3 Costly Cloud Infrastructure Misconfigurations

It has never been easier for your company to build new infrastructure.  In just a few clicks, you can spin up shiny new servers and databases in the cloud and start using them in seconds.  

However, in the rush to deploy new services so quickly, companies often let information security be an afterthought, and leave critical vulnerabilities and misconfigurations exposed to the internet.  These issues can lead to costly breaches and damage your reputation as well.  

In this article, we will look at common cloud infrastructure misconfigurations and how to address them using strongDM.

Cloud infrastructure security challenges

There are several misconfigurations companies make when setting up cloud infrastructure, here are 3 costly but avoidable ones:

Unprotected remote access

A report from ThreatStack assessed 200 companies using cloud infrastructure and found that nearly three-quarters of them had a service with at least one critical network security misconfiguration.  For example, 73% of the companies ran infrastructure with a wide-open SSH connection, thus allowing attackers to try and guess valid credentials 24/7. Companies sometimes expose database servers to the Internet as well, and if those servers are missing application or operating system security patches, cybercriminals might be able to gain access to those servers without needing credentials at all.  Services such as SSH and RDP should only be available behind a VPN connection which is ideally protected with two-factor authentication.

Improper permissions

In general, companies tend to over-provision user accounts with access to network resources by giving entire groups (such as the IT/security staff) the ability to see all files and make changes across all systems.   Worse yet, many administrator accounts are not configured to use strong passwords, so if just one of those many high-privilege accounts are compromised, the effects can be devastating to the organization. Instead, employees should have the minimal amount of rights necessary to do their jobs (the principle of least privilege), and that access should be subject to regular review to ensure it is always appropriate.

No logging/auditing in place

In the event of a security incident, arguably the most valuable asset to have - and that your incident response team will want to see - is logs.  Unfortunately, many companies are either not logging all their critical assets, or the logs are missing the kind of verbose data needed to be valuable to an investigation.  In the same vein, you need to be able to generate audit reports for your critical database servers and Web servers so you can answer some critical questions in real time: “Who was on this system, what were they doing, and when?”

Securing databases and servers with strongDM

Tackling the cloud security challenges mentioned above are easier said than done, and a solution like strongDM can greatly simplify the security, logging and auditing of your servers and databases.  Here are the implementation steps at a high level:

Setup strongDM client

Once you have your strongDM account setup, login and download the client software to your management workstation:

Acquire necessary access

You will need administrator level access to the networks, databases and servers you want to secure.  Typically, in a Microsoft Windows Active Directory environment, this is an account that has membership in the Domain Admins group.  Your databases might be Active Directory integrated as well, but commonly use independent sets of administrative credentials. You might also wish to create a new administrative credential (called “strongDM” for example) to use with strongDM.  This can help simplify installation and administration, and also easily identify this special administrative account when you’re looking through logs.

Provision a Linux server

To use strongDM, you will also need to install a Linux server to host the strongDM gateway.  You need to select a virtual server instance with at least two CPUs and four GBs of memory. As an example, something in the AWS T2 should work, but any cloud host will suffice.  If you’ve never built up a cloud Linux server before, our step-by-step tutorial on building a bastion host will help get you started with the necessary commands to deploy, update and start securing the server.

Create the strongDM gateway

  1. In the strongDM Admin UI, select the Relays tab and click Add Gateway.  
  2. Provide the public IP of your Linux server.  Also define the “bind IP,” which can be to represent all interfaces.  
  3. Click Create, and save the one-time use token that appears - you will need it later in the install.
  4. Log in to your Linux host and disable SELinux.
  5. Use the following commands to download, unzip and install the strongDM relay:

curl -J -O -L https://app.strongdm.com/releases/cli/linux

unzip sdmcli_VERSION_NUMBER_linux_amd64.zip

sudo ./sdm install --relay

  1. You will be prompted to supply the relay token you received in step 3.  
  2. Once the install completes, enable SELinux (If you previously disabled it).
  3. Log in to the strongDM Admin UI again and refresh your browser.  Under the Relay section you should see the new gateway you created with a status of Online.

Connect your datasources

Next, you will connect a database (called a “datasource”) following these steps:

  1. Ensure the datasource is accessible from your gateway server.
  2. Inside the strongDM portal, click the Datasources tab and click Add Data Source.  You will then need to provide:
  • Display name - the name that will appear for users who have access to this datasource
  • Type of datasource - such as MySQL, SQL server, PostgreSQL, etc.
  • Database port
  • Database credentials
  1. Click Create and the new datasource should show up in the strongDM portal.

Query the datasource

Now you should be able to query your datasource in the strongDM portal:

  1. Click the Users tab.
  2. Select your username, then select your datasource from the Datasources tab.
  3. Open the strongDM client on your local machine, login with your credentials and the datasource you created should appear.
  4. Click the datasource and look for a green lightning bolt, which indicates a connection has been properly made between the strongDM client and datasource.
  5. Open your database client (such as Postico) and create a new connection with the host and port you assigned in your strongDM client.  Leave the username and password blank, as authentication happens transparently through strongDM.
  6. Click Connect, and you are now ready to run your first query.

With so much of our critical infrastructure and sensitive data living in the cloud, it’s important to have a solid grasp of who is accessing this sensitive information, what changes are being made to systems, and when.  To gain this deep level of visibility, you can go the DIY route and piece together the necessary software and services to get the job done. Or, consider strongDM for a turnkey solution aimed to get you up and running quickly and easily.

You can try strongDM right now with a free, 14-day trial or schedule a demo to speak with someone on the team.

About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

SASE vs. CASB: Everything You Need to Know
SASE vs. CASB: Everything You Need to Know
In this article, we’ll take a big-picture look at how SASE and CASB solutions fit into the enterprise security landscape. We'll explore the key differences between SASE and CASB and explain how each tool helps ensure enterprise security. You will gain an understanding of how SASE and CASB solutions compare and which might be suitable for your organization.
What is CIEM? Cloud Infrastructure Entitlement Management
What is CIEM? Definition, Benefits, Limitations & More
As more enterprises migrate to the cloud, access management and security has grown more complex. Cloud infrastructure entitlement management (CIEM) solutions emerged to address these challenges. In this article, we’ll take a broad look at what CIEM is, how it works, why it’s important, and how it differs from and works with other cloud management solutions.
What is DevOps Security?
What is DevOps Security? Challenges and Best Practices
What are the biggest security challenges facing DevOps, and how can practitioners overcome them? In this article, Good e-Learning and strongDM examine how DevOps engineers can work to guarantee security across their cultures.
Cloud Infrastructure Security
Cloud Infrastructure Security | 3 Costly but Avoidable Mistakes
The cloud has changed the way we access and secure technical infrastructure, leaving teams lost in a tangle of resources. Thankfully, access doesn’t have to be this complicated. Join Hermann Hesse, VP of Solutions at strongDM, as he shares three costly but avoidable cloud infrastructure security challenges and what you can do to address them.
Enterprise Kubernetes
Kubernetes in the Enterprise Webinar Recap
Join strongDM CTO Justin McCarthy and a panel of experts as they discuss the challenges, complexities, and best practices of enterprise k8s adoption.