Most security issues in the cloud can be traced back to someone doing something careless. Sorry for speaking so openly, but I don’t see any master hackers around. I see misconfigured cloud resources like storage and databases leading to easily preventable vulnerabilities.
I always teach that your first line of defense is education, not great security tools. This is often overlooked as budgets are diverted to new tools rather than to teaching managers not to do careless things. Comparing the investment required with the value gained is frustrating. Oh well.
A new threat
Although cloud squatting is being presented as a new threat, we have known about it for years. What has changed is that as we move more assets to the public cloud and new people take over responsibility for those assets, there appears to be renewed interest in this vulnerability. Maybe bad actors are also getting better at exploiting it.
The main problem is that cloud assets are often deleted without removing the DNS records that point to them, which leaves subdomains exposed. A record that is never deleted still resolves to the released IP address or hostname, and an attacker who obtains that address from the provider can serve phishing or malware content under the organization’s subdomain. This is called cloud squatting.
Resources are often provisioned and released programmatically. Provisioning assets like virtual servers and storage is fast and typically done within seconds, but de-provisioning is more involved, and that’s where things fall through the cracks.
We see many records being created that point to temporary cloud resources for different applications and tools; in the end, organizations lose track of which cloud assets and related records can be deleted. Let’s discuss how to deal with this.
Reducing cloud squatting
Identifying and remediating cloud squatting is difficult for large organizations with many domains. Moreover, global infrastructure teams have different levels of training, and if there are 100 or more people on the security admin team, you are bound to encounter this issue several times a month. Remember that it is preventable.
To mitigate this risk, security teams build internal tools that scan company domains and identify subdomains pointing into cloud provider IP ranges. These tools check whether the IP addresses in the company’s DNS records are still allocated to the company’s assets; the addresses themselves are assigned automatically by the cloud providers. I always get nervous when companies create and distribute their own security tools, because those tools might introduce a security vulnerability of their own.
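As an added illustration of what such a scanning tool does (this is example code, not the article’s or any vendor’s tool), the script below walks a zone export and flags A records that point into a cloud provider range but are no longer in the organization’s allocation inventory, plus CNAMEs whose provider-hosted target is no longer in inventory. The cloud ranges, the provider hostname suffix, the inventory and the zone records are all constructed sample data.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed stand-ins for a provider's published IP ranges (RFC 5737 documentation prefixes).
CLOUD_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed stand-in for provider-managed hostnames (storage endpoints, load balancers, ...).
CLOUD_HOST_SUFFIXES = (".example-cloud.test",)

# Constructed inventory: what the organization currently has allocated in the cloud.
ALLOCATED_IPS = {"203.0.113.10"}
ALLOCATED_HOSTNAMES = {"site.storage.example-cloud.test"}

# Constructed zone export: (subdomain, record type, value).
ZONE = [
    ("app.example.com", "A", "203.0.113.10"),        # still allocated: fine
    ("old.example.com", "A", "203.0.113.55"),        # cloud IP no longer ours: dangling
    ("corp.example.com", "A", "192.0.2.7"),          # not a cloud range: out of scope
    ("cdn.example.com", "CNAME", "site.storage.example-cloud.test"),        # in inventory
    ("legacy.example.com", "CNAME", "old-bucket.storage.example-cloud.test"),  # dangling
]


def points_to_cloud(ip: str) -> bool:
    """True if the address falls inside one of the provider ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def find_dangling(zone: Iterable[Tuple[str, str, str]],
                  allocated_ips: Set[str],
                  allocated_hostnames: Set[str]) -> List[Tuple[str, str]]:
    """Return (subdomain, reason) for every record that points at a released cloud asset."""
    findings = []
    for name, rtype, value in zone:
        if rtype == "A":
            # A cloud IP we no longer hold can be handed to any other tenant.
            if points_to_cloud(value) and value not in allocated_ips:
                findings.append((name, f"A record points to released cloud IP {value}"))
        elif rtype == "CNAME":
            target = value.rstrip(".")
            # A provider hostname we no longer own may be re-registered by someone else.
            if target.endswith(CLOUD_HOST_SUFFIXES) and target not in allocated_hostnames:
                findings.append((name, f"CNAME target {target} is no longer in inventory"))
    return findings


if __name__ == "__main__":
    for subdomain, reason in find_dangling(ZONE, ALLOCATED_IPS, ALLOCATED_HOSTNAMES):
        print(f"{subdomain}: {reason}")
```

In a real deployment the zone would come from the DNS provider’s export and the inventory from the cloud provider’s API, and the output would feed a ticket to delete or re-point the record.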
Reducing cloud squatting isn’t just about building new tools. Organizations can also use dedicated IP addresses. This means bringing IP addresses they own to the cloud, so the addresses stay under their control when an asset is released; old records can then be retired and deleted, and DNS names used consistently instead of raw addresses.
If you’re not a networking person and don’t know your DNS from your IRS, that’s okay. The idea is to eliminate the ability for old, undeleted records to be exploited. In any case, it’s not a complicated process. Additionally, implement a policy that prevents hard-coding of IP addresses and requires the use of reserved IPv6 addresses (if offered by the cloud provider).
Two-stage approach
We can deal with this risk in two stages:
First, address the large attack surface by implementing the mitigation strategies mentioned above.
Second, enforce policies on the use of DNS names and keep DNS records properly maintained so they can be managed effectively.
If this doesn’t seem too hard, you’re right. But right now, two things are making cloud squatting a bigger threat.
The first is that cloud deployments expanded rapidly during the pandemic. Enormous amounts of data were moved to the cloud, resources were allocated to host that data, and little thought was given to removing them once they became redundant. I often see this step left out of deployment playbooks. When I call people out on this, I usually get the following response: “We haven’t had time to think about it.”
The second is that we are also dealing with a talent shortage. Many of these problems can be traced to inadequate training or to hiring lower-tier cloud administrators just to keep things going. Most of the time, certifications will get you the job, whereas actual experience is what matters more. I think most businesses will need to “touch the stove” to understand the impact.