Microsoft Azure Blob leak a lesson to CISOs about cloud security responsibility

In what appears to be a self-inflicted wound, Microsoft misconfigured its own Microsoft Azure Blob (cloud) storage buckets, which housed third-party data according to vpnMentor. The company in effect scored an own-goal in favor of those seeking to steal intellectual property.

vpnMentor published its timeline and interaction (or lack thereof) with Microsoft as its researchers discovered, then warned, the company of the discovered misconfiguration. A variety of organizations whose information was found within the data bucket were pitching Microsoft Dynamics in hopes of establishing a partnership with Microsoft.

The report described how over 100 “pitch decks” and source codes from 10 to 15 companies were exposed. Companies entrusted to Microsoft their ideas and intellectual property as part of their effort to become a part of the Microsoft Dynamics CRM/ERP ecosystem and unknowingly had their ideas and intellectual property placed at risk by the misconfiguration.

The shared responsibility model

As to who has ownership for such misconfigurations, the vpnMentor research team tells me, “We can say that the shared responsibility model puts the burden of properly securing data assets in the hands of the user. Various parties in user organizations may have different short-term priorities and different levels of understanding of concepts of security. This can end up leaving sensitive data exposed. Regardless of the underlying cloud stack, this can have dire consequences.”

The concept of “shared responsibility” is one CISOs should pursue: The cloud provider is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. CISOs should drive this idea home to all who may be placing data into an externally controlled cloud storage environment.

We see with great regularity how cloud storage owners fail to make their storage buckets private. They often eschew the multiple levels of access and authentication process and procedures cloud providers have in place to be used to protect their data. As more and more of our data takes up residence in the cloud, be it Azure Blob or AWS S3, configuring the environment to restrict access from those without a need to know is basic table stakes.

The Microsoft misconfiguration was for 63 gigabytes of data, or 3,800 files, which had been created in 2016. While that may be viewed as inconsequential in 2021, the owner of the information should be the one to determine its current value.

Michael Quinn, CEO of ActiveCypher (and a former Microsoft executive), says, “In this instance, it’s hard to track down who actually is to blame. With external consultants, vendors, and expanding workforces having access to vast swaths of key data, companies are facing an uphill battle in their quest to create a secure data supply chain. The current network/ecosystem have in recent months been exposed as porous and prone to compromise, losing sight of the goal (data protection) and redoubling the effort has only resulted in the same outcomes.”  He adds that the “true approach” is to provide data protection at the file level regardless of the point of creation or whether it is at rest, in transit, or external. “[This] can negate the usefulness of the data being compromised even if exfiltrated.”

The case for cloud security posture management

The March 2021 “State of Cloud Security Concerns, Challenges and Incidents” survey report, prepared by AlgoSec in conjunction with the Cloud Security Alliance, noted how cloud storage misconfigurations are not limited to data exposure. The report highlights how 26% of outages were associated with a cloud provider issue, while another 21% were associated with a security misconfiguration.

The report also notes that about 50% of information security teams charged with security management were using cloud orchestration and management tools, with about 35% using home-grown scripts, and 29% using manual processes. Therefore, if the expertise does not reside in-house, then third-party providers with the necessary expertise to provide cloud security posture management (CSPM) services should be pursued. These CSPM providers can be expected to continually monitor the cloud instance, identifying and remediating evolving risks.

The number and frequency of configuration errors may lead IT executives to believe convenience of access to data is more important than securing the information. They would not be wrong. Security awareness and education initiatives explaining the “why” behind securely configuring cloud environments will be time well spent.