Conformity
Top 10 Azure Cloud Configuration Mistakes
Trend Micro Research determined the top 10 Azure services with the highest misconfiguration rates.
Misconfigurations remain the biggest threat to cloud environments, and with digital transformation continuing to accelerate, it is critical to mitigate risks before malicious actors exploit them. Manually checking all services, applications, and tools is time-consuming and overwhelming; it’s no wonder human error is the main cause of misconfigurations.
Automating misconfiguration checks is a savior. Not only does it save time, reduce errors, and streamline compliance, but it also helps you hold up your end of the shared responsibility model. With all this taken care of, security teams can breathe a little better, and developers are free to build with the agility required by today’s world. However, if you’re not using a security solution with automated scans, knowing which Azure services are most at risk is a good starting point for remediating misconfigurations.
That’s why Trend Micro Research analyzed data gathered through Trend Micro Cloud One™ – Conformity within a one-year period (June 30, 2020 to June 29, 2021) to determine the top 10 Azure services with the highest misconfiguration rates regarding the implementation of Conformity rules.
Top 10 Azure services with the highest misconfiguration rates
To determine the top 10 misconfigurations, we looked at the Azure services with the greatest number of Conformity checks. These checks are the result of the Conformity rules scanned or run against our Conformity customers’ configuration of infrastructures or resources. A single cloud service can have numerous Conformity rules regularly scanning it to check for vulnerabilities and risks. These scans will subsequently result in checks. Each Conformity rule comes with a corresponding implementation, and the checks that run against the rules determine the success or failure of these implementations.
It should be noted that the number of checks does not represent the level of misconfiguration or the risk level of a particular service. Conformity users can choose to run a few or numerous checks simultaneously against their infrastructures and resources.
Next, we highlighted their respective misconfiguration rates, as shown in Figure 1. This is the percentage of rules found to be unsuccessfully implemented after a scan.
Top misconfigured rules for Azure services
Let’s look at three top misconfigured services for Azure and the Conformity rule for that service with the highest misconfiguration rate.
Service: Azure Activity Log
Rule(s): “Create alert for ‘delete PostgreSQL database’ events” and “Create alert for ‘create/update PostgreSQL database’ events”
The top misconfigured rules for Azure Activity Log are related to PostgreSQL, a fully managed database-as-a-service platform. “Create alert for ‘delete PostgreSQL database’ events” and “Create alert for ‘create/update PostgreSQL database’ events” both have a high misconfiguration rate of 99.10%.
When improperly configured, PostgreSQL databases can be abused for cryptocurrency mining, as in the PGMiner botnet operation discovered in 2020. It’s essential for users to regularly check the Azure Activity Log, as it provides data that pertains to configuration changes. Accurately collecting and analyzing Azure Activity Log data can enable users to keep an eye out for potentially malicious activity across their systems.
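One way to check for the two alerts offline, added here as an example that is not Trend Micro or Conformity code. It assumes the alert list has been exported in the shape printed by `az monitor activity-log alert list`, and that the two rules correspond to the ARM operations `Microsoft.DBforPostgreSQL/servers/delete` and `Microsoft.DBforPostgreSQL/servers/write`; the subscription ID, action group and alert names are constructed.

```python
import json

# Assumption: ARM operation names taken to correspond to the two rules above.
REQUIRED_OPERATIONS = {
    "microsoft.dbforpostgresql/servers/delete": "delete PostgreSQL database",
    "microsoft.dbforpostgresql/servers/write": "create/update PostgreSQL database",
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
GROUP = SUB + "/resourceGroups/rg/providers/microsoft.insights/actionGroups/secops"

def _alert(name, operation, enabled=True, groups=(GROUP,)):
    """Build a constructed alert shaped like `az monitor activity-log alert list` output."""
    return {
        "name": name, "enabled": enabled, "scopes": [SUB],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": operation}]},
        "actions": {"actionGroups": [{"actionGroupId": g} for g in groups]},
    }

# Constructed sample: one working alert, one disabled, one with nobody to notify.
SAMPLE_ALERTS = [
    _alert("pg-delete", "Microsoft.DBforPostgreSQL/servers/delete"),
    _alert("pg-write-disabled", "Microsoft.DBforPostgreSQL/servers/write", enabled=False),
    _alert("pg-write-no-action", "Microsoft.DBforPostgreSQL/servers/write", groups=()),
]

def alert_operation(alert):
    """Return the lower-cased operationName an alert matches on, or None."""
    for clause in (alert.get("condition") or {}).get("allOf") or []:
        if str(clause.get("field", "")).lower() == "operationname":
            return str(clause.get("equals", "")).lower()
    return None

def is_effective(alert):
    """An alert only counts if it is enabled, scoped, and notifies an action group."""
    groups = (alert.get("actions") or {}).get("actionGroups") or []
    return bool(alert.get("enabled") and alert.get("scopes") and groups)

def missing_alerts(alerts):
    """List the required events that no effective alert covers."""
    covered = {alert_operation(a) for a in alerts if is_effective(a)}
    return sorted(label for op, label in REQUIRED_OPERATIONS.items() if op not in covered)

if __name__ == "__main__":
    print(json.dumps(missing_alerts(SAMPLE_ALERTS), indent=2))
```

An alert that exists but is disabled, or that has no action group attached, is reported as missing because it would never notify anyone.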
Service: Azure Virtual Machines (VM)
Rule(s): “Install approved extensions only” and “Enable automatic OS upgrades”
With a misconfiguration rate of 100%, “Install approved extensions only” and “Enable automatic OS upgrades” are (unsurprisingly) the top misconfigured rules for Azure VM. When vulnerable extensions are used in Azure environments, they can lead to elevation of privilege and remote execution attacks. Recently, malicious actors abused the Azure OMIGOD vulnerabilities in the Open Management Infrastructure (OMI) framework used by several Azure VM management extensions. Microsoft has since issued extension updates for these vulnerable extensions.
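Both VM rules can be checked against an exported resource inventory, shown here as an added example that is not Trend Micro or Conformity code. It assumes resources in ARM shape (extensions carry `properties.publisher` and `properties.type`) and that the automatic OS upgrade setting is read from a scale set's `upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade`; the allowlist, resource names and the `Example.Vendor` publisher are constructed.

```python
# Constructed allowlist of approved (publisher, type) pairs, lower-cased.
APPROVED = {
    ("microsoft.azure.monitor", "azuremonitorlinuxagent"),
    ("microsoft.azure.extensions", "customscript"),
}

def _ext(name, publisher, ext_type):
    """Build a constructed extension resource in ARM shape."""
    return {"name": name, "properties": {"publisher": publisher, "type": ext_type}}

# Constructed inventory (assumed ARM resource shape, not data from the article).
SAMPLE_INVENTORY = [
    {"type": "Microsoft.Compute/virtualMachines", "name": "web-01",
     "resources": [
         _ext("monitor", "Microsoft.Azure.Monitor", "AzureMonitorLinuxAgent"),
         _ext("legacy-agent", "Example.Vendor", "LegacyAgent")]},
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "name": "api-vmss",
     "properties": {
         "upgradePolicy": {"automaticOSUpgradePolicy": {"enableAutomaticOSUpgrade": False}},
         "virtualMachineProfile": {"extensionProfile": {"extensions": [
             _ext("bootstrap", "Microsoft.Azure.Extensions", "CustomScript")]}}}},
]

def _is_scale_set(res):
    return res.get("type", "").lower() == "microsoft.compute/virtualmachinescalesets"

def _extensions(res):
    """Scale sets nest extensions in the VM profile; single VMs list them in `resources`."""
    if _is_scale_set(res):
        profile = res.get("properties", {}).get("virtualMachineProfile", {})
        return profile.get("extensionProfile", {}).get("extensions", [])
    return res.get("resources", [])

def audit(inventory):
    """Return (resource, finding, detail) tuples for both rules."""
    findings = []
    for res in inventory:
        for ext in _extensions(res):
            props = ext.get("properties", {})
            key = (str(props.get("publisher", "")).lower(), str(props.get("type", "")).lower())
            if key not in APPROVED:  # unknown or missing publisher/type fails closed
                findings.append((res["name"], "unapproved-extension", ext.get("name")))
        if _is_scale_set(res):
            policy = res.get("properties", {}).get("upgradePolicy", {})
            auto = policy.get("automaticOSUpgradePolicy", {})
            if auto.get("enableAutomaticOSUpgrade") is not True:
                findings.append((res["name"], "automatic-os-upgrade-disabled", None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```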
How can organizations prevent misconfigurations in the cloud?
For organizations looking to prioritize digital transformation, all roads lead to cloud adoption. And while cloud service providers (CSPs) generally do a good job of securing the infrastructure of the cloud services they offer, users must understand it’s their responsibility to correctly configure the services.
Here are some security recommendations for keeping misconfigurations and threats at bay:
- Principle of least privilege: Only give users the necessary access or permission (such as admin or root privilege) that they need to operate. If a user with admin access becomes compromised, a malicious actor can go on to compromise the entire network. By limiting the number of people with admin and root privileges, the risk of compromise effectively becomes lower.
- Adhere to the shared responsibility model: When users understand the operational tasks that they’re responsible for (such as monitoring, upkeep, and patching), the risk of misconfigurations occurring is minimized. Azure provides guidance explaining the shared responsibility model to its users.
- Educating and training team members: It’s vital for team members to understand their responsibilities regarding security. From identifying unsecure practices to promptly reporting security issues, everyone should be educated and trained on which threats and misconfigurations to watch out for.
- Creating and implementing security policies, standards, and procedures: Policies pertaining to the use of open-source components, remote access, password creation and management, encryption and decryption, and database management should be created and strictly enforced.
Next steps
Knowing which Azure services are commonly misconfigured enables DevSecOps teams to customize automated Conformity scans, ensuring they’re continually checking for misconfigurations on Azure services in their infrastructure. This helps prove compliance and governance without tedious manual tasks, allowing developers to build securely with few interruptions.
Conformity is one of 7 solutions comprising the Trend Micro Cloud One™ security services platform for organizations building in the cloud. It delivers flexible and scalable all-in-one security that helps DevOps and security engineers securely build and innovate as they migrate to and build in the cloud.
Looking to audit your environment to see how you hold up? Sign up for a free, 30-day Trend Micro Cloud One trial today.