Implement Zero Trust on the cloud | Microsoft's embarrassing data exposure
CyberInsights #111 - Zero Trust on the Cloud | 38 TB of MS data inadvertently exposed
How do you implement Zero Trust Architecture (ZTA) in the cloud?
Cloud native, micro services driven applications require new thinking on Zero Trust
The concept is deceptively simple — Trust nothing.
Modern networks and applications are complex behemoths: an interconnected web of connections. In 2020, NIST released NIST SP 800-207, a standard explaining the basics of Zero Trust and the components of a Zero Trust Architecture. [LINK]
I wrote an explainer of it then which was published by CISO-MAG. [LINK]
Three years on, NIST has released an add-on, NIST SP 800-207A. It focuses on designing a zero trust framework for cloud-native environments. [LINK]
This document focuses on hybrid environments.
The red parts of the diagram mark the 'edges' between different parts of the application, where policies are deployed for trust management.
Take Action:
For Security Architects - If you are working with applications in cloud-native or hybrid environments, this document will help you build and deploy zero trust for your application.
If you are into threat modelling, you will find multiple tips to help you identify and control trust boundaries. Technically, zero trust and threat modelling go hand in hand.
38 Terabytes of confidential data exposed by Microsoft AI researchers
It was an embarrassingly simple blunder.
Riddle: What does it take to steal 38 Terabytes of confidential data?
Ans: An Azure storage bucket with generous permissions.
When Microsoft AI researchers wanted to publish open source training data for their models, they ended up publishing the entire bucket, which held 38 TB of confidential data. [LINK] It makes you want to cry at the joke: “I’m more worried about natural stupidity than artificial intelligence.”
An excerpt:
"In addition to the overly permissive access scope, the token was also misconfigured to allow "full control" permissions instead of read-only," Wiz researchers Hillai Ben-Sasson and Ronny Greenberg said. "Meaning, not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well."
Take Action:
Microsoft took action by expanding its secret scanning service to include SAS tokens. SAS (Shared Access Signature) tokens are what Azure uses to share access to its storage buckets.
If you are a cloud security administrator, ensure that you have a mechanism to manage and track access tokens.
If you are the CISO, deploy a service that can scan your code base for inadvertent exposures, such as passwords or access tokens committed to public repos. These services are ‘secret scanning services’ and come at an additional cost. The cost might be worth it if you have that kind of exposure.
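The two defects in the excerpt above, an overly broad access scope and "full control" instead of read-only permissions, are both visible in the query string of a SAS URL, so a scanner that finds such a token in a repo can also grade it. The following audit function is an added example, not Microsoft's or Wiz's code; the URLs and the 7-day lifetime threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Only "r" (read) and "l" (list) are read-only; any other letter in "sp" grants
# some form of write, delete or management capability.
READ_ONLY = {"r", "l"}

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2023, 9, 20, tzinfo=timezone.utc)


def audit_sas_url(url: str, now: datetime = NOW, max_lifetime_days: int = 7) -> list[str]:
    """Return a list of findings for a SAS URL; an empty list means nothing flagged."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q:
        return ["no SAS signature (sig) present: not a SAS URL"]
    findings = []
    extra = set(q.get("sp", "")) - READ_ONLY
    if extra:
        findings.append(f"permissions {q['sp']!r} go beyond read-only: {''.join(sorted(extra))}")
    # Account SAS: "srt" lists resource types (s=service, c=container, o=object).
    if set(q.get("srt", "")) & {"s", "c"}:
        findings.append(f"resource types {q['srt']!r} cover whole containers or the service")
    # Service SAS: "sr=c" scopes the token to an entire container rather than one blob.
    if q.get("sr") == "c":
        findings.append("scope is a whole container, not a single blob")
    if len(q.get("ss", "")) > 1:
        findings.append(f"account SAS spans several services: {q['ss']!r}")
    se = q.get("se")
    if se is None:
        findings.append("no expiry (se) set")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry - now > timedelta(days=max_lifetime_days):
            findings.append(f"expiry {se} is more than {max_lifetime_days} days away")
    return findings


# Constructed sample tokens (signatures are placeholders, not real values).
PERMISSIVE_URL = ("https://example.blob.core.windows.net/?sv=2021-06-08&ss=bfqt&srt=sco"
                  "&sp=rwdlacupiytfx&se=2051-10-09T00:00:00Z&sig=CONSTRUCTED")
READ_ONLY_URL = ("https://example.blob.core.windows.net/public/dataset.tar?sv=2021-06-08"
                 "&sr=b&sp=r&se=2023-09-25T00:00:00Z&sig=CONSTRUCTED")

if __name__ == "__main__":
    for name, url in (("permissive", PERMISSIVE_URL), ("read-only", READ_ONLY_URL)):
        print(name, audit_sas_url(url) or ["ok"])
```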