ILTANET.ORG
What is one result of implementing incorrectly? Data breaches. And breaches abound. Worse, these may be self-inflicted wounds, as improper security configurations can mean perforce that a company's data is public. This is what befell GoDaddy – which you can read about here.
Improperly configured permissions, user groups and storage buckets, as well as exposed APIs, code and passwords, are just a few sources of misconfigurations leading to vulnerabilities. Of course, the absence of well-devised policies and procedures – or the lack of adherence to those that do exist – is always an issue, in the cloud or otherwise. Even those that use cutting-edge tools to manage cloud security can misconfigure those tools as well.
Clearly, the speed with which organizations moved to the cloud – taking months to do what would normally require years – was a key driver of these issues. And these misconfigurations are a key source of exploitation for hackers to gain entry and have a good look around.
"What's surprising is that almost every one of these breaches was due to a simple cloud setting that was not properly configured . . . [and] over a billion customer accounts and data records [have been] already exposed over the internet." (Cloud Journey, 2019, emphasis added.) And this was before the massive rush to the cloud necessitated by SARS-CoV-2.
And Still There Are Those Endpoints (and "Workspaces") to Secure
Hardening your cloud instance(s) and maintaining security hygiene are still only part of the battle. Doing the same for the network endpoints is another challenge altogether. Hackers, even sophisticated nation-state actors, do not attack their actual point of interest. Rather, they approach vulnerabilities on the softer peripheries to gain access to even the most hardened data stores.
While a VPN can help, if your employees are using personal devices for work – or, for that matter, a work-issued laptop for personal activities – the vulnerabilities increase. Virtual machines too, while offering many security features, can have the effect of bringing your employees closer to the applications running in the cloud, creating vulnerabilities if proper security controls are not in place. Consider too an organization's limited ability to control personal IoT devices, including printers, virtual assistants like Alexa and myriad other devices that connect to the employee's laptop.
The attacks on IoT devices are voluminous and increasing. Kaspersky saw "105 million attacks on IoT devices coming from 276,000 unique IP addresses in the first six months of 2019" alone. They "found that while most IoT attacks are not very sophisticated, they sure are 'quiet,' showing little evidence of successful infection until the victim is activated as part of a botnet." (Dark Reading,