Top 4 cloud misconfigurations and best practices to avoid them – TechTarget

Posted: December 17, 2021 at 11:42 am

As organizations use more cloud services and resources, they become responsible for a staggering variety of administrative consoles, assets, services and interfaces. Cloud computing is a large and often interconnected ecosystem of software-defined infrastructure and applications. As a result, the cloud control plane -- as well as assets created in cloud environments -- can become a mishmash of configuration options. Unfortunately, it's all too easy to misconfigure elements of cloud environments, potentially exposing the infrastructure and cloud services to malicious activity.

Let's take a look at the four most common cloud misconfigurations and how to solve them.

Among the catalog of cloud misconfigurations, the first one that trips up cloud tenants is overly permissive identity and access management (IAM) policies. Cloud environments usually include identities that are human, such as cloud engineers and DevOps professionals, and nonhuman -- for example, service roles that enable cloud services and assets to interact within the infrastructure. In many cases, a large number of nonhuman identities are in place. These frequently have overly broad permissions that may allow unfettered access to more assets than needed.

To combat this issue, be sure to do the following:

Another typical misconfiguration revolves around exposed or poorly secured cloud storage nodes. Organizations may inadvertently expose storage assets to the internet or other cloud services, as well as reveal assets internally. In addition, they often fail to properly implement encryption and access logging where appropriate.

To ensure cloud storage is not exposed or compromised, security teams should do the following:

Overly permissive cloud network access controls are another area ripe for cloud misconfigurations. These access control lists are defined as policies that can be applied to cloud subscriptions or individual workloads.

To mitigate this issue, security and operations teams should review all security groups and cloud firewall rule sets to ensure only the network ports, protocols and addresses needed are permitted to communicate. Rule sets should never allow access from anywhere to administrative services running on ports 22 (Secure Shell) or 3389 (Remote Desktop Protocol).

Vulnerable and misconfigured workloads and images also plague cloud tenants. In some cases, organizations have connected workloads to the internet accidentally or without realizing what services are exposed. This exposure enables would-be attackers to assess these systems for vulnerabilities. Outdated software packages or missing patches are another common issue. Exposing cloud provider APIs via orchestration tools and platforms, such as Kubernetes, meanwhile, can let workloads be hijacked or modified illicitly.

To address these common configuration issues, cloud and security engineering teams should regularly do the following:

Guardrail tools can help companies avoid cloud misconfigurations. All major cloud infrastructure providers offer a variety of background security services, among them logging and behavioral monitoring, to further protect an organization's data.

In some cases, configuring these services is as easy as turning them on. Amazon GuardDuty, for example, can begin monitoring cloud accounts within a short time after being enabled.

While cloud environments may remain safe without using services like these, the more tools an organization puts in place to safeguard its operations, the better chance it has to know if an asset or service is misconfigured.
