Federal Data Breaches and the Risks of Cloud Misconfigurations
Cloud misconfigurations are a costly vulnerability. Data breaches caused by improper or lax settings of cloud services exposed 33 billion data records in 2018 and 2019, according to a report from DivvyCloud.
Any breach suffered by a U.S. federal government organization would be a significant problem. Agencies collect, process and store considerable volumes of sensitive data including citizen information and national secrets.
That’s why you must take steps to lock down public-facing content and ensure that the proper governance and control measures are in place.
The Reasons for Misconfigurations
Many federal agencies are taking advantage of the speed and cost efficiencies of public cloud services like AWS, Google Cloud Platform, and Microsoft Azure. Under the shared responsibility model the provider secures the underlying infrastructure, but you must protect what runs on it: applications, workloads and data. That includes the configuration of every service and resource you deploy in the cloud.
Unfortunately, many organizations rely on default settings or pre-configured cloud services. Those defaults are chosen for ease of setup and may not offer the right level of security for public-facing content. For example, some services and endpoints are reachable from the internet by default. A team focused on getting cloud services up and running may not notice such defaults, yet they must be locked down from the outset to avoid risk.
Some common oversights include:
- Encryption at rest not turned on for storage volumes and buckets
- Ports opened more widely than the workload requires
- Authentication or access policies not enabled
- Load balancers left internet-facing when only internal access is required
- Security groups opened wide for troubleshooting and never tightened again
- Public cloud storage resources (for example, S3 buckets) with settings that are not locked down
Another problem area: access keys. Long-lived access keys grant programmatic access to your cloud workloads and applications from any location, so a leaked or forgotten key is a significant security loophole. Federal agencies should enforce access key rotation policies, and prefer short-lived, role-based credentials over static keys wherever the workload allows it.
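As an added example (not code from the original article or from STS), here is a small posture check in Python that applies the oversights just listed, plus the access key age rule, to a constructed snapshot shaped like AWS API responses, so it runs with no live account. The resources, the 90-day rotation limit and the set of administrative ports are assumptions for the illustration; in practice the snapshot would come from the corresponding describe/get API calls.

```python
"""Posture checks for common cloud oversights, run over a constructed snapshot
shaped like AWS API responses. Added illustration, not STS's tooling; the
resources, the 90-day key limit and the 'admin ports' set are assumed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 2, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
ADMIN_PORTS = {22, 3389}                           # assumed: must never be open to the world
MAX_KEY_AGE_DAYS = 90                              # assumed rotation policy
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed snapshot; field names mirror describe-security-groups,
# get-public-access-block, describe-volumes and list-access-keys output.
SNAPSHOT = {
    "security_groups": [
        {"GroupId": "sg-0troubleshoot", "IpPermissions": [          # "temporary" wide-open group
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0ssh", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0web", "IpPermissions": [                   # public HTTPS is intended
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "s3_buckets": [
        {"Name": "agency-public-site",
         "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
        {"Name": "agency-case-files", "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    ],
    "ebs_volumes": [{"VolumeId": "vol-0enc", "Encrypted": True},
                    {"VolumeId": "vol-0plain", "Encrypted": False}],
    "access_keys": [
        {"UserName": "deploy", "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
        {"UserName": "ci", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    ],
}

def _world_open(rule):
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def check_security_groups(groups):
    """Flag rules that expose all traffic, or an admin port, to the whole internet."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            if not _world_open(rule):
                continue
            if rule.get("IpProtocol") == "-1":
                findings.append((sg["GroupId"], "all traffic open to 0.0.0.0/0"))
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            for port in sorted(ADMIN_PORTS):
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], f"port {port} open to 0.0.0.0/0"))
    return findings

def check_s3_public_access(buckets):
    """All four Block Public Access settings must be on; report the ones that are off."""
    findings = []
    for b in buckets:
        cfg = b.get("PublicAccessBlockConfiguration", {})
        off = [k for k in PAB_KEYS if not cfg.get(k, False)]
        if off:
            findings.append((b["Name"], "Block Public Access incomplete: " + ", ".join(off)))
    return findings

def check_encryption(volumes):
    return [(v["VolumeId"], "EBS volume not encrypted") for v in volumes if not v.get("Encrypted")]

def check_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Active keys older than the rotation policy are findings; inactive keys are ignored."""
    findings = []
    for k in keys:
        age = (now - k["CreateDate"]).days
        if k["Status"] == "Active" and age > max_age_days:
            findings.append((k["UserName"], f"active access key is {age} days old (limit {max_age_days})"))
    return findings

def audit(snapshot, now=NOW):
    return {"security_groups": check_security_groups(snapshot["security_groups"]),
            "s3": check_s3_public_access(snapshot["s3_buckets"]),
            "encryption": check_encryption(snapshot["ebs_volumes"]),
            "access_keys": check_access_keys(snapshot["access_keys"], now)}

if __name__ == "__main__":
    for area, items in audit(SNAPSHOT).items():
        for resource, msg in items:
            print(f"[{area}] {resource}: {msg}")
```

The troubleshooting group and the SSH group are flagged while the HTTPS group open to the world is not, because a public web tier is meant to be reachable; the check compares exposure against intent rather than treating every 0.0.0.0/0 rule as a finding.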
Want to ensure your federal agency is prepared with solid cloud security? Find out how by reading our Guide to Achieving Cloud Security for Federal Agencies.
These misconfigurations typically arise from insufficient in-house expertise. Most organizations, in the private sector too, have a knowledge base more attuned to on-premises or data center security. Those skills do not translate directly to the cloud, which is built on dynamic services and infrastructure that require distinct skills and expertise. Not all federal agencies have, or can attract, enough in-house talent to ensure proper cloud configurations.
Considerations to Avoid Misconfigurations
There are tools that federal agencies can use to lock down cloud security. Sometimes cloud-native tools, such as Amazon Inspector, Microsoft Azure Security Center, Google Cloud Data Loss Prevention (Cloud DLP), and the identity and access management services offered by each public cloud provider, are sufficient to help identify potential misconfigurations. (Note that Inspector and Cloud DLP target software vulnerabilities and sensitive-data exposure respectively; on AWS, checks on resource configuration itself are the job of AWS Config rules.)
However, these tools often require a higher level of skill to deploy and manage. They also must be combined with several other services to support forensics after a data breach. For example, in an AWS environment you would also need:
- AWS Config, which records each resource's configuration items and tracks changes to them
- AWS CloudTrail, which logs API calls: who did what, when, and from where
- Amazon CloudWatch Logs, for application and custom logging
- VPC Flow Logs, for network traffic metadata (source, destination, port, accept or reject)
In addition, these sources need to be coupled with root cause analysis (RCA) tooling so that forensic monitoring stays in its desired state, and their records should be delivered to a restricted-access AWS audit account that the workload accounts cannot modify. This ensures a clear record of an incident, including how and when it happened, that the actor who caused it cannot erase. Better yet, the same automation should continuously enforce the following baseline settings to minimize the window for a potential breach:
- S3 public bucket access disabled (Block Public Access turned on at the bucket and account level)
- Security groups limited to the communications each workload actually requires
- CloudTrail, AWS Config, CloudWatch, and VPC Flow Logs kept on, with any attempt to stop or delete them alerted on and reverted
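The last item is the one an intruder tests first, because stopping the trail or the recorder blinds every later investigation. As an added example (not STS's tooling or code from the original article), the following Python matches CloudTrail management-event records against the API calls that stop, delete or weaken those sources, and builds the equivalent EventBridge event pattern so the same list can page a responder. The records are constructed; the eventSource and eventName values are AWS's, while the nested requestParameters layout, the ARNs and the account number are assumed for the illustration.

```python
"""Detect attempts to switch off the forensic sources above (CloudTrail, AWS
Config, CloudWatch Logs, VPC Flow Logs) or to loosen S3 Block Public Access,
by matching CloudTrail management-event records.
Added illustration, not STS's tooling. Records are constructed: the
eventSource/eventName values are AWS's, but the nested requestParameters
layout, ARNs and account number are assumed for the example."""
import json

# (eventSource, eventName) pairs that stop, delete or weaken an audit source.
TAMPER_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteDeliveryChannel"),
    ("ec2.amazonaws.com", "DeleteFlowLogs"),
    ("logs.amazonaws.com", "DeleteLogGroup"),
    ("s3.amazonaws.com", "DeletePublicAccessBlock"),
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed CloudTrail records, one JSON object per line; 111122223333 is
# the AWS documentation placeholder account.
SAMPLE_RECORDS = [json.loads(line) for line in """\
{"eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"arn":"arn:aws:iam::111122223333:user/auditor"}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-admin"},"requestParameters":{"name":"agency-trail"}}
{"eventSource":"config.amazonaws.com","eventName":"StopConfigurationRecorder","userIdentity":{"arn":"arn:aws:iam::111122223333:role/Troubleshoot"},"requestParameters":{"configurationRecorderName":"default"}}
{"eventSource":"s3.amazonaws.com","eventName":"PutBucketPublicAccessBlock","userIdentity":{"arn":"arn:aws:iam::111122223333:user/web-dev"},"requestParameters":{"bucketName":"agency-case-files","PublicAccessBlockConfiguration":{"BlockPublicAcls":true,"IgnorePublicAcls":true,"BlockPublicPolicy":false,"RestrictPublicBuckets":false}}}
{"eventSource":"s3.amazonaws.com","eventName":"PutBucketPublicAccessBlock","userIdentity":{"arn":"arn:aws:iam::111122223333:user/sec-eng"},"requestParameters":{"bucketName":"agency-case-files","PublicAccessBlockConfiguration":{"BlockPublicAcls":true,"IgnorePublicAcls":true,"BlockPublicPolicy":true,"RestrictPublicBuckets":true}}}
{"eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-admin"},"requestParameters":{"DeleteFlowLogsRequest":{"FlowLogId":{"content":"fl-0abc"}}}}
""".splitlines() if line.strip()]

def classify(record):
    """Return an alert string for a tampering record, or None if it is benign."""
    key = (record.get("eventSource"), record.get("eventName"))
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    params = record.get("requestParameters") or {}
    if key in TAMPER_EVENTS:
        return f"{key[1]} on {key[0]} by {actor}"
    if key == ("s3.amazonaws.com", "PutBucketPublicAccessBlock"):
        cfg = params.get("PublicAccessBlockConfiguration", {})
        off = [k for k in PAB_KEYS if not cfg.get(k, False)]
        if off:   # a call that leaves all four settings on is a restore, not an alert
            return (f"Block Public Access weakened on {params.get('bucketName')} "
                    f"({', '.join(off)}) by {actor}")
    return None

def tamper_alerts(records):
    """Run every record through classify() and keep the alerts, in log order."""
    return [a for a in map(classify, records) if a is not None]

def eventbridge_pattern():
    """Event pattern for an EventBridge rule that fires on the same API calls, so
    the alert reaches a responder in near real time rather than at the next review."""
    sources = sorted({"aws." + src.split(".")[0] for src, _ in TAMPER_EVENTS})
    names = sorted({name for _, name in TAMPER_EVENTS} | {"PutBucketPublicAccessBlock"})
    return {"source": sources,
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventName": names}}

if __name__ == "__main__":
    for alert in tamper_alerts(SAMPLE_RECORDS):
        print("ALERT:", alert)
    print(json.dumps(eventbridge_pattern(), indent=2))
```

The EventBridge pattern necessarily matches every PutBucketPublicAccessBlock call, including the one that restores the settings; the target (a Lambda function or a ticket queue) should apply the same four-key test as classify() before paging anyone, and should be deployed from the audit account so the workload account cannot remove the rule.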
There are also open-source tools you can use to check for misconfigurations, including Perimeterator, Cloudfrunt, Watchmen, and CloudQuery. Here again, they vary in how difficult they are to implement.
In addition, federal agencies should put governance — access rights policies, monitoring, and reporting functionality — around any cloud services where sensitive data is involved. Doing so helps ensure that should a vulnerability or incident occur, remediation gets underway immediately.
Your organization’s ability to counter the risks of cloud misconfigurations and the chances of data breaches ultimately is limited by your in-house knowledge base and expertise.
If there is any hesitation, your agency should consider augmenting in-house security talent with outside expertise. The right partner can fill cloud security knowledge gaps.
How We Can Help
Simple Technology Solutions (STS) has first-hand experience and expertise with cloud security. We have helped federal agencies recover from security incidents and lock down their cloud environments to avoid misconfigurations, vulnerabilities, and potential data breaches.
An Advanced, Small Business Multi-Cloud Provider. Our advanced partnerships include Amazon Web Services, Google Cloud Platform (GCP), Microsoft Azure, and more. We are the only small business with AWS Government competency and Advanced partner tier status. We also implemented one of the first FedRAMP compliant GCP IaaS cloud hosting environments in the federal government.
Experienced. Our expertise includes a deep bench of multi-cloud engineers skilled in Agile, DevOps, CI/CD and Agile Lean processes. We are expert at establishing enterprise federal IaaS and PaaS shared service environments, and bring a suite of cloud governance and security automation solutions to our engagements. The STS team has more than 100 technical professional certifications across the major CSPs.
HUBZone Committed. STS is a HUBZone company dedicated to using technology to create jobs in underserved communities. We are passionate believers - and living proof! - that technology can be a socioeconomic onramp for minority groups historically left behind by the digital divide. We leverage the STS Apprenticeship Program, the first apprenticeship program certified by the DC Government, to develop individuals in HUBZone communities with little to no IT skills into cloud engineers.
No one wants to testify before Congress on why their FITARA scorecard grade went down. Download our eBook "Guide to Achieving Cloud Security for Federal Agencies" to ensure your federal agency is prepared with solid cloud security.
DivvyCloud, February 2020, "Cloud Misconfigurations Report," https://divvycloud.com/wp-content/uploads/2020/02/Cloud-Misconfiguration-Report-FINAL.pdf