#cloud security
#cybersecurity
#data breach

Cloud Misconfigurations that Lead to Non-compliance

April 2, 2024


Uncover the main cloud misconfigurations that lead to data breaches and regulatory non-compliance and see how to address this challenge

Misconfigurations have become one of the top cloud security and compliance challenges in modern hybrid and multi-cloud environments. As 72% of organizations use two or more cloud providers, preventing misconfigurations and achieving regulatory compliance become increasingly challenging due to the rise in complexity and attack surface. According to Google’s 2024 Cybersecurity Forecast, threat actors will continue targeting vulnerabilities in cloud infrastructure and applications, particularly homing in on misconfigurations and insufficient identity protection.

By identifying and exploiting control deficiencies in the cloud, attackers can move laterally across interconnected cloud environments, potentially resulting in larger breaches. A massive cloud misconfiguration at Toyota, discovered in June 2023, led to the exposure of around a quarter-million sensitive data records. The data had been exposed since February 2015, when the misconfiguration was introduced, and included in-vehicle device IDs, map data updates, update creation dates, and map information (excluding vehicle location). The Toyota incident demonstrates both how a single misconfiguration in a cloud environment can open the door to hackers and how long a breach can go undiscovered.

In this blog, we are going to uncover the main cloud misconfigurations that lead to data breaches and regulatory non-compliance.

What are cloud misconfigurations?

Cloud misconfigurations refer to insecure settings or vulnerabilities within a cloud infrastructure that significantly heighten the risks of security breaches and regulatory non-compliance. The common reasons for cloud misconfiguration include:

Attackers frequently exploit these misconfigurations as they grant access to corporate data and systems. As such, cloud misconfigurations lead to data breaches, downtime, and compliance issues.

Let’s look at some real-life examples of cloud misconfigurations. A misconfiguration found in a Facebook database resulted in the exposure of sensitive personal information of over 530 million users. Full names, phone numbers, and some email addresses from user profiles were posted to an amateur hacking forum. Facebook decided not to notify the affected users that their data had been stolen until April 2021. While Facebook posted an account of the attack on its blog saying it had fixed the issue immediately, its reputation was tainted. The company also had to answer to federal regulators, settling a privacy case with the Federal Trade Commission that included a $5 billion penalty.

In March 2022, a major Turkish airline inadvertently exposed 6.5 terabytes of flight data, personally identifiable information (PII), and source code through a misconfigured AWS S3 bucket with inadequate access controls. The leaked data comprised more than three million files containing sensitive corporate information, including flight charts, insurance documents, and details regarding crew shifts, as well as personal data of both airline employees and customers.

Cloud misconfigurations that lead to non-compliance

Unprotected data storage

Cloud storage buckets and databases are left open to the Internet surprisingly often. Leaving cloud storage such as Google Cloud Storage or Amazon S3 buckets unprotected is an impactful misconfiguration that puts all the data they hold at risk. A frequent source of confusion in AWS S3 settings is the difference between authenticated and authorized users: the legacy "Authenticated Users" ACL grantee means any AWS account holder at all, not the organization’s own authorized users, so granting it access leaves the storage readable by everyone with an AWS account, including external users.

Two years ago, misconfigured AWS S3 buckets belonging to the breast cancer support charity Breastcancer.org exposed 150GB of protected health information (PHI). The S3 bucket contained detailed exchangeable image file (EXIF) data, over 350,000 files, and more than 300,000 images, including users’ avatars and detailed information about users’ medical test results. The exposed S3 bucket was identified by researchers on November 11, 2021, and could be accessed by anyone over the Internet without authentication.

Exposures of healthcare data such as this are a serious HIPAA violation for HIPAA-covered entities and business associates. Luckily for Breastcancer.org, it was neither the former nor the latter. However, even though the organization avoided fines, the reputational damage from the incident is hard to overestimate.

Find more details about proper AWS cloud configuration in our blog posts HIPAA Compliance on AWS Cloud and PCI Compliance on AWS Cloud.
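The "authenticated versus authorized" trap above is mechanical enough to check for. The following script is an added example (not Planet 9's code or tooling): it evaluates a bucket's ACL, bucket policy and Block Public Access settings together and reports grants to the global AllUsers and AuthenticatedUsers groups or to a wildcard Principal. The ACL, policy and Block Public Access documents are constructed samples in the shape the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs return; the bucket name and owner ID are made up.

```python
"""Flag S3 bucket settings that expose data to the public or to any AWS account.

Added example; not Planet 9's code. SAMPLE_ACL, SAMPLE_POLICY and the
public-access-block dicts are constructed in the shape the AWS APIs
GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock return; the bucket name
and owner ID are made up.
"""
import json

# Legacy ACL group grantees. AllUsers is anonymous access; AuthenticatedUsers is
# ANY AWS account in the world, which is the "authenticated vs authorized" trap.
GROUP_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Report ACL grants to the global groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = GROUP_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            out.append(f"ACL grants {grant['Permission']} to {who}")
    return out


def policy_findings(policy_json):
    """Report Allow statements whose Principal is the wildcard."""
    if not policy_json:
        return []
    out = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" not in aws:
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            out.append(f"policy allows {actions} to Principal '*' under a Condition; review it")
        else:
            out.append(f"policy allows {actions} to Principal '*' with no Condition")
    return out


def assess_bucket(acl, policy_json=None, public_access_block=None):
    """Combine ACL, policy and Block Public Access into one list of findings."""
    pab = public_access_block or {}
    fully_blocked = all(pab.get(flag) for flag in PAB_FLAGS)
    findings = acl_findings(acl) + policy_findings(policy_json)
    if fully_blocked:
        # Block Public Access overrides public ACLs and policies; keep them visible but downgraded
        return [f + " (neutralized by Block Public Access)" for f in findings]
    findings.append("S3 Block Public Access is not fully enabled")
    return findings


# Constructed sample: the owner has full control, but a READ grant to AuthenticatedUsers
# and an anonymous GetObject policy expose every object in the bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::constructed-flight-data-bucket/*"}],
})
LOCKED_DOWN = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, {}):
        print("FINDING:", finding)
    print("after enabling Block Public Access:",
          assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, LOCKED_DOWN))
```

The check deliberately keeps the public grants in the report even when Block Public Access neutralizes them: the account-level or bucket-level block is a safety net, and the underlying ACL or policy should still be cleaned up so that a later change to the block does not silently re-expose the data.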

Improper IAM and excessive permissions

Cloud solutions streamline access to data and applications, yet they introduce significant identity and access management (IAM) risks. Managing multiple accounts and credentials, along with the prevalence of mobile devices, challenges administrators to support access across diverse devices and platforms while maintaining security standards and regulatory compliance. In short, administrators must configure "anywhere, anytime, from any device" access without compromising security.

The Microsoft 2023 State of Cloud Permissions Risks report examines critical risk insights concerning identities and permissions within cloud environments. In summary, the complexity of multi-cloud setups is escalating, requiring cloud administrators to manage over 40,000 permissions. Workload identities accessing the cloud outnumber human identities by a factor of ten. Moreover, of every 20 permissions granted, only one is typically used. All of these factors, along with many others, at least double identity and access management risks. Incorrectly configured permissions can lead to data breaches, security vulnerabilities, and regulatory non-compliance. The consequences of excessive permissions can be dire, as unauthorized users may gain access to sensitive information or systems.

Excessive permissions and improper IAM are closely tied to human error. One of the most infamous data incidents in recent years that demonstrates this connection is a massive insider data breach at Tesla in which over 100 GB of sensitive information was leaked. Employees’ sensitive personal information, customer bank details, production secrets, crash reports, and thousands of incidents of drivers expressing safety concerns over Tesla’s Full Self-Driving (FSD) assistance system were stolen by the company’s former employees and shared with the German news outlet Handelsblatt. In its subsequent investigation of the breach, Tesla found that two former employees "misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet."

So, technically, the source of the leak was an insider threat. Still, one of the root causes of the incident was improper IAM policies that allowed the former employees to access and exfiltrate sensitive data. Although the data were not disclosed publicly, the incident brought many complaints about safety issues with the vehicles to light, along with the threat of a huge ($3.3 billion) fine for data privacy violations under the GDPR.
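The "one in twenty permissions used" figure above is something you can measure for your own identities. The script below is an added example, not Planet 9's code: it expands the wildcard actions in an IAM policy, compares the result with the actions the identity has actually been observed using, and drafts a right-sized replacement policy. POLICY is a constructed document in the IAM policy shape, KNOWN_ACTIONS is a small constructed stand-in for the full AWS action list, and USED_ACTIONS stands in for the actions you would collect from CloudTrail or from IAM Access Analyzer's last-accessed data; the bucket, log group and account ID are made up.

```python
"""Measure how much of an IAM policy is actually used and draft a right-sized replacement.

Added example; not Planet 9's code. POLICY, KNOWN_ACTIONS, USED_ACTIONS and
USED_RESOURCES are constructed samples (see the lead-in for what each stands in for).
"""
import fnmatch

# Constructed stand-in for the full AWS action catalogue
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketAcl", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "kms:Decrypt", "kms:Encrypt",
    "logs:PutLogEvents", "logs:CreateLogStream",
]

# Actions that change who can reach data; unused grants of these deserve first attention.
HIGH_RISK = {"s3:PutBucketAcl", "s3:PutBucketPolicy", "iam:CreateUser",
             "iam:AttachUserPolicy", "iam:PassRole"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Expand Allow-statement Action patterns against the catalogue (IAM matching is case-insensitive)."""
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in KNOWN_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def review_policy(policy, used_actions):
    """Compare granted with used actions and count statements with Resource '*'."""
    granted = granted_actions(policy)
    used = granted & set(used_actions)
    unused = granted - used
    wildcard_resource = sum(
        1 for s in _as_list(policy["Statement"])
        if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", [])))
    return {
        "granted": len(granted),
        "used": len(used),
        "unused": sorted(unused),
        "unused_high_risk": sorted(unused & HIGH_RISK),
        "statements_with_wildcard_resource": wildcard_resource,
    }


def right_sized_policy(used_actions, resources):
    """Draft a replacement that allows only the observed actions on named resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(used_actions),
                       "Resource": sorted(resources)}],
    }


# Constructed: a typical "give the app S3 and logs" policy with wildcards everywhere
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
USED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "logs:PutLogEvents"}
USED_RESOURCES = [
    "arn:aws:s3:::constructed-app-bucket",
    "arn:aws:s3:::constructed-app-bucket/*",
    "arn:aws:logs:us-east-1:111111111111:log-group:/constructed/app:*",
]

if __name__ == "__main__":
    report = review_policy(POLICY, USED_ACTIONS)
    print(f"{report['used']} of {report['granted']} granted actions used; "
          f"unused high-risk actions: {report['unused_high_risk']}")
    print(right_sized_policy(USED_ACTIONS, USED_RESOURCES))
```

On the constructed sample the app used 3 of 9 granted actions, and the unused set includes s3:PutBucketAcl and s3:PutBucketPolicy, exactly the permissions that turn a compromised application credential into a public bucket. Run the review over a real observation window (90 days is a common choice) before adopting the drafted policy, since rarely used but legitimate actions will otherwise be cut.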

Exposed access to API keys

API (application programming interface) keys are unique identifiers used by cloud services to authenticate and authorize access to their APIs. These keys serve as credentials that allow users or applications to interact with cloud resources programmatically, enabling tasks such as uploading files to storage, retrieving data from databases, or managing virtual machines. If mishandled or exposed, API keys pose significant security risks, potentially leading to unauthorized access, data breaches, and regulatory non-compliance.

One of the most infamous cases of API access key misconfiguration was the T-Mobile data breach, in which hackers exploited an API to steal the data of around 37 million customers. While much of the stolen data is publicly available and may not trigger legal repercussions under state privacy laws such as the CCPA (California Consumer Privacy Act), it could face greater scrutiny under the GDPR in Europe.
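Most key exposures start with a credential pasted into source code, a config file or a CI log. The scanner below is an added example, not Planet 9's code, of the pre-commit check that catches that: one rule matches the documented AWS access key ID format (AKIA/ASIA prefix plus 16 characters), and a generic rule pairs a secret-looking variable name with a long, high-entropy value while ignoring documented placeholders. SAMPLE is a constructed file, and every key in it is fabricated and inert.

```python
"""Scan source and config text for cloud API credentials before they are committed or published.

Added example; not Planet 9's code. SAMPLE is a constructed file; all key values
in it are fabricated and inert.
"""
import math
import re
from collections import Counter

AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# <secret-ish name> = "<opaque value of 16+ chars>"
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b([A-Z0-9_]*(?:secret|token|api[_-]?key|password)[A-Z0-9_]*)"""
    r"""\s*[=:]\s*['"]?([A-Za-z0-9+/=_\-]{16,})['"]?""")
PLACEHOLDERS = ("changeme", "redacted", "placeholder", "xxxx", "<your")
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens sit well above this


def shannon_entropy(text):
    """Bits per character; 0 for a repeated single character."""
    counts = Counter(text)
    length = len(text)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def scan(text, source="<input>"):
    """Return (source, line, rule, detail) tuples. Key IDs are echoed; secret values never are."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((source, lineno, "aws-access-key-id", match.group(0)))
        for match in SECRET_ASSIGNMENT.finditer(line):
            name, value = match.groups()
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # documented placeholder, not a real credential
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((source, lineno, "high-entropy-secret", name))
    return findings


SAMPLE = """\
# settings.py (constructed sample; all values fabricated and inert)
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
AWS_SECRET_ACCESS_KEY = "Zq8mP3xL9vR2tK6wN4yB7cF1hJ5dG0sA8eU3iO9p"
DB_PASSWORD = "changeme-in-production"
API_TOKEN = os.environ["API_TOKEN"]
SECRET_KEY = "aaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for source, lineno, rule, detail in scan(SAMPLE, "settings.py"):
        print(f"{source}:{lineno}: {rule}: {detail}")
```

Two of the six sample lines are reported: the hard-coded access key ID and the high-entropy secret assigned to AWS_SECRET_ACCESS_KEY. The placeholder password, the value read from the environment (the right way to supply a key) and the low-entropy dummy string are all left alone. Wire a check like this into a pre-commit hook or CI job, and treat any hit as a key to rotate, not just a line to delete, because the value is already in history.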

Unencrypted Data

Unencrypted data in the cloud poses significant compliance risks, particularly within the scope of GDPR, CCPA, HIPAA, and PCI DSS. The 2023 Thales Cloud Security Study found low levels of encryption in use by organizations. According to the findings, on average less than half (45%) of cloud data is currently encrypted. The study also found a lack of control over encryption keys, with only 14% of those surveyed stating that they controlled all of the keys to their encrypted data in their cloud environments. In addition, almost two-thirds (62%) say they have five or more key management systems – creating increased complexity when securing sensitive data.

Unencrypted data leads to regulatory non-compliance and increases the vulnerability of sensitive information to interception and unauthorized access by cybercriminals, heightening the risk of data breaches. Legal and regulatory penalties, loss of customer trust, and reputational damage further underscore the importance of implementing robust encryption measures to mitigate these compliance risks and protect sensitive data in cloud environments.
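The two Thales figures quoted above, the share of data encrypted and the share of keys the organization itself controls, are the two numbers an inventory check should produce. The following is an added example, not Planet 9's code: it walks a constructed, simplified resource inventory, classifies each resource by whether it is encrypted at rest and who holds the key, and reports both percentages together with per-resource findings. Each entry records whether encryption is on and, where a KMS key is involved, the KeyManager value ("AWS" or "CUSTOMER") that KMS DescribeKey reports for that key; resource IDs and ARNs are made up.

```python
"""Inventory check for encryption at rest and key control across cloud resources.

Added example; not Planet 9's code. INVENTORY is a constructed, simplified view
of what you would assemble from the per-service describe calls; IDs and ARNs are made up.
"""


def key_control(resource):
    """Who controls the key: 'none' (unencrypted), 'provider' (no KMS key, e.g. SSE-S3),
    'aws-managed' (KMS key owned by AWS) or 'customer-managed'."""
    enc = resource.get("encryption", {})
    if not enc.get("enabled"):
        return "none"
    if not enc.get("kms_key_arn"):
        return "provider"
    return "customer-managed" if enc.get("key_manager") == "CUSTOMER" else "aws-managed"


def assess_inventory(inventory, require_customer_key=True):
    """Summarize encryption coverage and key control; list resources that fall short."""
    findings = []
    tally = {"none": 0, "provider": 0, "aws-managed": 0, "customer-managed": 0}
    for resource in inventory:
        control = key_control(resource)
        tally[control] += 1
        label = f"{resource['type']} {resource['id']}"
        if control == "none":
            findings.append(f"{label}: not encrypted at rest")
        elif require_customer_key and control != "customer-managed":
            findings.append(f"{label}: encrypted, but the key is {control}; not under your control")
    total = len(inventory)
    encrypted = total - tally["none"]
    return {
        "total": total,
        "pct_encrypted": round(100 * encrypted / total) if total else 0,
        "pct_customer_keys": round(100 * tally["customer-managed"] / total) if total else 0,
        "by_control": tally,
        "findings": findings,
    }


# Constructed inventory: one unencrypted bucket, one with provider-managed SSE-S3,
# a database on an AWS-managed KMS key, and two resources on a customer-managed key.
CMK = "arn:aws:kms:us-east-1:111111111111:key/constructed-customer-key"
AWS_KEY = "arn:aws:kms:us-east-1:111111111111:key/constructed-aws-managed-key"
INVENTORY = [
    {"type": "s3", "id": "constructed-exports-bucket", "encryption": {"enabled": False}},
    {"type": "s3", "id": "constructed-logs-bucket",
     "encryption": {"enabled": True, "kms_key_arn": None}},
    {"type": "rds", "id": "constructed-customer-db",
     "encryption": {"enabled": True, "kms_key_arn": AWS_KEY, "key_manager": "AWS"}},
    {"type": "ebs", "id": "vol-constructed01",
     "encryption": {"enabled": True, "kms_key_arn": CMK, "key_manager": "CUSTOMER"}},
    {"type": "dynamodb", "id": "constructed-sessions-table",
     "encryption": {"enabled": True, "kms_key_arn": CMK, "key_manager": "CUSTOMER"}},
]

if __name__ == "__main__":
    report = assess_inventory(INVENTORY)
    print(f"{report['pct_encrypted']}% encrypted, {report['pct_customer_keys']}% on customer-managed keys")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Whether provider-managed and AWS-managed keys count as a finding depends on the regime you are measured against; the `require_customer_key` switch makes that policy explicit rather than buried in the code. The percentage of customer-managed keys is the figure to track if the goal is the "we control all our keys" position that only 14% of the surveyed organizations reached.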

Inadequate monitoring

Inadequate monitoring in cloud environments significantly contributes to regulatory non-compliance, posing a serious risk to organizations. Without robust monitoring mechanisms in place, it becomes challenging to detect and respond to security incidents or breaches promptly.

This lack of visibility into cloud activities and data flows may result in violations of regulatory requirements, such as GDPR, HIPAA, or PCI DSS, which mandate stringent data protection measures and privacy standards. For example, failing to monitor access controls effectively could lead to unauthorized data access or breaches of confidentiality, directly contravening regulatory mandates. Additionally, inadequate monitoring may impede incident response efforts, prolonging the exposure of sensitive information and exacerbating compliance failures. Therefore, implementing comprehensive monitoring solutions tailored to cloud environments is essential for maintaining regulatory compliance and mitigating associated risks effectively.
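Monitoring for the misconfigurations covered in this post means turning each one into a rule over the audit trail. The script below is an added example, not Planet 9's code: it runs four detection rules over CloudTrail-style events, covering a bucket being made public, tampering with the trail itself, console logins without MFA, and one user minting an access key for another. EVENTS are constructed records in a simplified CloudTrail shape (eventName, eventSource, userIdentity, requestParameters, responseElements, additionalEventData); the user names, bucket names and trail name are made up.

```python
"""Detection rules over CloudTrail-style events for common cloud misconfigurations.

Added example; not Planet 9's code. EVENTS are constructed records in a
simplified CloudTrail shape; names in them are made up.
"""
import json

PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def rule_public_bucket(event):
    """Bucket made public via canned ACL, wildcard-principal policy, or weakened Block Public Access."""
    params = event.get("requestParameters", {})
    name, bucket = event["eventName"], params.get("bucketName")
    acl = params.get("x-amz-acl")
    acl = acl[0] if isinstance(acl, list) else acl
    if name == "PutBucketAcl" and acl in PUBLIC_CANNED_ACLS:
        return "high", f"bucket {bucket} ACL set to {acl}"
    if name == "PutBucketPolicy":
        policy = params.get("bucketPolicy") or {}
        policy = json.loads(policy) if isinstance(policy, str) else policy
        stmts = policy.get("Statement", [])
        stmts = stmts if isinstance(stmts, list) else [stmts]
        if any(s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"}) for s in stmts):
            return "high", f"bucket {bucket} policy grants access to Principal '*'"
    if name == "PutBucketPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration", {})
        if not cfg or not all(cfg.values()):
            return "high", f"bucket {bucket} Block Public Access weakened"
    return None


def rule_audit_tampering(event):
    """Anyone switching off or reshaping the trail is the first thing a responder wants to know."""
    if event["eventName"] in AUDIT_TAMPERING and event.get("eventSource") == "cloudtrail.amazonaws.com":
        return "high", f"{event['eventName']} on trail {event.get('requestParameters', {}).get('name')}"
    return None


def rule_console_login_no_mfa(event):
    if (event["eventName"] == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No"):
        return "medium", "successful console login without MFA"
    return None


def rule_key_for_other_user(event):
    """An access key created for a different user than the caller is a common persistence step."""
    target = event.get("requestParameters", {}).get("userName")
    if event["eventName"] == "CreateAccessKey" and target not in (None, _actor(event)):
        return "medium", f"access key created for user {target}"
    return None


RULES = [rule_public_bucket, rule_audit_tampering, rule_console_login_no_mfa, rule_key_for_other_user]


def detect(events):
    """Run every rule over every event; return one alert dict per hit."""
    alerts = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                severity, detail = hit
                alerts.append({"time": event["eventTime"], "actor": _actor(event),
                               "rule": rule.__name__, "severity": severity, "detail": detail})
    return alerts


# Constructed events: four should alert, two are benign.
EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"bucketName": "constructed-exports", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"bucketName": "constructed-exports", "key": "report.csv"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-1"},
     "requestParameters": {"name": "constructed-org-trail"}},
    {"eventTime": "2024-03-01T12:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T12:30:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "asmith"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-01T13:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
     "requestParameters": {"userName": "svc-export"}},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['actor']}: {alert['rule']}: {alert['detail']}")
```

The same rule functions can sit behind an EventBridge target, a SIEM query, or a nightly batch over delivered log files; what matters for compliance evidence is that each rule maps to a control (public storage, audit integrity, MFA, credential issuance) and that every alert carries the actor and timestamp needed to reconstruct the timeline.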

How Planet 9 can help address the challenge of cloud misconfiguration

Ensuring security and compliance in the cloud is a difficult but achievable task. Organizations struggle to configure their cloud services in accordance with specific federal, international, and industry-specific laws, so misconfigurations remain very common.

To address the challenge of cloud misconfiguration and ensure a secure, compliant cloud environment, Planet 9 provides

Depending on the client’s internal resources, expertise, and availability, Planet 9 can perform all the remediation work, position the client to execute remediation on its own or supplement the client’s team.

Contact Planet 9 to learn more about cloud compliance.

