Firm Says Untrained Developers Jeopardize Cloud Security
Developers lacking security training unknowingly jeopardize public cloud computing environments, says a new report from RedLock Inc.
The firm, which says it's a "cloud infrastructure security company," found many security issues on public cloud infrastructure primarily caused by user misconfigurations, rather than any inherent problems in the platforms themselves.
RedLock yesterday published these findings in its first "Cloud Infrastructure Security Trends" report. While identifying myriad problems in public cloud computing environments, the report featured the Amazon Web Services Inc. (AWS) cloud prominently.
"Shockingly, the team determined that 82 percent of databases in public cloud computing environments such as Amazon Relational Database Service and Amazon RedShift are not encrypted," the report said.
The report explained how untrained developers can contribute to security problems.
"The average developer typically does not have any formal security training which could result in accidentally exposing sensitive data and infrastructure to malicious actors," the report said. "The problem is further exacerbated in public cloud computing environments where developers can rapidly adopt new technologies without understanding the security implications."
It also identified several other issues besides sensitive data being left exposed, including weak network controls, poor governance and tough compliance complications.
Regarding the vulnerable databases, the security firm singled out MongoDB instances as a cause of worry to security professionals. Those open source databases were primary targets of a ransomware hijacking attack early this year.
"To make matters worse, 31 percent of those [unencrypted] databases were accepting inbound connection requests from the Internet, which is a very poor security practice," the report said. "Most notably, MongoDB instances saw significant inbound traffic with port 27017 being amongst the top five ports for inbound Internet connections."
And, again, AWS offerings were noted as examples.
"On a similar note, RedLock CSI researchers also discovered that 40 percent of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public," the report said. "In March 2017, at least 20,000 customer records containing sensitive data were exposed at Scottrade due to such a misconfiguration."
Key highlights of the report as identified by RedLock in a news release include:
- Sensitive data such as PII [Personally Identifiable Information] and PHI [Protected Health Information] is left exposed because basic data security best practices such as encryption and access control are not being enforced.
- Network security is being overlooked by allowing unfettered access to sensitive applications.
- Lack of user access controls is leading to poor security hygiene amongst users.
- Achieving continuous compliance is hard in a constantly changing environment.
The company said its research team has identified 4.8 million exposed records with sensitive data, including PII and PHI.
The situation was so bad on the AWS cloud that the company last month issued an alert titled "Publicly Shared Amazon RDS and EBS Snapshots Expose Confidential Information." RedLock emphasized that the AWS issues weren't caused by the cloud platform itself -- they result from poor configuration practices on the part of cloud users.
"The RedLock security research team discovered a common misconfiguration in Amazon Relational Database Service (RDS) and Amazon Elastic Block Store (EBS) where snapshots have inadvertently been granted 'public' access," the April alert said. "This potentially exposes sensitive enterprise data to unauthorized users."
The alert specifically mentioned that RedLock found some 300,000 customer e-mails and encrypted passwords belonging to a Fortune 50 enterprise and about 500,000 customer and employee records belonging to a healthcare supply chain management vendor, with clients including most major healthcare providers.
RedLock further discussed last month's security alert in a blog post yesterday, in which the company said: "Any user with valid AWS credentials can easily find and access unencrypted data volumes that have been publicly shared and subsequently gain access to all the information stored within these backups. Customers are advised to immediately assess their infrastructure for this vulnerability and take appropriate actions to fix the configuration error."
Meanwhile, in yesterday's new follow-up research report, the company provided many tips for security-conscious organizations using public clouds, including:
- Automatically discover database and storage resources as they are created in public cloud computing environments.
- Implement continuous configuration monitoring to ensure that encryption is enabled for these resources, and public access is disabled.
- Monitor network traffic to ensure these resources are not communicating directly with services on the Internet.
- Monitor and redirect unencrypted Web traffic from port 80 to port 443 using HSTS [HTTP Strict Transport Security].
- Ensure services are configured to accept traffic from the Internet on an as-needed basis.
- Implement a "deny all" default outbound firewall policy.
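The snapshot alert above and the report's first three tips describe the same defensive routine: inventory database and storage resources, then continuously check that encryption is on, that public sharing is off, and that nothing accepts inbound connections from the Internet. The following script is an added example, not RedLock's tooling or any AWS code; it runs the checks offline over a constructed inventory whose record shapes are modelled on AWS `describe_*` responses (EBS `createVolumePermission` entries with `{"Group": "all"}` for public, the RDS snapshot `restore` attribute containing `"all"`). The resource names are hypothetical, and the field names are assumptions to confirm against your SDK's documentation before pointing this at a real account.

```python
"""Offline audit of a constructed cloud inventory for the misconfigurations
the RedLock report describes: unencrypted databases, databases reachable
from the Internet (MongoDB's port 27017 being the report's example), and
RDS/EBS snapshots shared publicly.  Record shapes are modelled on AWS
describe_* responses; treat the field names as assumptions to verify."""
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample inventory: hypothetical names, no real account data.
INVENTORY: Dict = {
    "databases": [
        {"Id": "orders-mongo", "Engine": "mongodb", "Encrypted": False,
         "SecurityGroups": ["sg-orders"], "Port": 27017},
        {"Id": "hr-postgres", "Engine": "postgres", "Encrypted": True,
         "SecurityGroups": ["sg-private"], "Port": 5432},
        {"Id": "legacy-mysql", "Engine": "mysql", "Encrypted": False,
         "SecurityGroups": ["sg-private"], "Port": 3306},
    ],
    # Inbound rules per security group, one dict per rule.
    "security_groups": {
        "sg-orders": [{"FromPort": 27017, "ToPort": 27017, "IpRanges": [ANY_IPV4]}],
        "sg-private": [{"FromPort": 0, "ToPort": 65535, "IpRanges": ["10.0.0.0/8"]}],
    },
    # EBS createVolumePermission entries; {"Group": "all"} means public.
    "ebs_snapshot_permissions": {
        "snap-0aaa": [{"Group": "all"}],
        "snap-0bbb": [{"UserId": "111122223333"}],
    },
    # RDS snapshot 'restore' attribute: account ids, or "all" for public.
    "rds_snapshot_attributes": {
        "orders-mongo-final": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
        "hr-postgres-nightly": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}],
    },
}


def rule_opens_port_to_internet(rule: Dict, port: int) -> bool:
    """True if an inbound rule covers `port` for any Internet source."""
    in_range = rule["FromPort"] <= port <= rule["ToPort"]
    return in_range and any(cidr in (ANY_IPV4, ANY_IPV6) for cidr in rule["IpRanges"])


def unencrypted_databases(inv: Dict) -> List[str]:
    """Databases whose storage is not encrypted at rest."""
    return [db["Id"] for db in inv["databases"] if not db["Encrypted"]]


def internet_exposed_databases(inv: Dict) -> List[str]:
    """Databases whose listening port is open to 0.0.0.0/0 or ::/0."""
    found = []
    for db in inv["databases"]:
        rules = [r for sg in db["SecurityGroups"]
                 for r in inv["security_groups"].get(sg, [])]
        if any(rule_opens_port_to_internet(r, db["Port"]) for r in rules):
            found.append(db["Id"])
    return found


def unencrypted_and_exposed(inv: Dict) -> List[str]:
    """The report's worst case: unencrypted AND accepting Internet traffic."""
    exposed = set(internet_exposed_databases(inv))
    return [db_id for db_id in unencrypted_databases(inv) if db_id in exposed]


def public_ebs_snapshots(inv: Dict) -> List[str]:
    """EBS snapshots whose createVolumePermission grants the 'all' group."""
    return [sid for sid, perms in inv["ebs_snapshot_permissions"].items()
            if any(p.get("Group") == "all" for p in perms)]


def public_rds_snapshots(inv: Dict) -> List[str]:
    """RDS snapshots whose 'restore' attribute includes 'all'."""
    found = []
    for sid, attrs in inv["rds_snapshot_attributes"].items():
        if any(a["AttributeName"] == "restore" and "all" in a["AttributeValues"]
               for a in attrs):
            found.append(sid)
    return found


def audit(inv: Dict) -> Dict[str, List[str]]:
    """Run every check and return findings keyed by check name."""
    return {
        "unencrypted_databases": unencrypted_databases(inv),
        "internet_exposed_databases": internet_exposed_databases(inv),
        "unencrypted_and_exposed": unencrypted_and_exposed(inv),
        "public_ebs_snapshots": public_ebs_snapshots(inv),
        "public_rds_snapshots": public_rds_snapshots(inv),
    }


if __name__ == "__main__":
    for check, ids in audit(INVENTORY).items():
        print(f"{check}: {', '.join(ids) if ids else 'none'}")
```

Run on a schedule rather than once: the report's point about 127-minute resource lifetimes means a finding list is stale almost immediately, so the value is in feeding each run's output into alerting and comparing it against the previous run.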
"Public cloud computing environments are incredibly dynamic -- our research shows that the average lifespan of a cloud resource is only 127 minutes -- and traditional security strategies can't keep pace," said RedLock CTO Gaurav Kumar in a statement. "Our report, which analyzed over 1 million cloud resources and 12 petabytes of network traffic, unmistakably shows the need for solutions that help manage security and compliance risks with ease, speed and automation."
In explaining the methodology behind the report, RedLock said that in addition to the RedLock CSI team's analysis across the company's customer environments, "the team also actively probed the Internet for vulnerabilities in public cloud infrastructure."
The RedLock report is the latest of many research efforts that place the blame for security vulnerabilities squarely on developers, though a "rush to release" is often cited as the contributing factor rather than a lack of security training.
For example, here are several such reports that ADTMag has covered:
David Ramel is an editor and writer for Converge360.