Dawn van Hoegaerden
October 15, 2019
Many organizations make the same million-dollar security mistake. They believe that enterprise security tools can seamlessly transfer to the cloud. Two recent high-profile incidents highlight the need to rethink security with a move to the cloud.
Both Capital One and Imperva were hit through their AWS EC2 instances. In Capital One’s case, hundreds of millions of accounts were exposed by a misconfiguration of a web application firewall (WAF), compounded by extremely broad permissions. The attacker was able to use a Server-Side Request Forgery (SSRF) vulnerability, which lets an attacker reach data behind the firewall, to steal database credentials. Once in, the attacker had unbridled access to everything on the server.
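The SSRF path described above is one a defender can close at the application layer: a server-side fetch should refuse any user-supplied URL that points at a literal IP, a host outside a known allowlist, or a name that resolves to internal or link-local address space. The following Python is an added example, not code from Fyde or from either incident write-up; the allowlist, the fake DNS table and every address in it are constructed stand-ins, and the resolver is injected so the check runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist: the only external hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Address space a server-side fetch should never be steered into: RFC 1918, loopback,
# link-local (which includes cloud instance metadata endpoints), carrier-grade NAT,
# "this network", multicast and reserved ranges, plus their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed DNS table standing in for a real resolver. The allowlisted CDN name has
# been pointed at an internal address (a split-horizon DNS mistake) to show that
# allowlisting the name alone is not enough.
FAKE_DNS = {
    "api.example.com": ["203.0.113.5"],
    "cdn.example.com": ["10.0.0.5"],
}


def fake_resolve(host):
    """Offline stand-in for DNS resolution; returns a list of IP strings."""
    return FAKE_DNS.get(host, [])


def is_blocked_address(ip_str):
    """True if the address falls inside any range a fetch must not reach."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 destination
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, resolve=fake_resolve):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason, addresses). On success, `addresses` holds the vetted
    resolution result so the caller can connect to exactly those addresses
    rather than resolving the name a second time.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parsed.hostname
    if not host:
        return False, "no host in URL", []
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed", []
    except ValueError:
        pass  # a hostname, not an address literal
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist", []
    addresses = resolve(host)
    if not addresses:
        return False, "host did not resolve", []
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"host resolves to a non-public address ({addr})", []
    return True, "ok", addresses


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/report",
                      "https://cdn.example.com/asset.js",
                      "http://127.0.0.1:8080/admin",
                      "https://other.example.net/"):
        print(candidate, "->", validate_outbound_url(candidate)[:2])
```

Because the function hands back the vetted addresses, the caller should open the connection to one of those addresses (sending the hostname in the `Host` header) instead of letting the HTTP client resolve the name again; otherwise a second lookup can return a different answer than the one that was checked.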
At Imperva, the weak link was a migration to an AWS relational database. During the move, an internal compute instance was exposed to the public, leading to unauthorized use of an AWS administrative API key. More than 13,000 customers were affected, exposing emails and passwords.
What’s the solution?
As Stephen Harris aptly summarized in his blog, Ramblings of a Unix Geek:
“I really am not a fan of the AWS security model; there’s far far too many knobs and controls, and it’s not clear how they interact with each other. It can be hard to even know something simple (“Is this server port 22 open to the internet?”) because of how configurations interact (security groups, routing tables, network ACLs, etc etc).”
Public cloud implementations are fraught with pitfalls. Many organizations do not realize that software they deploy to the cloud may not have default security features. Or, they have not thought of every outlier breach possibility. Some cloud databases, for instance, can expose their entire dataset to the internet if misconfigured.
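The quoted question ("Is this server port 22 open to the internet?") can only be answered by combining the controls Harris lists: the instance needs a public address, its subnet needs a route to an internet gateway, the subnet's network ACL must allow the traffic, and a security group must allow it too. The following Python is an added example, not code from the original post or from AWS; it models those four layers on constructed sample data (the instance, security group, network ACL and route table are all stand-ins) rather than calling any AWS API, and shows a security group that permits port 22 from anywhere being overridden by a network ACL.

```python
import ipaddress

# ---- Constructed sample configuration (stand-ins, not real account data) ----
INSTANCE = {"id": "i-0example", "public_ip": "203.0.113.10",
            "security_groups": ["sg-web"], "subnet": "subnet-a"}

# Security groups are allow-only and unordered: any matching rule admits the traffic.
SECURITY_GROUPS = {
    "sg-web": [
        {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    ],
}

# Network ACLs are evaluated in ascending rule number, first match wins, and an
# implicit deny sits at the end. Here SSH is allowed from inside 10.0.0.0/8 only.
NETWORK_ACLS = {
    "subnet-a": [
        {"rule": 100, "protocol": "tcp", "from_port": 22, "to_port": 22,
         "cidr": "10.0.0.0/8", "action": "allow"},
        {"rule": 110, "protocol": "tcp", "from_port": 22, "to_port": 22,
         "cidr": "0.0.0.0/0", "action": "deny"},
        {"rule": 200, "protocol": "-1", "from_port": 0, "to_port": 65535,
         "cidr": "0.0.0.0/0", "action": "allow"},
    ],
}

# A subnet is only reachable from the internet if it routes to an internet gateway.
ROUTE_TABLES = {
    "subnet-a": [{"dest": "10.0.0.0/16", "target": "local"},
                 {"dest": "0.0.0.0/0", "target": "igw-0example"}],
}


def _matches(rule, source, protocol, port):
    """Does one rule match traffic from `source` to `protocol`/`port`? ("-1" = any protocol)"""
    proto_ok = rule["protocol"] in ("-1", protocol)
    port_ok = rule["from_port"] <= port <= rule["to_port"]
    src_ok = ipaddress.ip_address(source) in ipaddress.ip_network(rule["cidr"])
    return proto_ok and port_ok and src_ok


def sg_allows(sg_ids, source, protocol, port):
    """Security groups: allowed if any rule in any attached group matches."""
    return any(_matches(r, source, protocol, port)
               for sg in sg_ids for r in SECURITY_GROUPS.get(sg, []))


def nacl_allows(subnet, source, protocol, port):
    """Network ACL: the lowest-numbered matching rule decides; no match means deny."""
    for r in sorted(NETWORK_ACLS.get(subnet, []), key=lambda r: r["rule"]):
        if _matches(r, source, protocol, port):
            return r["action"] == "allow"
    return False


def subnet_routes_to_igw(subnet):
    """Route table: a default route whose target is an internet gateway."""
    return any(r["dest"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in ROUTE_TABLES.get(subnet, []))


def reachable_from(instance, source, protocol, port):
    """Can a source on the public internet reach `port` on this instance?

    Returns (verdict, per-layer checks) so the caller can see which layer blocked it.
    """
    checks = {
        "has_public_ip": instance.get("public_ip") is not None,
        "route_to_igw": subnet_routes_to_igw(instance["subnet"]),
        "nacl_allows": nacl_allows(instance["subnet"], source, protocol, port),
        "sg_allows": sg_allows(instance["security_groups"], source, protocol, port),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    # 198.51.100.7 is a constructed stand-in for an arbitrary internet source.
    for port in (22, 80):
        exposed, why = reachable_from(INSTANCE, "198.51.100.7", "tcp", port)
        print(f"tcp/{port} open to the internet: {exposed}  {why}")
```

Port 22 comes back closed even though the security group alone says it is open, which is exactly the interaction the quote complains about. The model is deliberately minimal: it covers inbound rules only (network ACLs are stateless, so the outbound direction must allow the return traffic as well), ignores more specific routes, and does not model a NAT gateway or peering. The useful habit it illustrates is evaluating every layer together and reporting which one made the decision, rather than reading any one of them in isolation.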
Imperva has outlined new security policies and procedures in the wake of this incident. One of those is to put all internal compute instances behind a VPN by default. While this is a good first step, it can still leave the internal network exposed to unauthorized access from compromised endpoints and insider threats.
Zero Trust is the answer
Fyde is built for the cloud. Our Zero Trust secure access platform is made for modern cloud-native enterprises. You never have to worry about a misconfiguration that exposes your business to the public internet. With Fyde as the gateway to your infrastructure, everything is private by default. All corporate resources and workloads reside within the private network. As an extra measure of security, Fyde provides full role-based and device-based access control to further segment data access and limit exposure.
While Imperva and Capital One made headlines this time, nearly every company is vulnerable to these types of attacks. Understand exactly what level of security AWS or any other public cloud provider offers and how that may impact your implementation. Re-evaluate your security portfolio prior to moving to the cloud. Simplify the process with a strong proxy that delivers both global and granular security controls.