The ‘Cloud Infrastructure Security Trends’ report released by RedLock reveals several interesting insights about the vulnerabilities in major cloud environments, despite widely stated best practices. In 2017, the RedLock CSI team discovered 4.8 million exposed records containing sensitive data belonging to dozens of organizations, ranging from small businesses to Fortune 50 companies.
The data in the report is based on the RedLock CSI team’s analysis across customer environments, which comprise over one million resources processing 12 petabytes of network traffic. In addition, the team actively probed the Internet for vulnerabilities in public cloud infrastructure.
As a best practice, databases containing sensitive data should always be encrypted. Failure to do so may result in violations of compliance mandates such as PCI and HIPAA. Shockingly, the team determined that 82% of databases in public cloud computing environments such as Amazon Relational Database Service and Amazon Redshift are not encrypted.
To make matters worse, 31% of those databases were accepting inbound connection requests from the Internet, which is a very poor security practice. Most notably, MongoDB instances saw significant inbound traffic, with port 27017 being among the top five ports for inbound Internet connections.
On a similar note, RedLock CSI researchers also discovered that 40% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public. In March 2017, at least 20,000 customer records containing sensitive data were exposed at Scottrade due to such a misconfiguration.
It is a common belief that data in transit should generally be encrypted. However, the research revealed that 51% of the network traffic in public cloud infrastructure environments is still occurring on port 80, the default HTTP port, which carries cleartext (unencrypted) traffic. This leaves the traffic vulnerable to man-in-the-middle attacks.
Ideally, only load balancers and bastion hosts should be exposed to the Internet. However, the team found that 9% of workloads that were neither load balancers nor bastion hosts were accepting traffic from any IP address on any port.
Best practices dictate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach. Analysis showed that an alarming 93% of resources in public cloud environments do not restrict outbound traffic at all.

The research revealed that 58% of root accounts do not have multi-factor authentication (MFA) enabled. If any root user account is compromised, the hackers will have the keys to the kingdom. This is disturbing given the number of recent high-profile breaches involving weak authentication.
On a similar note, 63% of access keys have not been rotated in the last 90 days. This makes it easy for malicious actors to leverage compromised keys to infiltrate cloud environments as privileged users. The team also discovered that 14% of user accounts are dormant: their credentials are active, but no logins have occurred in the last 90 days. This introduces unnecessary risk to the public cloud computing environment.
The research indicates that, on average, organizations fail 55% of the compliance checks established by the Center for Internet Security (CIS). More than half of the violations (54%) are high-severity issues, such as security groups that allow inbound SSH connections from the Internet. Medium-severity violations, such as not enabling multi-factor authentication for all IAM users, represent 37% of the issues. Lastly, 9% of the violations are low-severity issues, such as not logging Amazon Simple Storage Service (S3) bucket access.
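The findings above map directly onto configuration checks a defender can run against an inventory. The Python below is an added example, not code from the RedLock report or its product: it audits a constructed, AWS-style inventory for the misconfiguration classes the report counts (unencrypted databases, database and SSH ports open to the Internet, non-edge workloads accepting any IP on any port, unrestricted egress, root without MFA, keys not rotated in 90 days, dormant accounts). The field names, the fixed clock and the sample data are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 1, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
STALE = timedelta(days=90)                          # the report's 90-day window for keys and logins
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def open_to_internet(rules, port=None):
    """Rules are (cidr, from_port, to_port); port=None asks whether every port is open."""
    for cidr, lo, hi in rules:
        if cidr in ANY_SOURCE and ((lo, hi) == (0, 65535) or (port is not None and lo <= port <= hi)):
            return True
    return False

def audit(inv):
    """Return (severity, message) findings for the misconfiguration classes in the report."""
    f = []
    for db in inv["databases"]:
        if not db["encrypted"]:
            f.append(("HIGH", f"{db['id']}: not encrypted at rest"))
        if open_to_internet(db["inbound"], db["port"]):
            f.append(("HIGH", f"{db['id']}: port {db['port']} open to the internet"))
    for w in inv["workloads"]:
        if w["role"] not in ("load_balancer", "bastion") and open_to_internet(w["inbound"]):
            f.append(("HIGH", f"{w['id']}: any IP on any port inbound"))
        if open_to_internet(w["inbound"], 22):
            f.append(("HIGH", f"{w['id']}: SSH open to the internet"))
        if open_to_internet(w["outbound"]):
            f.append(("MEDIUM", f"{w['id']}: outbound unrestricted"))
    for u in inv["users"]:
        if u["name"] == "root" and not u["mfa"]:
            f.append(("HIGH", "root: MFA not enabled"))
        if u["key_created"] and NOW - u["key_created"] > STALE:
            f.append(("MEDIUM", f"{u['name']}: access key older than 90 days"))
        if u["last_login"] is None or NOW - u["last_login"] > STALE:
            f.append(("LOW", f"{u['name']}: dormant (no login in 90 days)"))
    return f

# Constructed sample inventory (not real data), loosely modelled on AWS security-group and IAM fields.
INVENTORY = {
    "databases": [
        {"id": "rds-orders", "encrypted": False, "port": 3306, "inbound": [("0.0.0.0/0", 3306, 3306)]},
        {"id": "mongo-prod", "encrypted": True, "port": 27017, "inbound": [("10.0.0.0/8", 27017, 27017)]},
    ],
    "workloads": [
        {"id": "web-1", "role": "app", "inbound": [("0.0.0.0/0", 0, 65535)], "outbound": [("0.0.0.0/0", 0, 65535)]},
        {"id": "lb-1", "role": "load_balancer", "inbound": [("0.0.0.0/0", 443, 443)], "outbound": [("10.0.0.0/8", 0, 65535)]},
    ],
    "users": [
        {"name": "root", "mfa": False, "key_created": None, "last_login": NOW - timedelta(days=3)},
        {"name": "deploy", "mfa": True, "key_created": NOW - timedelta(days=200), "last_login": None},
    ],
}
```

Running `audit(INVENTORY)` on the sample yields eight findings; the load balancer and the encrypted, internally reachable MongoDB instance produce none.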