Many organizations benefit greatly from moving their infrastructure to the cloud, which provides additional scalability, availability and a seeming ease of use. But these features come with a price: the complexity of cloud deployments and configurations leads to significant exposures that can result in sensitive data disclosure or even compromise of the cloud infrastructure. This presentation gives both an attacker's and a defender's view of cloud platforms.
In early 2019 we conducted an in-depth survey of cloud services and identified a large number of exposed or badly configured cloud services. Many people think of exposed S3 buckets when talking about exposed cloud services, but we identified a much larger variety of issues. Some lead to sensitive data disclosure; others can lead to access control or authentication bypass, or to disclosure of authentication credentials. Exposed container services pose significant risks when they are reachable from the Internet. We identified several in-the-wild cases where attackers exploited some of these exposures and used them in a variety of attacks, from attacks against online shopping platforms that inserted credit card harvesting code to plain deployments of botnets and crypto-mining software. We discuss these cases and explain how the attackers were able to take advantage of the exposures. Many attackers consider cloud deployments the weaker link and often attack that link as a way into the organization behind it.
Many of these issues are not vulnerabilities in the cloud platforms themselves, but rather mistakes, misunderstandings and misconfigurations made by network engineers. We discuss the assumptions engineers commonly make and which differences between in-house and cloud platforms they often do not understand. We explain what mistakes these assumptions lead to and how to avoid them when deploying secure cloud platforms.
Finally, we present a defender's view of cloud services and explain how to improve the security of cloud deployments by hardening cloud services and ensuring that certain aspects of cloud configuration are done right. We conclude the presentation with the best practices we have been using and would recommend organizations adopt in their own cloud deployments.