Cloud Infrastructure Security Trends + 14 Tips to Fortify Your Public Cloud Environment

Published by the RedLock CSI Team, May 2017 Edition

Table of Contents

Introduction
Key Takeaways
01 Sensitive Data Left Exposed
02 Weak Network Controls Invite Trouble
03 Poor Governance Creates Risk
04 Developers Unknowingly Jeopardize Security
05 Achieving Compliance Just Got Harder
Ready to Take Action?

© 2017 RedLock Inc. All rights reserved.

INTRODUCTION

If you are a fan of Ocean’s Eleven, you will remember the brilliance with which George Clooney and his ten accomplices executed the most sophisticated casino heist in history. Initially, they carried out reconnaissance to learn about the Bellagio building, the security systems, and the routines of the casino staff. Based on what they learned, the team put together a calculated and well-rehearsed plan, infiltrated the casino, and walked away with the money.

Cyberattacks are the modern-day heists, where the goal is to exfiltrate sensitive corporate data. They tend to be fairly sophisticated and involve reconnaissance, planning, infiltration, and exfiltration. Over the last few decades, organizations have established fairly comprehensive security architectures to combat these attacks. However, the move to public cloud computing is changing the rules of the game: sensitive corporate data is now stored on servers managed by cloud service providers such as Amazon, Microsoft, and Google. While the providers secure the physical infrastructure and provide capabilities for organizations to securely migrate resources to the cloud, organizations remain responsible for securing the content, applications, systems, networks, and users that run on that infrastructure (the shared responsibility model).

4.8M sensitive records discovered
$758M in breach costs avoided

Cloud Infrastructure Security is Challenging

Securing public cloud infrastructure is not as simple as retrofitting on-premises security solutions to protect dynamic cloud environments. The high velocity of change in cloud computing environments makes security very challenging. To put things in perspective, our research indicates that the average lifespan of a cloud resource is 127 minutes. The problem is further amplified in large cloud computing environments with thousands of resources.

The end result is weak security and compliance postures across public cloud computing environments. We commissioned the RedLock Cloud Security Intelligence (CSI) team to produce this report to illustrate the severity of the issue and to educate organizations on cloud infrastructure security best practices.

RedLock CSI Team and Methodology

The RedLock CSI team consists of elite security analysts, data scientists, and data engineers with deep security expertise from companies such as Microsoft, Credit Suisse, and Honeywell. The team’s mission is to enable organizations to confidently adopt public cloud infrastructure by researching cloud threats, advising organizations on cloud security best practices, and frequently publishing out-of-the-box policies in the RedLock Cloud 360™ platform.

So far in 2017, the CSI team has discovered 4.8 million exposed records containing sensitive data belonging to dozens of organizations, ranging from small businesses to Fortune 50 companies. The team notified the affected organizations and has helped them avoid over $758 million in breach costs this year. The CSI team also publishes security advisories to raise awareness about the issues.

The data in this report is based on the RedLock CSI team’s analysis across our customers’ environments, which comprise over one million resources processing 12 petabytes of network traffic. In addition, the team actively probed the internet for vulnerabilities in public cloud infrastructure. The percentages that follow therefore describe the environments in that sample rather than public cloud usage as a whole.

KEY TAKEAWAYS

01 Sensitive Data Left Exposed
Sensitive data such as PII and PHI is left exposed because basic data security best practices such as encryption and access control are not being enforced in public cloud computing environments.

02 Weak Network Controls Invite Trouble
Network security is being overlooked by allowing unfettered access to public cloud computing environments.

03 Poor Governance Creates Risk
A lack of controls over user access to public cloud infrastructure is leading to poor security hygiene amongst users.

04 Developers Unknowingly Jeopardize Security
Developers are inadvertently introducing risks to public cloud computing environments due to a lack of security expertise, especially when it comes to new technologies.

05 Achieving Compliance Just Got Harder
Continuous compliance is hard to achieve in a constantly changing public cloud computing environment.

01 SENSITIVE DATA LEFT EXPOSED

The Bellagio vault was so well secured that the Ocean’s Eleven team had to create a replica to practice maneuvering in it. In the world of technology, databases and storage resources merit the same level of security, as they often contain an organization’s crown jewels: sensitive data. In fact, industry best practices for securing these resources are well established. The RedLock CSI team assessed database and storage resources in public cloud environments for compliance with these best practices.

Key Findings

As a best practice, databases containing sensitive data should always be encrypted. Failure to do so may result in violations of compliance mandates such as PCI DSS and HIPAA. Shockingly, the team determined that 82% of databases in public cloud computing environments such as Amazon Relational Database Service (Amazon RDS) and Amazon Redshift are not encrypted.

To make matters worse, 31% of those databases were accepting inbound connection requests from the internet, which is a very poor security practice. Most notably, MongoDB instances saw significant inbound traffic, with port 27017 (MongoDB’s default listener port) among the top five ports for inbound internet connections.

On a similar note, RedLock CSI researchers also discovered that 40% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public. In March 2017, at least 20,000 customer records containing sensitive data were exposed at Scottrade due to such a misconfiguration.

Tips

• Automatically discover database and storage resources as they are created in public cloud computing environments.
• Implement continuous configuration monitoring to ensure that encryption is enabled for these resources and that public access is disabled. Note that Amazon RDS encryption at rest can only be selected when an instance is created: an existing unencrypted instance has to be snapshotted, the snapshot copied with encryption enabled, and the instance restored from the encrypted copy.
• Monitor network traffic to ensure these resources are not communicating directly with services on the internet.

82% of databases are not encrypted
31% of databases are accepting inbound connections from the internet
40% of organizations publicly exposed at least one cloud storage service
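The second tip can be encoded as a check. The following Python is an added example written for this edit, not code from the RedLock report or platform: it evaluates an Amazon RDS instance description for StorageEncrypted and PubliclyAccessible, and an S3 bucket's ACL and bucket policy for public grants. The records are constructed inline in the shape of the `describe_db_instances`, `get_bucket_acl` and `get_bucket_policy` API responses (boto3 is not called, so it runs offline); the function names, sample identifiers and finding texts are this example's own. The bucket-policy check treats a wildcard principal that carries a Condition block as not public, which is a simplification: a real evaluator has to inspect the condition itself.

```python
import json
from typing import Dict, List

# Constructed sample: entries in the shape of
# rds.describe_db_instances()["DBInstances"], trimmed to the relevant keys.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "StorageEncrypted": False, "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "reports-prod", "Engine": "mysql",
     "StorageEncrypted": True, "PubliclyAccessible": False},
]

# ACL grantee URIs that mean "everyone" / "any AWS account".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: "Grants" as returned by s3.get_bucket_acl() and "Policy"
# (a JSON string, or None when no policy exists) as returned by s3.get_bucket_policy().
SAMPLE_BUCKETS = {
    "customer-exports": {
        "Grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
        "Policy": None,
    },
    "static-assets": {
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"},
                    "Permission": "FULL_CONTROL"}],
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::static-assets/*"}]}),
    },
    "audit-logs": {
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"},
                    "Permission": "FULL_CONTROL"}],
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::audit-logs/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0abc"}}}]}),
    },
}


def audit_db_instances(instances: List[Dict]) -> List[str]:
    """One finding per unencrypted or publicly addressable database."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append(f"{name}: storage not encrypted at rest")
        # PubliclyAccessible gives the endpoint a public IP; whether anyone can
        # actually connect is then decided by the instance's security group.
        if db.get("PubliclyAccessible", False):
            findings.append(f"{name}: PubliclyAccessible=true (public endpoint)")
    return findings


def _principal_is_wildcard(principal) -> bool:
    # Principal may be "*" or {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_grants_public_access(policy_json) -> bool:
    """True if an Allow statement names a wildcard principal without any Condition."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(st.get("Effect") == "Allow"
               and _principal_is_wildcard(st.get("Principal"))
               and not st.get("Condition")
               for st in statements)


def acl_grants_public_access(grants: List[Dict]) -> bool:
    """True if the ACL grants anything to the AllUsers or AuthenticatedUsers groups."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS for g in grants)


def audit_buckets(buckets: Dict[str, Dict]) -> List[str]:
    findings = []
    for name, b in buckets.items():
        if acl_grants_public_access(b["Grants"]):
            findings.append(f"{name}: ACL grants access to a public group")
        if policy_grants_public_access(b["Policy"]):
            findings.append(f"{name}: bucket policy allows a wildcard principal")
    return findings


if __name__ == "__main__":
    for line in audit_db_instances(SAMPLE_DB_INSTANCES) + audit_buckets(SAMPLE_BUCKETS):
        print(line)
```

Run against the sample, the unencrypted and publicly addressable `orders-prod` instance, the ACL-exposed `customer-exports` bucket and the policy-exposed `static-assets` bucket are reported, while `audit-logs` (wildcard principal limited to one VPC endpoint) is not.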

02 WEAK NETWORK CONTROLS INVITE TROUBLE

During the planning phase, the Ocean’s Eleven team carried out reconnaissance at the Bellagio to learn as much as possible about the security, the routines and behaviors of the casino staff, and the building itself. They ultimately succeeded in smuggling explosives into the Bellagio vault by having a team member pose as a wealthy international arms dealer who needed especially secure safekeeping for his valuables.

This analogy is all too familiar in the cybersecurity world, where malicious actors continually attempt to exploit network weaknesses and breach computing environments. Over the years, on-premises networks have been hardened with access controls and encryption. Public cloud networks are not immune to these issues and require similar security controls. The RedLock CSI team studied public cloud computing environments to assess their network security hygiene.

Key Findings

It is generally accepted that data in transit should be encrypted. However, the research revealed that 51% of the network traffic in public cloud infrastructure environments still occurs on port 80, the default HTTP port, which carries cleartext (unencrypted) traffic. This leaves the traffic open to interception and man-in-the-middle tampering. Port is a proxy for encryption here: traffic to port 80 is almost always plaintext HTTP, while cleartext protocols on other ports (and TLS on non-standard ports) are not captured by this figure.

Ideally, only load balancers and bastion hosts should be exposed to the internet. However, the team found that 9% of workloads that were neither load balancers nor bastion hosts were accepting traffic from any IP address (0.0.0.0/0) on any port.

Best practices dictate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach. Analysis showed that an alarming 93% of resources in public cloud environments do not restrict outbound traffic at all. This is the default behavior: a newly created AWS security group, for example, allows all outbound traffic until that egress rule is removed.

Tips

• Redirect unencrypted web traffic from port 80 to port 443 and set the HTTP Strict-Transport-Security (HSTS) header on HTTPS responses. HSTS does not itself redirect anything: it tells browsers that have already seen the header to use HTTPS on later visits, so the server still needs an HTTP-to-HTTPS redirect, and non-browser clients are unaffected. Monitor for port 80 traffic that remains afterwards.
• Ensure services are configured to accept traffic from the internet only on an as-needed basis: specific ports, from specific source ranges.
• Implement a “deny all” default outbound firewall policy and allow only the destinations each workload needs.

51% of network traffic in the cloud is not encrypted
9% of workloads accept traffic from any public IP address on any port
93% of resources do not restrict outbound traffic at all
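The second and third tips, as an added example written for this edit (not the report's or the RedLock platform's code): a pass over security groups in the shape of `ec2.describe_security_groups()["SecurityGroups"]` that flags ingress from 0.0.0.0/0 or ::/0 on all ports, SSH or RDP open to the world, and egress rules that allow everything. The groups are constructed inline and the finding strings are this example's own. It does not classify instances as load balancers or bastion hosts, so the "any port from any address" finding has to be read against the workload's role; the 443-from-anywhere rule on the load-balancer group is deliberately not flagged.

```python
from typing import Dict, List

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"],
# trimmed to the keys read below. IpProtocol "-1" means "all protocols" and such
# rules carry no FromPort/ToPort.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-lb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "app-wide-open",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "db-private",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}],
     # The AWS default egress rule: everything, everywhere.
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

WORLD = {"0.0.0.0/0", "::/0"}


def _rule_sources(rule: Dict) -> set:
    """All CIDR sources (v4 and v6) a rule applies to."""
    return ({r["CidrIp"] for r in rule.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])})


def _rule_is_all_ports(rule: Dict) -> bool:
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def _rule_covers_tcp_port(rule: Dict, port: int) -> bool:
    """True if the rule admits TCP traffic to `port` (all-protocol rules count)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def analyze_security_group(sg: Dict) -> List[str]:
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not (_rule_sources(rule) & WORLD):
            continue                       # not reachable from the internet
        if _rule_is_all_ports(rule):
            findings.append("ingress: any port from any address")
        elif _rule_covers_tcp_port(rule, 22):
            findings.append("ingress: SSH (22) from any address")
        elif _rule_covers_tcp_port(rule, 3389):
            findings.append("ingress: RDP (3389) from any address")
    for rule in sg.get("IpPermissionsEgress", []):
        if _rule_is_all_ports(rule) and (_rule_sources(rule) & WORLD):
            findings.append("egress: unrestricted (all ports to any address)")
    return findings


def analyze_all(groups: List[Dict]) -> Dict[str, List[str]]:
    """Map GroupId -> findings, omitting groups with none."""
    result = {}
    for sg in groups:
        issues = analyze_security_group(sg)
        if issues:
            result[sg["GroupId"]] = issues
    return result


if __name__ == "__main__":
    for gid, issues in analyze_all(SAMPLE_SECURITY_GROUPS).items():
        for issue in issues:
            print(f"{gid}: {issue}")
```

On the sample, `sg-0bbb` is reported for both directions and `sg-0ccc` only for its untouched default egress rule; a port range such as 20-25 from 0.0.0.0/0 is still reported as SSH exposure because the range covers port 22.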

03 POOR GOVERNANCE CREATES RISK

The Ocean’s Eleven crew posed as a SWAT team and entered the hotel without raising any red flags. Subsequently, they walked out of the front doors of the Bellagio with all of the money from the vault. We see this exact scenario play out over and over again in cybersecurity: once malicious actors breach a network, they are often able to exfiltrate data completely undetected. Preventing unauthorized access in the first place is critical. This is particularly important in public cloud computing environments, where potentially hundreds or thousands of developers have access to critical infrastructure. The RedLock CSI team analyzed user security hygiene in public cloud computing environments.

Key Findings

The research revealed that 58% of root accounts do not have multi-factor authentication (MFA) enabled. If a root account is compromised, the attackers have the keys to the kingdom: the root user has unrestricted access to the account and is not subject to IAM permission policies. This is disturbing given the number of recent high-profile breaches involving weak authentication.

On a similar note, 63% of access keys have not been rotated in the last 90 days. The longer a key lives, the longer any leaked copy of it (in a repository, a build log, or on a compromised developer laptop) remains usable, letting malicious actors infiltrate cloud environments as privileged users.

The team also discovered that 14% of user accounts are dormant: their credentials are active, but no logins have occurred in the last 90 days. Such accounts introduce unnecessary risk, since nobody is watching them yet their credentials still work.

Tips

• Enforce MFA on all user accounts, especially root accounts. Ideally, remove the root account’s access keys entirely and reserve the root user for the few tasks that require it.
• Create a policy to force periodic rotation of access keys (90 days is the interval used in this report and in the CIS AWS Foundations Benchmark).
• Ensure that dormant accounts are disabled in a timely manner.
• Establish user behavior baselines and monitor for deviations to detect anomalous user behavior.

58% of root accounts do not have MFA enabled
63% of access keys have not been rotated in 90 days
14% of user accounts are dormant
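All three findings above can be measured from a single artifact, the IAM credential report (`aws iam get-credential-report`, a base64-encoded CSV with one row per user plus a `<root_account>` row). The following Python is an added example written for this edit, not code from the report or the RedLock platform: it parses a constructed report in that CSV layout (columns trimmed to those read, timestamps and the `N/A` / `no_information` / `not_supported` tokens as the report emits them) and flags root without MFA, root access keys, console users without MFA, active keys older than 90 days, and users whose credentials are live but unused for 90 days. The account ID, user names and the fixed `AS_OF` date are assumptions chosen so the output is reproducible. IAM does not expire access keys by itself, so a rotation policy is enforced by exactly this kind of age check followed by disabling the old key.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample in the layout of the IAM credential report, trimmed to the
# columns used. Non-timestamp values are the report's own tokens.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2017-04-20T08:00:00+00:00,false,true,2015-06-01T00:00:00+00:00,2017-04-20T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2017-05-01T09:15:00+00:00,true,true,2017-03-15T00:00:00+00:00,2017-05-01T09:15:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2016-12-01T12:00:00+00:00,false,true,2016-11-01T00:00:00+00:00,2016-12-01T12:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,no_information,false,true,2017-04-25T00:00:00+00:00,2017-05-02T00:00:00+00:00,true,2016-01-10T00:00:00+00:00,N/A
"""

# Evaluate as of a fixed instant (assumed) so the sample is reproducible.
AS_OF = datetime(2017, 5, 3, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)


def _parse_ts(value: str) -> Optional[datetime]:
    """Aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _last_seen(row: Dict[str, str]) -> Optional[datetime]:
    """Most recent use of any credential: console password or either access key."""
    seen = [_parse_ts(row["password_last_used"]),
            _parse_ts(row["access_key_1_last_used_date"]),
            _parse_ts(row["access_key_2_last_used_date"])]
    seen = [t for t in seen if t is not None]
    return max(seen) if seen else None


def audit_credential_report(report_csv: str, as_of: datetime = AS_OF) -> List[str]:
    """Findings for root MFA, root keys, stale keys and dormant users, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        label = "root" if is_root else row["user"]
        key_active = {n: row[f"access_key_{n}_active"] == "true" for n in ("1", "2")}

        if is_root and row["mfa_active"] != "true":
            findings.append("root: MFA not enabled")
        if is_root and any(key_active.values()):
            findings.append("root: access keys present (remove them)")
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{label}: console password without MFA")

        # Active keys older than the rotation window.
        for n, active in key_active.items():
            if not active:
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and as_of - rotated > MAX_AGE:
                findings.append(f"{label}: access key {n} not rotated for {(as_of - rotated).days} days")

        # Dormant: something is still usable, but nothing has been used in 90 days.
        has_live_cred = row["password_enabled"] == "true" or any(key_active.values())
        last = _last_seen(row)
        if not is_root and has_live_cred and (last is None or as_of - last > MAX_AGE):
            findings.append(f"{label}: dormant (no activity in 90 days)")
    return findings


if __name__ == "__main__":
    for line in audit_credential_report(SAMPLE_REPORT):
        print(line)
```

On the sample, root is flagged for missing MFA and for a 702-day-old access key, `bob` for a console password without MFA, a 183-day-old key and dormancy, and the `ci-deploy` service user for a forgotten second key; `alice` is clean. The dormancy check deliberately considers key usage as well as console logins, otherwise every key-only service user would be reported.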

04 DEVELOPERS UNKNOWINGLY JEOPARDIZE SECURITY

The average developer typically has no formal security training, which can result in accidentally exposing sensitive data and infrastructure to malicious actors. The problem is exacerbated in public cloud computing environments, where developers can rapidly adopt new technologies without understanding the security implications.

Kubernetes is one such emerging technology that is rapidly gaining momentum. It is an open-source system for automating deployment, scaling, and management of containerized applications, developed by Google and released in 2014. Kubernetes is being used in production by global brands including Box, eBay, and The New York Times. The RedLock CSI team studied Kubernetes systems to understand common usage risks.

Key Findings

The researchers discovered 285 Kubernetes dashboards (the web-based administration interface) deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected. Upon further investigation, the team found plaintext credentials to other critical infrastructure within the Kubernetes systems. In many instances, the team found plaintext credentials to an organization’s AWS accounts, which creates a domino effect of exposures: a dashboard that requires no login lets anyone who can reach it act with the dashboard’s own service-account permissions, including reading Secret objects if that account is allowed to, and an AWS key found there extends the compromise to the account hosting the cluster.

Tips

• Enforce strong authentication mechanisms for Kubernetes systems. Do not expose the dashboard directly to the internet; reach it through `kubectl proxy` or an authenticating ingress, and grant its service account only the RBAC permissions it needs.
• Keep cloud credentials out of cluster objects where the provider offers node or instance roles instead, and restrict who can read Secret objects where credentials must be stored.
• Train developers on security best practices for public cloud infrastructure to maintain a strong security posture.

285 Kubernetes dashboards were not password protected
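The two exposures described above (a dashboard reachable from outside the cluster, and cloud credentials sitting in cluster objects) can be detected from the cluster's own API objects. The following Python is an added example written for this edit, not code from the report or the RedLock platform: it scans a constructed list of objects in the shape of `kubectl get services,secrets,configmaps -A -o json` items (trimmed to the fields read) for a dashboard Service of type LoadBalancer or NodePort, for AWS access key IDs (the `AKIA`/`ASIA` prefix plus 16 characters) in decoded Secret and ConfigMap data, and for entries whose key name says it holds an AWS secret access key. The key values are AWS's documented placeholder examples; the namespace and object names, and the assumption that the dashboard Service has "dashboard" in its name, are this example's own.

```python
import base64
import re
from typing import Dict, List

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample of API objects, trimmed to the fields read below.
# Secret data is base64-encoded exactly as the API returns it.
SAMPLE_OBJECTS = [
    {"kind": "Service", "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
    {"kind": "Service", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
    {"kind": "Secret", "metadata": {"name": "uploader-creds", "namespace": "prod"},
     "data": {"AWS_ACCESS_KEY_ID": _b64("AKIAIOSFODNN7EXAMPLE"),
              "AWS_SECRET_ACCESS_KEY": _b64("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")}},
    {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "prod"},
     "data": {"config.ini": "[s3]\nregion=us-east-1\naccess_key=AKIAI44QH8DHBEXAMPLE\n"}},
    {"kind": "ConfigMap", "metadata": {"name": "nginx", "namespace": "prod"},
     "data": {"nginx.conf": "server { listen 80; }"}},
]


def _decoded_values(obj: Dict) -> Dict[str, str]:
    """Data entries of a Secret (base64-decoded) or ConfigMap, as text."""
    values = {}
    for key, raw in (obj.get("data") or {}).items():
        if obj["kind"] == "Secret":
            try:
                values[key] = base64.b64decode(raw).decode("utf-8", "replace")
            except (ValueError, TypeError):
                continue
        else:
            values[key] = raw
    return values


def scan_objects(objects: List[Dict]) -> List[str]:
    findings = []
    for obj in objects:
        kind = obj["kind"]
        name = f"{obj['metadata']['namespace']}/{obj['metadata']['name']}"
        if (kind == "Service" and "dashboard" in obj["metadata"]["name"]
                and obj["spec"].get("type") in ("LoadBalancer", "NodePort")):
            findings.append(f"{name}: dashboard Service exposed via {obj['spec']['type']}")
        if kind in ("Secret", "ConfigMap"):
            for key, text in _decoded_values(obj).items():
                for m in AWS_KEY_ID_RE.findall(text):
                    # Only the ends of the ID are reported, so the finding itself is not a leak.
                    findings.append(f"{name} ({kind}) key {key!r}: AWS access key ID {m[:4]}...{m[-4:]}")
                if "secret_access_key" in key.lower() or "aws_secret" in key.lower():
                    findings.append(f"{name} ({kind}) key {key!r}: AWS secret access key stored in cluster")
    return findings


if __name__ == "__main__":
    for line in scan_objects(SAMPLE_OBJECTS):
        print(line)
```

Against a live cluster the same function can be fed the `items` array of the `kubectl ... -o json` output; what it reports is where credentials sit, not whether they are valid, so the follow-up is to rotate any key found and move the workload to a node or instance role.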

05 ACHIEVING COMPLIANCE JUST GOT HARDER

Entities regularly undergo a variety of audits to ensure that the requirements of particular laws and regulations are being met. With the move to cloud computing, achieving compliance just got a lot harder. A whole new set of cloud-specific best practices for configurations and access to resources has been established, against which organizations will have to demonstrate compliance. This is extremely challenging in dynamic cloud computing environments, since resources are constantly changing (recall the 127-minute average resource lifespan noted in the introduction). As a result, compliance auditing requires automation. The RedLock CSI team assessed the compliance posture of public cloud computing environments.

Key Findings

The research indicates that, on average, organizations fail 55% of the compliance checks established by the Center for Internet Security (CIS); the examples that follow are checks from the CIS AWS Foundations Benchmark. More than half of the violations (54%) are high severity issues, such as security groups that allow inbound SSH connections from any address (0.0.0.0/0). Medium severity violations, such as not enabling multi-factor authentication for all IAM users, represent 37% of the issues. Lastly, 9% of the violations are low severity issues, such as not logging Amazon Simple Storage Service (S3) bucket access.

Tips

• Implement policies that encode the CIS Benchmark checks so they can be evaluated automatically, rather than by periodic manual audit.
• Continuously monitor the cloud environment for compliance violations and remediate issues immediately.

55% of CIS compliance checks fail
Compliance violations by severity: 54% high, 37% medium, 9% low
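The first tip, checks as code, in the form a practitioner would actually keep: each benchmark item is a function that returns the offending resource identifiers, and a runner turns the results into a fail rate and a count of violations by severity, the two numbers this section reports. The following Python is an added example written for this edit, not code from the report or the RedLock platform. The account snapshot is constructed inline (in practice it is gathered from `describe_security_groups`, the IAM credential report and `get_bucket_logging`); the CIS item numbers are those of the AWS Foundations Benchmark v1.x and should be confirmed against the edition being audited; the severity labels, resource names and the simplified SSH check (which looks only at IPv4 0.0.0.0/0) are this example's own.

```python
from collections import Counter
from typing import Callable, Dict, List, NamedTuple

# Constructed account snapshot, trimmed to what the three checks read.
SNAPSHOT = {
    "security_groups": [
        {"GroupId": "sg-jumpbox", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-app", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "iam_users": [
        {"user": "alice", "password_enabled": True, "mfa_active": True},
        {"user": "bob", "password_enabled": True, "mfa_active": False},
        {"user": "ci-deploy", "password_enabled": False, "mfa_active": False},
    ],
    "s3_buckets": [
        {"Name": "cloudtrail-logs", "LoggingEnabled": False},
        {"Name": "static-assets", "LoggingEnabled": True},
    ],
}


class Check(NamedTuple):
    cis_id: str
    title: str
    severity: str                              # "high" | "medium" | "low" (example's own labels)
    evaluate: Callable[[Dict], List[str]]      # returns the ids of non-compliant resources


def ssh_open_to_world(snapshot: Dict) -> List[str]:
    """CIS 4.1: no security group allows ingress from 0.0.0.0/0 to port 22."""
    bad = []
    for sg in snapshot["security_groups"]:
        for rule in sg["IpPermissions"]:
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))
            covers_22 = rule.get("IpProtocol") == "-1" or (
                rule.get("IpProtocol") == "tcp" and rule["FromPort"] <= 22 <= rule["ToPort"])
            if world and covers_22:
                bad.append(sg["GroupId"])
                break
    return bad


def console_users_without_mfa(snapshot: Dict) -> List[str]:
    """CIS 1.2: MFA is enabled for all IAM users that have a console password."""
    return [u["user"] for u in snapshot["iam_users"]
            if u["password_enabled"] and not u["mfa_active"]]


def buckets_without_access_logging(snapshot: Dict) -> List[str]:
    """CIS 2.6 (scoped there to the CloudTrail bucket): S3 access logging is enabled."""
    return [b["Name"] for b in snapshot["s3_buckets"] if not b["LoggingEnabled"]]


CHECKS = [
    Check("4.1", "No security group allows ingress from 0.0.0.0/0 to port 22", "high", ssh_open_to_world),
    Check("1.2", "MFA enabled for all IAM users with a console password", "medium", console_users_without_mfa),
    Check("2.6", "S3 bucket access logging enabled", "low", buckets_without_access_logging),
]


def run_checks(snapshot: Dict, checks: List[Check] = CHECKS) -> Dict:
    """Evaluate every check; a check fails when it names at least one resource."""
    results = []
    for c in checks:
        offenders = c.evaluate(snapshot)
        results.append({"cis_id": c.cis_id, "title": c.title, "severity": c.severity,
                        "passed": not offenders, "offenders": offenders})
    failed = [r for r in results if not r["passed"]]
    return {
        "results": results,
        "fail_rate": len(failed) / len(results) if results else 0.0,
        "violations_by_severity": dict(Counter(r["severity"] for r in failed)),
    }


if __name__ == "__main__":
    report = run_checks(SNAPSHOT)
    for r in report["results"]:
        status = "PASS" if r["passed"] else f"FAIL {r['offenders']}"
        print(f"[{r['severity']:6}] CIS {r['cis_id']} {r['title']}: {status}")
    print(f"fail rate: {report['fail_rate']:.0%}, by severity: {report['violations_by_severity']}")
```

Because each check returns resource identifiers rather than a boolean, the same run doubles as the remediation list; re-running it on every change (rather than at audit time) is what turns a point-in-time audit into continuous compliance.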

READY TO TAKE ACTION?

About RedLock

RedLock enables an organization to manage security and compliance risks across its public cloud infrastructure, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. The RedLock Cloud 360™ platform continuously ingests massive volumes of raw, siloed data from the environment, enriches it with external threat data, and applies machine learning to produce a comprehensive risk map; no other solution provides this today. This holistic visibility enables policy-based monitoring, anomaly detection, cloud forensics, incident response, and compliance reporting.

Global brands across a variety of verticals, including several Fortune 500 corporations, trust RedLock to secure their public cloud infrastructure. In addition, RedLock was a finalist amongst hundreds of startups for the coveted title of Most Innovative Startup at RSA 2017 in San Francisco.

Get a Free Risk Assessment

Get started in minutes and obtain a free risk assessment across your public cloud infrastructure without hindering DevOps. The report will provide the following insights:

• What infrastructure is running in your public cloud environment?
• Are you secure and in compliance with established cloud security best practices?
• Is there anomalous user or network behavior in your environment?

More information: https://info.redlock.io/cloud-risk-assessment

“To protect our customers’ data, we make it a priority to secure the underlying public cloud infrastructure. We need to continuously monitor the infrastructure as well as ensure real-time visibility into risks, and RedLock enables us to do just this without impeding our agile development processes.”
- Bala Sathiamurthy, Head of Security, NerdWallet

To learn more:
Call: +1.650.665.9480
Visit: www.redlock.io

RedLock, RedLock logo, and RedLock Cloud 360 are trademarks of RedLock Inc. All other registered trademarks are the properties of their respective owners.