
3 Costly Cloud Infrastructure Misconfigurations


It has never been easier for your company to build new infrastructure.  In just a few clicks, you can spin up shiny new servers and databases in the cloud and start using them in seconds.  

However, in the rush to deploy new services so quickly, companies often let information security be an afterthought, and leave critical vulnerabilities and misconfigurations exposed to the internet.  These issues can lead to costly breaches and damage your reputation as well.  

In this article, we will look at common cloud infrastructure misconfigurations and how to address them using StrongDM.

Cloud infrastructure security challenges

There are several misconfigurations companies make when setting up cloud infrastructure. Here are 3 costly but avoidable ones:

Unprotected remote access

A report from ThreatStack assessed 200 companies using cloud infrastructure and found that nearly three-quarters of them had a service with at least one critical network security misconfiguration.  For example, 73% of the companies ran infrastructure with a wide-open SSH connection, thus allowing attackers to try to guess valid credentials 24/7. Companies sometimes expose database servers to the Internet as well, and if those servers are missing application or operating system security patches, cybercriminals might be able to gain access to those servers without needing credentials at all.  Services such as SSH and RDP should only be available behind a VPN connection that is ideally protected by two-factor authentication.
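As an added example (not StrongDM's code), here is a small audit script that finds the "wide-open SSH" misconfiguration described above in a list of firewall rules. The rule layout mirrors the shape of AWS security-group output, but the groups below are constructed for the example, and the VPN subnet 10.8.0.0/24 is an assumed value.

```python
"""Flag firewall rules that expose SSH or RDP to the whole internet."""
import ipaddress

REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample groups (not real infrastructure): one exposes SSH to
# everyone, one limits RDP to an assumed VPN subnet, and one allows all
# protocols from any IPv6 source, which silently covers both ports.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-jump", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.8.0.0/24"}]}]},
    {"GroupId": "sg-lazy", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def port_in_rule(rule, port):
    """True if the rule admits TCP traffic to `port`; '-1' means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def source_cidrs(rule):
    """Yield every IPv4 and IPv6 source range attached to a rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def is_world_open(cidr):
    """0.0.0.0/0 or ::/0: every address on the internet may connect."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_remote_access(groups):
    """Return (group_id, service, cidr) for each rule exposing SSH/RDP to all.
    Rules scoped to a private or VPN range are left alone."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            for port, service in REMOTE_ACCESS_PORTS.items():
                if not port_in_rule(rule, port):
                    continue
                findings.extend((group["GroupId"], service, cidr)
                                for cidr in source_cidrs(rule) if is_world_open(cidr))
    return findings
```

The same check can be fed real output by loading the `SecurityGroups` list from `aws ec2 describe-security-groups` instead of `SAMPLE_GROUPS`.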

Improper permissions

In general, companies tend to over-provision user accounts with access to network resources by giving entire groups (such as the IT/security staff) the ability to see all files and make changes across all systems.  Worse yet, many administrator accounts are not configured to use strong passwords, so if just one of those many high-privilege accounts is compromised, the effects can be devastating to the organization. Instead, employees should have the minimal amount of rights necessary to do their jobs (the principle of least privilege), and that access should be subject to regular review to ensure it is always appropriate.

No logging/auditing in place

In the event of a security incident, arguably the most valuable asset to have - and that your incident response team will want to see - is logs.  Unfortunately, many companies are either not logging all their critical assets, or the logs are missing the kind of verbose data needed to be valuable to an investigation.  In the same vein, you need to be able to generate audit reports for your critical database servers and Web servers so you can answer some critical questions in real time: “Who was on this system, what were they doing, and when?”
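To show what "verbose enough to be valuable" means in practice, here is an added example (not StrongDM's code, and not StrongDM's log format) that answers "who was on this system, what were they doing, and when?" from a constructed session audit log. Because the log keeps the full SQL text, a destructive statement by a service account at 22:14 stands out.

```python
"""Query a session audit log for who/what/when, and flag destructive SQL."""
import shlex
from datetime import datetime, timezone

# Constructed sample log: one line per event, key=value fields, quoted SQL.
SAMPLE_LOG = """\
2022-03-01T09:02:11Z user=alice host=db-prod-1 event=session_start
2022-03-01T09:02:40Z user=alice host=db-prod-1 event=query sql="SELECT count(*) FROM orders"
2022-03-01T09:05:03Z user=alice host=db-prod-1 event=session_end
2022-03-01T22:14:09Z user=svc-backup host=db-prod-1 event=session_start
2022-03-01T22:14:30Z user=svc-backup host=db-prod-1 event=query sql="DROP TABLE audit_trail"
2022-03-01T22:15:00Z user=bob host=web-1 event=session_start
"""
DESTRUCTIVE = ("DROP", "TRUNCATE", "DELETE", "ALTER")


def parse_line(line):
    """Split 'TIMESTAMP k=v k="v with spaces"' into a dict with a UTC datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def activity_on(log_text, host, start, end):
    """Who did what on `host` between `start` and `end`: (time, user, description)."""
    rows = []
    for ev in events(log_text):
        if ev["host"] != host or not (start <= ev["ts"] <= end):
            continue
        desc = f'query: {ev["sql"]}' if "sql" in ev else ev["event"]
        rows.append((ev["ts"].isoformat(), ev["user"], desc))
    return rows


def destructive_queries(log_text):
    """Events whose SQL begins with a destructive keyword: (user, host, time)."""
    return [(ev["user"], ev["host"], ev["ts"].isoformat())
            for ev in events(log_text)
            if ev.get("sql", "").lstrip().upper().startswith(DESTRUCTIVE)]
```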

Securing databases and servers with StrongDM

Tackling the cloud security challenges mentioned above is easier said than done, and a solution like StrongDM can greatly simplify the security, logging and auditing of your servers and databases.  Here are the implementation steps at a high level:

Set up the StrongDM client

Once you have your StrongDM account set up, log in and download the client software to your management workstation.

Acquire necessary access

You will need administrator-level access to the networks, databases and servers you want to secure.  Typically, in a Microsoft Windows Active Directory environment, this is an account that has membership in the Domain Admins group.  Your databases might be Active Directory integrated as well, but they commonly use independent sets of administrative credentials. You might also wish to create a new administrative credential (called “StrongDM” for example) to use with StrongDM.  This can help simplify installation and administration, and also makes this special administrative account easy to identify when you’re looking through logs.

Provision a Linux server

To use StrongDM, you will also need to install a Linux server to host the StrongDM gateway.  Select a virtual server instance with at least two CPUs and 4 GB of memory. As an example, something in the AWS T2 family should work, but any cloud host will suffice.  If you’ve never built a cloud Linux server before, our step-by-step tutorial on building a bastion host will help get you started with the necessary commands to deploy, update and start securing the server.

Create the StrongDM gateway

  1. In the StrongDM Admin UI, select the Relays tab and click Add Gateway.  
  2. Provide the public IP of your Linux server.  Also define the “bind IP,” which can be to represent all interfaces.  
  3. Click Create, and save the one-time use token that appears - you will need it later in the install.
  4. Log in to your Linux host and disable SELinux.
  5. Use the following commands to download, unzip and install the StrongDM relay:

  curl -J -O -L https://app.strongdm.com/releases/cli/linux
  unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
  sudo ./sdm install --relay

  6. You will be prompted to supply the relay token you received in step 3.
  7. Once the install completes, re-enable SELinux (if you previously disabled it).
  8. Log in to the StrongDM Admin UI again and refresh your browser.  Under the Relay section you should see the new gateway you created with a status of Online.

Connect your datasources

Next, you will connect a database (called a “datasource”) following these steps:

  1. Ensure the datasource is accessible from your gateway server.
  2. Inside the StrongDM portal, click the Datasources tab and click Add Data Source.  You will then need to provide:
  • Display name - the name that will appear for users who have access to this datasource
  • Type of datasource - such as MySQL, SQL Server, PostgreSQL, etc.
  • Database port
  • Database credentials
  3. Click Create, and the new datasource should show up in the StrongDM portal.

Query the datasource

Now you should be able to query your datasource in the StrongDM portal:

  1. Click the Users tab.
  2. Select your username, then select your datasource from the Datasources tab.
  3. Open the StrongDM client on your local machine, log in with your credentials, and the datasource you created should appear.
  4. Click the datasource and look for a green lightning bolt, which indicates a connection has been properly made between the StrongDM client and datasource.
  5. Open your database client (such as Postico) and create a new connection with the host and port you assigned in your StrongDM client.  Leave the username and password blank, as authentication happens transparently through StrongDM.
  6. Click Connect, and you are now ready to run your first query.

With so much of our critical infrastructure and sensitive data living in the cloud, it’s important to have a solid grasp of who is accessing this sensitive information, what changes are being made to systems, and when.  To gain this deep level of visibility, you can go the DIY route and piece together the necessary software and services to get the job done. Or, consider StrongDM for a turnkey solution aimed at getting you up and running quickly and easily.

You can try StrongDM right now with a free, 14-day trial or schedule a demo to speak with someone on the team.

About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.
