Here we go again. Data breaches are back in the news with a major settlement and the announcement of another major loss of sensitive personal data. While high-profile stories get the most coverage, it is important to understand that data breaches are very common. Seemingly simple errors can leave organizations exposed, leading to data loss and negative consequences for impacted customers. Breaches typically bring with them murmurs of the insecurity of open source software and cloud, even though most have happened within a company’s own on-premise systems. But organizations still need to be vigilant to vulnerabilities for both on-premise and cloud platforms.
In one recent case, reports identified the root cause of the data vulnerability as a misconfigured server on a cloud instance. Misconfigured servers may seem like an odd occurrence, but they are surprisingly common. McAfee reported in its 2019 Cloud Adoption and Risk Report that “organizations on average have at least 14 misconfigured IaaS instances running at any given time.” If you work for a large enterprise, this may seem insignificant, but McAfee continues that this equates to an average of 2,269 misconfiguration incidents per month. With these misconfigurations resulting in publicly readable data, the results essentially state that every organization is at risk.
Strategies to keep data secure
With analysts like Gartner predicting that cloud system infrastructure services will continue to grow, the focus on security of cloud-hosted data will likely grow in parallel as well. Below are three strategies you can employ to help minimize the risk of a misconfigured cloud server.
1. Understand your role in the “Shared Responsibility Model”
Shared Responsibility is a core tenant of the “as-a-service” business model. The role your organization plays in securing cloud-based applications is highly dependent on the types of service you use for your cloud deployment. Conceptually, software-as-a-service (SaaS) has the least burden on the client. Your team bears responsibility for system access and permission level. As you move to Platform-as-a-Service (PaaS), you are managing the user and developer populations. Finally, with Infrastructure-as-a-Service (IaaS) your responsibility will extend to network security and infrastructure security. This is the arena where misconfigured servers are the direct responsibility of your organization, rather than your service provider.
Understanding these models will enable you to confirm that your service providers are provisioning new servers and adding scale, while limiting the risk of a misconfigured instance. If you are managing infrastructure on your own, review your processes and automation to ensure you aren’t falling victim to one of the 10 most common misconfigurations identified by McAfee.
- Storage service data encryption is not turned on
- Unrestricted outbound access
- Access to resources is not provisioned using identity and access management (IAM) roles
- Compute security group port is misconfigured
- Compute security group inbound access is misconfigured
- Unencrypted machine instance
- Unused security groups
- Virtual private cloud flow logs are disabled
- Multi-factor authentication is not enabled
- File storage encryption is not turned on
Source: McAfee Cloud Adoption and Risk Report 2019
2.Understand how your architecture affects your infrastructure vulnerability
Cloud architecture continues to advance to enable the use of on-demand resources through technologies like containers and serverless computing. But these are still relatively new technologies, and there is still a significant installed base of virtual machines (VMs) in use globally. Over the next several years, we will continue to operate in environments that mix these cloud technologies.
Hastening migration to new forms of cloud architecture does not eliminate the risk of vulnerability through misconfiguration. Developing centers of excellence around your infrastructure platform of choice or partnering with service providers that can document their controls is paramount to employing cloud technologies securely.
3. Ensure the right policies and tools are in place across all the cloud models you employ
People are really at the center of any data breach. In order to deter the people in the equation, configuring the security controls that allow access is your first line of defense. Identity and access management (IAM) tools and procedures are critical to this effort. These not only set up access controls when provisioning new cloud resources, they manage access throughout the life of that resource. Adding additional security features like multifactor authentication strengthen access controls to keep systems accessible to authorized users only.
In addition, there are a host of tools you can employ to monitor and manage your infrastructure and system resources. We often think of these tools for managing scale, but there are several services you can employ that validate the configuration of cloud resources as well as track performance and access. Ensure that your monitoring tools span the physical, network, and logical layers of your platform. Many tools to monitor for vulnerability on the physical layer look for issues in the configuration of servers and networks.
How Pega Cloud approaches security
Pega Cloud Services provides Pega Platform™ and Pega applications in an “as-a-Service” model. Like other cloud providers, we have a shared responsibility model that details roles and responsibilities as they relate to platform and application security. Clients have comprehensive access controls, and our platform is monitored 24x7x365 from three global network operations centers designed for follow-the-sun support.
Our clients manage authorization and access to environments with access controls that can be tailored to both people and systems. This ensures that data access can be configured and revoked based on privileges defined both at a system and user level. We also provide ongoing operational support that extends to monitoring across the physical, network, and application layers. More information is available in our Guide to Pega Cloud Security.
Learn more:
- Learn how Pega Cloud helps you build and deploy cloud-based applications quickly and securely.
- See how Comerica Bank is using the cloud and Agile development practices to deploy mission-critical applications more quickly.
- Learn how the Pega Infinity™ portfolio of software is helping global enterprises engage without limits, automate from end-to-end, and scale easily.
- Experience the power of the Pega Platform with a free 30-day trial.