No Encryption on 82 Percent of Public Cloud Databases, Says Report
Other problems: weak network controls, poor governance, developer-caused security risks and tough compliance complications.
A new RedLock Inc. research report shows a sorry state of public cloud security, finding 82 percent of hosted databases remain unencrypted, among many other problems.
RedLock, which describes itself as a cloud infrastructure security company, yesterday published its first "Cloud Infrastructure Security Trends" report, finding myriad problems in public cloud computing environments, with the Amazon Web Services Inc. (AWS) cloud being featured prominently.
"Shockingly, the team determined that 82 percent of databases in public cloud computing environments such as Amazon Relational Database Service and Amazon RedShift are not encrypted," the report said.
It also identified several other issues besides sensitive data being left exposed, including weak network controls, poor governance, developer-caused security risks and tough compliance complications.
Regarding the vulnerable databases, the security firm singled out MongoDB instances as a cause of worry to security professionals. Those open source databases were primary targets of a ransomware hijacking attack early this year.
"To make matters worse, 31 percent of those [unencrypted] databases were accepting inbound connection requests from the Internet, which is a very poor security practice," the report said. "Most notably, MongoDB instances saw significant inbound traffic with port 27017 being amongst the top five ports for inbound Internet connections."
And, again, AWS offerings were noted as examples.
"On a similar note, RedLock CSI researchers also discovered that 40 percent of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public," the report said. "In March 2017, at least 20,000 customer records containing sensitive data were exposed at Scottrade due to such a misconfiguration."
Key highlights of the report as identified by RedLock in a news release include:
- Sensitive data such as PII [Personally Identifiable Information] and PHI [Protected Health Information] is left exposed because basic data security best practices such as encryption and access control are not being enforced.
- Network security is being overlooked by allowing unfettered access to sensitive applications.
- Lack of user access controls is leading to poor security hygiene amongst users.
- Developers are inadvertently introducing risks due to lack security expertise, especially when it comes to new technologies like containers.
- Achieving continuous compliance is hard in a constantly changing environment.
The company said its research team has identified 4.8 million exposed records with sensitive data, including PII and PHI.
The situation was so bad on the AWS cloud that the company last month issued an alert titled "Publicly Shared Amazon RDS and EBS Snapshots Expose Confidential Information." RedLock emphasized that the AWS issues weren't caused by the cloud platform itself -- they result from poor configuration practices on the part of cloud users.
"The RedLock security research team discovered a common misconfiguration in Amazon Relational Database Service (RDS) and Amazon Elastic Block Store (EBS) where snapshots have inadvertently been granted 'public' access," the April alert said. "This potentially exposes sensitive enterprise data to unauthorized users".
The alert specifically mentioned that RedLock found some 300,000 customer e-mails and encrypted passwords belonging to a Fortune 50 enterprise and about 500,000 customer and employee records belonging to a healthcare supply chain management vendor, with clients including most major healthcare providers.
RedLock further discussed last month's security alert in a blog post yesterday, in which the company said: "Any user with valid AWS credentials can easily find and access unencrypted data volumes that have been publicly shared and subsequently gain access to all the information stored within these backups. Customers are advised to immediately assess their infrastructure for this vulnerability and take appropriate actions to fix the configuration error."
Meanwhile, in yesterday's new follow-up research report, the company provided many tips for security-conscious organizations using public clouds, including:
- Automatically discover database and storage resources as they are created in a public cloud computing environments.
- Implement continuous configuration monitoring to ensure that encryption is enabled for these resources, and public access is disabled.
- Monitor network traffic to ensure these resources are not communicating directly with services on the Internet.
- Monitor and redirect unencrypted Web traffic from port 80 to port 443 using HSTS [HTTP Strict Transport Security].
- Ensure services are configured to accept traffic from the Internet on an as-needed basis.
- Implement a "deny all" default outbound firewall policy.
"Public cloud computing environments are incredibly dynamic -- our research shows that the average lifespan of a cloud resource is only 127 minutes -- and traditional security strategies can't keep pace," said RedLock CTO Gaurav Kumar in a statement. "Our report, which analyzed over 1 million cloud resources and 12 petabytes of network traffic, unmistakably shows the need for solutions that help manage security and compliance risks with ease, speed and automation."
In explaining the methodology behind the report, RedLock said that in addition to the RedLock CSI team's analysis across the company's customer environments, "the team also actively probed the Internet for vulnerabilities in public cloud infrastructure."
David Ramel is the editor of Visual Studio Magazine.