Welcome to the first post in an ongoing column, Cloud Watch, that will keep an eye on cybersecurity in the cloud service space.

Assuring the security of devices connected to Internet of Things (IoT) and especially Industrial IoT (IIoT) networks is a problem that’s not going away. The more devices that get connected, the more are getting hacked and attacked. But it’s not just devices — it’s their data that’s at risk. And that data is being shared and stored in the cloud.

As data processing and storage, data management, and data analytics of IoT/IIoT devices are shifted to the cloud, the need to access them by many different types of users has multiplied. This means a huge increase in the need to secure both the devices and their data, as cloud-related data breaches continue to occur.

One recent example is the exposure of personal data of thousands of UK business professionals from a misconfigured Amazon Web Services (AWS) server, discovered by researchers. Other exposures of sensitive personal data in large cloud databases include last year’s Capital One breach, caused by a misconfigured AWS firewall.

It’s not only AWS. Microsoft has issued patches for two major security flaws in its Azure cloud software that made Azure servers vulnerable to hacking. And of course those servers are storing someone’s sensitive information — maybe yours. Worse, those flaws were also discovered by outside researchers.

Design engineers might well ask, what’s the point of all the time and hassle needed to build good embedded security into endpoint IIoT devices if they’re guarded by inadequate cloud security? On one hand, we’re told that moving IIoT data handling, sharing and storage to the cloud is safer than a company’s own data center, because data centers of cloud service providers (CSPs) like Amazon, Microsoft or Google have better security measures.

On the other hand, once a breach does occur, whether caused by CSP or customer missteps, millions of highly sensitive personal or business records can be exposed to the entire world with long-lasting consequences. So it’s also true that moving customer data and proprietary information from on-premises equipment to the cloud vastly increases the potential attack surface available to hackers.

Many cloud server breaches have occurred because of customer-caused misconfigurations. Verizon’s 2019 Data Breach Investigations Report found that misconfigurations and publishing errors were the top “miscues” making data exposures possible. More than a third of error-related data breaches were due to misconfigurations on databases, often in cloud storage.

In infrastructure-as-a-service (IaaS) environments, 99% of those misconfigurations can go undetected, according to McAfee in its 2019 report on IaaS adoption and risk. “The enterprise companies we spoke to told us that they were aware of, on average, 37 misconfiguration incidents per month,” the report stated. “Yet our real-world data shows that companies actually experience closer to 3,500 such incidents.”

In a guide to mitigating cloud vulnerabilities posted last month, the National Security Agency (NSA) divides them into four types: misconfiguration, poor access control, shared tenancy-related, and supply chain-related. It states, “misconfiguration of cloud resources remains the most prevalent cloud vulnerability.” Cloud customers have greater control over the first two types, but can also take actions to protect resources against the last two. The guide says both service providers and their customers share responsibility, to a greater or lesser degree, for each of these vulnerabilities.

NSA Cloud Shared Responsibility Model (Source: National Security Agency)

The Cloud Shared Responsibility Model is often cited to clarify who’s considered responsible for which security tasks. As the NSA guide says, under this model, “CSPs and cloud customers share unique and overlapping responsibilities to ensure the security of services and sensitive data stored in public clouds. CSPs are responsible for securing the cloud infrastructure, as well as implementing logical controls to separate customer data. Organizational administrators are usually responsible for configuring application-level security (e.g., access controls for authorization to data). Many CSPs provide cloud security configuration tools and monitoring systems, but cloud customers are responsible for configuring the service according to organizational security requirements.”
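The customer's share of that responsibility is concrete: the access-control configuration on a storage service is where most of the exposures described above were introduced. The following is an added example, not code from the column or from any cloud provider, of the kind of check a customer can run offline against its own bucket policies. It is a small linter that flags any Allow statement whose Principal is a wildcard, which is the pattern behind a world-readable bucket. The two policies are constructed samples in the AWS bucket-policy JSON format; the bucket name, account id and role name are placeholders.

```python
"""
Added example (not part of the Cloud Watch column): an offline linter for the
most common customer-side misconfiguration, a storage policy that grants
access to anyone. Policies below are constructed samples; the account id,
role name and bucket name are placeholders.
"""
import json

WILDCARD = "*"


def _principal_is_wildcard(principal):
    """True if the statement's Principal grants to every AWS identity."""
    if principal == WILDCARD:
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return WILDCARD in aws
    return False


def find_public_statements(policy):
    """Return (Sid, severity) for every Allow statement open to any principal.

    severity is "public" when nothing restricts the caller, or "conditional"
    when a Condition block is present and must be reviewed by hand, because a
    condition may or may not narrow the wildcard to something acceptable.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), severity))
    return findings


# Constructed sample: world-readable objects, the classic exposure pattern.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-iiot-telemetry/*"
  }]
}
""")

# Constructed sample: the same read access, limited to one role in the
# customer's own account (placeholder account id and role name).
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AnalyticsRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/telemetry-analytics"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-iiot-telemetry/*"
  }]
}
""")


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(pol) or "no wildcard principals")
```

Run on its own, the script reports `PublicRead` as public and nothing for the hardened policy. A check like this belongs in the pipeline that deploys the configuration, so a wildcard principal is caught before the bucket exists; it complements, rather than replaces, the provider-side controls the NSA guide refers to, such as the account-level public-access block that AWS offers for S3.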

Companies will continue to offload IIoT data handling and storage tasks to cloud services for the clear advantages of cost reduction and improved efficiency. Hackers and other threat actors, both external and internal, will continue to attack those data aggregates in any way they can, and occasionally succeed. CSPs and other suppliers will continue to improve their cloud cybersecurity products. And Cloud Watch will keep an eye on all this and report the most significant events, breaches, and improvements.