More trouble in the cloud
If you leave out Germany (which is well known for taking a strict approach to privacy concerns), the cloud growth figures are impressive. This year, cloud service revenue is expected to reach USD 212 billion, up from USD 182.4 billion in 2018. Gartner predicts that the market share and growth of the cloud services sector will be nearly three times that of all regular IT services by 2022. And even the conservative Germans, who are still quite suspicious about data protection and data security in the cloud, are not abstaining completely: 73% of businesses in Germany reportedly use the public cloud, with revenue of EUR 22.5 billion expected by 2020. Good times are clearly ahead for cloud providers.
The list of top performers in the Gartner report is not just an indication of which shares are likely to perform well in the coming years. It is also intended to counteract recent findings by Palo Alto, which identify some of the more negative aspects of the public cloud – as can be expected from a security provider. It shows – once again – that basic protective measures are lacking and that business data and applications are far from as secure as they should be, even though they could be. Public cloud is nothing new, certainly not for the big names in the business such as AWS, Microsoft Azure and Google Cloud. But in the first half of 2019 alone, more than 20 major security incidents involving public cloud platforms were reported in the media. The incident at Capital One last week – which also focused on cloud security – caused a worldwide sensation.
Palo Alto describes the most catastrophic failures, which simply should not be allowed to happen any more. It is rarely the cloud service providers who are at fault: Microsoft, Amazon and Google have done their homework, and the infrastructure of the public cloud is stable and secure. The most hair-raising errors are made by the users themselves. Security analysts discovered 40,000 cloud container systems such as Kubernetes and Docker that were configured with their default accounts and credentials and were accessible from the Internet. These containers could be easily identified using a simple keyword search. Other problems are more familiar and have been facing companies for quite some time. According to Palo Alto, 28 percent of the public cloud users surveyed communicate with malicious cryptomining C2 domains belonging to the Rocke group.
Perhaps slightly more dramatic is the careless use of remote access protocols: researchers were able to find many open RDP ports. RDP vulnerabilities come up over and over again; the last major incident was BlueKeep in May 2019. It doesn't look any better for SSL/TLS. Although TLS version 1.1 was superseded by TLSv1.2 in 2008, 61 percent of organizations still had TLSv1.1/1.0 enabled and outdated versions of SSL in use. Unfortunately, the most common browsers still accept the outdated protocols, but that should be over by 2020. Overall, it was found that 56 percent of the companies had at least one SSH service open to the Internet and almost 40 percent of the companies had at least one RDP service open to the Internet. There is no reason to allow incoming traffic from the entire Internet (0.0.0.0/0) to services such as SSH, RDP, or SMB. Such entry points should always be tunneled through a VPN. If ad hoc access is required, for example by an external service employee, there are methods such as one-time passwords with a limited validity period.
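To make that rule checkable, here is an added example (not from the article or the Palo Alto report) that audits firewall rules in the JSON shape of `aws ec2 describe-security-groups` output for SSH, RDP or SMB ports reachable from the whole Internet; it goes slightly beyond the text by also treating `::/0` and "all traffic" (`IpProtocol: -1`) rules as world-open. The group IDs and rules are constructed sample data.

```python
import ipaddress

# Ports the article says never need Internet-wide ingress.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB"}

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (IpPermissions entries); the group IDs are not real.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],          # all protocols/ports
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

def is_world_open(cidr: str) -> bool:
    """True if the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_ports(rule: dict):
    """Yield the admin ports a rule covers; -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        yield from ADMIN_PORTS
        return
    if rule.get("IpProtocol") not in ("tcp", "6"):  # SSH/RDP/SMB are TCP here
        return
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    for port in ADMIN_PORTS:
        if lo <= port <= hi:          # catches wide ranges such as 0-65535
            yield port

def find_world_open_admin_ports(groups: list) -> list:
    """Return (group_id, service, cidr) for each admin port open to the Internet."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in filter(is_world_open, cidrs):
                for port in rule_ports(rule):
                    findings.append((group["GroupId"], ADMIN_PORTS[port], cidr))
    return findings

if __name__ == "__main__":
    for gid, svc, cidr in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {svc} reachable from {cidr}")
```

The web group passes (HTTPS to the world is expected, SSH is limited to a private range); the bastion group is flagged four times, once for the RDP rule and three times for the all-traffic IPv6 rule.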
The full list of discovered (and more than avoidable) security breaches would cover a few more pages. But the details are less important than the key takeaway here: companies are neglecting the security of public cloud environments. Cloud providers and users share responsibility in the public cloud, in every model, be it IaaS or PaaS. And while providers fulfill their part of the contract, users do not. It is then only to be expected that 65 percent of reported incidents in cloud infrastructure were related to user misconfiguration. Companies that take this lax attitude should not be surprised by the increase in security incidents involving data breaches (see Capital One).