks.

4) Outdated/Unsupported Software: Another classic. Outdated first and third-party software being used or hosted within the cloud. A few examples are Windows systems with missing security patches, unsupported OSes such as Windows XP, and outdated web libraries used in APIs, web apps and serverless functions.

5) Unencrypted Resources: The lack of data-in-rest and data-in-transit encryption is an integral part of IT security and compliance, especially in public cloud environments where your company data is stored on systems outside of your control and potentially country. Data has to travel further than usual, which increases the number of network devices it passes through, which also increases the likelihood of eavesdropping.

6) Lack of Monitoring and Alerting: Cloud platforms remove the safety blanket of hard-to-access domains and networks. Your entire platform is hosted and accessed remotely, meaning that an attacker doesn’t need to socially engineer their way into your building or phish your users, or compromise VPN/remote desktop solutions. This amplifies the need for monitoring and alerting as attacking your environment is a lot easier now.

7) Unsecured Networking: This is a wide-ranging issue that spans from a lack of network segregation to poor firewall configurations. All networks should be properly planned and protected with firewall rules, network security groups and access control lists to limit the flow of inbound and outbound traffic. Externally accessible systems should also be configured to only allow access to necessary services. It should also be noted that some solutions are stateful and stateless, which affects your network security rules.

8) Insufficient Storage Access Controls: Publicly accessible and writeable storage services are one of the top reasons for most cloud-related data breaches as they are easily identifiable and typically contain sensitive information.

9) Vulnerable APIs and Serverless Functions: Hosting applications within the cloud brings new but familiar risks such as Server-Side Request Forgery (SSRF) as vulnerable apps can be leveraged to gain a foothold in your cloud platform by creating or exposing valid credentials. Hosting applications in the cloud and behind a WAF will not mitigate any security risks.

10) Lack of User Training: Technology is not a substitute for user security and awareness training as attackers always find ways around technical safeguards. Multi-factor authentication is a great safeguard but the lack of user awareness often leads to users handing out one-time passwords or accepting push notifications.

Get these addressed before they’re found in a pen test, or during a breach

There’s more advice on basic cloud security here: https://www.pentestpartners.com/penetration-testing-services/cloud-services-security/