Hushed Chaos: How Cloud Providers Conceal Security Flaws

Cloud solutions have become the enterprise standard. Cloud security is now a major concern for mature businesses, but cloud providers, and the way they build and disclose their platforms, are muddying the waters even further.

Application flaws used to be a similarly tangled mess before standardized identifiers and comprehensive documentation became the norm. Is it time for cloud providers to follow suit?

The Rise of Cloud

Cloud storage and computing have taken the world by storm. With easy-to-use interfaces and a heavy emphasis on cross-device compatibility, cloud has largely displaced on-premises architecture. Hosting and maintaining your own on-premises environment is a time- and space-consuming chore: for an individual it may be as simple as an external hard drive, but for a business it means racks of hardware holding sensitive data that must be stored, backed up and secured.

Cloud adoption has outpaced even industry estimates. Spending on cloud providers at the start of 2021 was widely expected to rise; Gartner predicted growth of 23%. Actual growth came in at over 30% as the vast majority of firms moved to cloud storage during the pandemic.

It makes perfect sense, after all: ditching the office meant storage and applications had to match that work-from-home flexibility.

Many cloud services come with an intuitive user interface that requires very little training; employees understand that they can simply upload a file and access it from any other device. It doesn’t matter where you are. With a decent internet connection, company files can be retrieved from wherever they sit in an external data center.

Alongside an intuitive, user-friendly design, cloud also offers tangible benefits higher up the chain of command. From the perspective of a business leader, the scalability of cloud solutions is a major draw. Surely there has to be a catch…

Whose Job is it Anyway?

Unfortunately, the reality of cybersecurity is that with every industry-transforming technology, security is placed on the back foot. Ever reactive, the field is only now coming to terms with the security drawbacks of cloud solutions.

With an on-premises solution, it is entirely your responsibility to maintain and secure your sensitive data. On paper, that is simple. Hosting your own data on someone else’s platform raises the question: whose job is it to keep it secure?

The answer cloud providers have offered is shared responsibility. Some responsibilities now fall to the provider, and each provider draws its own specific boundaries. An easy way to think about it is that the provider is responsible for security of the cloud (the physical data centers, the hypervisors, and the managed services themselves), whereas you are responsible for security in the cloud (your data, your identities and permissions, your configuration, and whatever you deploy on top).

Even then, there are areas of overlap. Patch management is a particular battleground: providers patch flaws in their own infrastructure, while customers patch their applications and guest operating systems. Awareness and training must be handled internally by each company. It is a careful balance, demanding coordination between a provider and its clients.

Data storage isn’t the only thing that scales in a cloud environment: so does security complexity. Consider a mature organization with dozens of teams, many with their own storage and data requirements. A single disconnect over who owns a control can leave the company’s cloud security in tatters.

Unfortunately, cloud providers can shelter behind this model, aware that nothing requires them to disclose flaws on their side of the line to their clients.

Complete ChaosDB

This precarious balance has already produced several major vulnerabilities in the last year alone. One example is ChaosDB, a weakness in Azure Cosmos DB, Microsoft’s managed database service, reported by security researchers at Wiz.

Azure lets applications be built, deployed and managed in Microsoft-managed data centers. A fantastic tool for developers, Azure provides a host of services spanning software as a service, platform as a service, and infrastructure as a service, and it supports many different programming languages, tools, and frameworks.

In mid-2021, researchers discovered a major security oversight in Cosmos DB, Azure’s globally distributed NoSQL database service. The chain ended with attackers obtaining customers’ Cosmos DB primary access keys. Put simply, the primary key is a long-lived bearer credential: presenting it both authenticates the caller and grants full read, write and delete access to every database in the account, with no further authorization step.

In 2019, Microsoft added a Jupyter Notebook feature to Cosmos DB, a handy tool that lets customers query and visualize their data from within the Azure portal. In February 2021 the feature was automatically enabled for every customer. Unfortunately, a misconfiguration in the notebook environment allowed an attacker who escalated privileges from their own notebook to reach other customers’ notebooks and read their Cosmos DB primary keys.

With those keys in hand, an attacker could read, alter or exfiltrate the sensitive data of thousands of companies, including some of Azure’s largest customers.

Thankfully, Microsoft acted rapidly, quickly disabling the notebook feature and notifying around 30% of affected customers. One caveat for anyone potentially exposed: primary keys are not rotated automatically, so a stolen key stays valid until the customer regenerates it. Regenerating the Cosmos DB primary keys was therefore the essential remediation step, regardless of whether a notification arrived.

How CVEs Aid Flaw Management

Given the increasing segmentation of the tech landscape, it is easy to overlook the weight of responsibility a cloud provider carries. When providers take responsibility for managing the architecture, they become fundamentally responsible for a large part of their customers’ security.

Bizarrely, however, cloud providers are under no obligation to publicly publish the flaws they fix.

Common Vulnerabilities and Exposures (CVE) is a program that assigns a unique identifier to each publicly disclosed vulnerability and collects them in a free, public list that organizations use as a security resource.

This list standardizes the naming of each known vulnerability or exposure. Bugs and flaws collect a variety of names over their lifetime, and a standard ID of the form CVE-YYYY-NNNN lets companies look up technical information about a specific threat without the confusion of competing names.

Cloud vulnerabilities are very rarely issued CVEs, and the consequences go further than just education. For a long time the CVE program’s rules covered only products that customers install and patch themselves, so a flaw fixed silently on the provider’s side, like ChaosDB, typically received no ID at all. AWS has previously struggled with flaws in its Identity and Access Management (IAM) service, which is naturally of major importance to a company’s security, since it governs accounts, credentials and permissions.

Remember how client-side patching is the client’s responsibility? Yet even if AWS pushes hundreds of security updates to its managed IAM policies, those changes arrive with no CVE and no advisory feed, so security teams have no standard tooling to scan for them, understand what changed, or prioritize a fix.
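The gap is concrete: an AWS-managed policy can change underneath you with no identifier to trigger a scan. The following is an added example, not code from this article or from AWS, that diffs two versions of an IAM policy document and ranks the widening changes so that a team can at least triage them itself. The two policy documents, the account ID and the role name are constructed placeholders, and the severity rules are my own heuristic rather than any AWS classification; in practice the documents would be fetched with boto3’s `iam.list_policy_versions` and `iam.get_policy_version` calls.

```python
"""Diff two versions of an AWS IAM policy document and rank what changed.

Constructed example. In production the documents would come from boto3:
    versions = iam.list_policy_versions(PolicyArn=arn)["Versions"]
    doc = iam.get_policy_version(PolicyArn=arn, VersionId=vid)["PolicyVersion"]["Document"]
"""
import json

# Constructed sample: two versions of one hypothetical managed policy.
# The account ID and role name are placeholders, not real resources.
POLICY_V1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
POLICY_V2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    ],
}

LEVELS = ["low", "medium", "high"]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def grants(document):
    """Flatten a policy into a set of (effect, action, resource, conditioned) tuples.

    NotAction/NotResource are kept with a 'not:' prefix rather than expanded,
    because their true scope depends on AWS's full action catalogue.
    """
    if isinstance(document, str):
        document = json.loads(document)
    statements = document["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    flat = set()
    for stmt in statements:
        effect = stmt.get("Effect", "Deny")
        conditioned = "Condition" in stmt
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        actions += ["not:" + a.lower() for a in _as_list(stmt.get("NotAction"))]
        resources = _as_list(stmt.get("Resource"))
        resources += ["not:" + r for r in _as_list(stmt.get("NotResource"))]
        for action in actions:
            for resource in resources or ["*"]:
                flat.add((effect, action, resource, conditioned))
    return flat


def severity(action, resource, conditioned):
    """Heuristic ranking (my own, not an AWS classification) for a widened grant."""
    service = action.split(":", 1)[0]
    if action.startswith("not:") or action == "*" or service in ("iam", "sts"):
        level = 2  # identity/credential actions or open-ended grants
    elif "*" in action or resource == "*":
        level = 1  # wildcard action or unrestricted resource
    else:
        level = 0
    if conditioned and level > 0:
        level -= 1  # a Condition narrows the grant; downgrade one step
    return LEVELS[level]


def diff_policy(old_doc, new_doc):
    """Return (severity, kind, action, resource) findings, highest severity first.

    Only widening changes are reported: Allow grants that are new in new_doc and
    Deny statements that were present in old_doc but dropped.
    """
    old, new = grants(old_doc), grants(new_doc)
    findings = []
    for effect, action, resource, cond in new - old:
        if effect == "Allow":
            findings.append((severity(action, resource, cond), "new allow", action, resource))
    for effect, action, resource, cond in old - new:
        if effect == "Deny":
            findings.append((severity(action, resource, cond), "dropped deny", action, resource))
    return sorted(findings, key=lambda f: (-LEVELS.index(f[0]), f[1], f[2]))


if __name__ == "__main__":
    for sev, kind, action, resource in diff_policy(POLICY_V1, POLICY_V2):
        print(f"[{sev:6}] {kind:12} {action} on {resource}")
```

Run against the two constructed versions, the new `iam:PassRole` grant surfaces first, the dropped `Deny` on `s3:DeleteBucket` and the new unrestricted `s3:PutObject` follow, and the region-conditioned `ec2:DescribeInstances` grant lands at the bottom. Narrowing changes are deliberately ignored; the point is to catch a provider quietly widening what a policy permits, which is exactly the class of change no CVE will ever announce.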

Securing Data on Insecure Infrastructure

While shared responsibility is the leading security model, you will never have control over your cloud provider’s infrastructure. That is why it is vital to secure your data within that environment on the assumption that the provider’s side can fail.

Choose a provider that offers encryption, so that data at rest and in transit stays unreadable even if it is accessed maliciously. One caveat a practitioner should keep in mind: provider-managed encryption does nothing against a flaw in the provider’s own control plane. In ChaosDB, the data was encrypted at rest, but a stolen access key simply unlocked it through the normal API. Client-side encryption, where data is encrypted before upload with a key the provider never sees, removes that dependency for the data that matters most. In the same vein, configure privacy and access settings to prevent third-party apps from reaching sensitive information.

You can also check how long the service retains your data, and what details it can collect from your apps and devices. Once your privacy settings are in place, review them periodically, and again whenever the provider changes a default or rolls out a new feature, as happened when Cosmos DB notebooks were switched on for every customer.