How to avoid the pitfalls of cloud misconfiguration

For healthcare organizations looking to expand their cloud footprint, improving security through measures such as built-in encryption, network monitoring, and more frequent patches is often as important as increasing flexibility and reducing infrastructure costs. However, there’s one security risk that can easily be overlooked: Cloud misconfiguration.

A cloud misconfiguration is an error in implementing cloud architecture that leaves an organization vulnerable to hackers. The most common culprit is default configuration settings that provide inadequate access controls for storage services, databases, or containers that run virtualized applications. 

A Deloitte analysis noted that misconfigurations are common (found in more than 90% of cloud deployments) and largely go unnoticed (with only 1% of misconfiguration incidents identified by IT teams). Once detected, it can take days to fix a configuration error. The risk, of course, is a disclosure of personally identifiable information or protected health information – and a data breach mitigation price tag of more than $9.2 million, according to recent research from IBM Security. 

The strategy for preventing misconfiguration errors involves equal parts policy and technology – and both are intertwined, Deloitte suggested. The goal is twofold: Prevent breaches that result from misconfigurations and, at a larger level, prevent misconfigurations form happening in the first place.

On the technology side, each of the major cloud service providers (CSPs) – Amazon Web Services, Google Cloud, and Microsoft Azure – offers tools both for network security, such as an access control list to filter network traffic or a subnetwork, and for role-based access controls to restrict who can use which resources. 

In addition, each CSP sets its own cloud configuration settings and updates them regularly. Healthcare organizations should monitor these updates closely; their older cloud installations are likely to have older, less secure configurations in place and as a result may pose an undetected security risk.

Security tools from CSPs can be coupled with third-party products. These can include cloud management platforms, which are helpful for organizations that use multiple CSPs and the tools that come with them, and a cloud access security broker (CASB), which monitors activity on the cloud and helps enforce an organization’s overall security policies.

When it comes to policies, restricting user access is of the strongest protections against cloud misconfiguration loopholes. Policies can be as simple as a requirement for multi factor authentication or as through as a zero-trust model that requires continuous validation to access storage arrays, databases, application containers, or search functionality. 

A strategy of continuous cloud monitoring also helps organizations watch for suspicious activity (both internal and external), identify configuration risks such as open network ports, or spot any cloud installations that may not have received official approval. This lets IT teams nip problems in the bud – and then update policies to prevent similar problems from happening in the first place.

Brian Eastwood is a Boston-based writer with more than 10 years of experience covering healthcare IT and healthcare delivery. He also writes about enterprise IT, consumer technology, and corporate leadership.