By Thyaga Vasudevan
VP of Product Management, Skyhigh Security

Dubbed “BlueBleed,” a recent Microsoft breach discovered by threat intelligence provider SOCRadar sheds light on the risks of misconfigured cloud storage buckets and demonstrates that companies cannot totally rely on Cloud Service Providers (CSPs) to provide and assume responsibility for security assurance. Misconfiguration errors continue to be a prevailing cause of breaches, according to the Verizon 2022 Data Breach Investigations Report, which shows that they were the cause of 13% of the past year’s breaches. Since misconfigurations are a result of human error, it should be assumed that no CSP is entirely secure.

What happened

In its October 19th response, Microsoft Security Response Center (MSRC) said that it had an “unintentional misconfiguration” that led to the “potential for unauthenticated access” of customer data, which the organization says contained “names, email addresses, email content, company names, and phone numbers and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.” The MSRC provided no further details regarding the number of companies affected and apparently downplayed the incident.

According to SOCRadar, in a next-day follow-up to the original post, the breach involved six large cloud buckets consisting of sensitive data belonging to 150,000 companies in 123 countries. The largest of those misconfigured buckets contained 2.4 TB of data belonging to 65,000 entities in 111 countries.

On October 20, well-known cybersecurity researcher Kevin Beaumont reported that the Microsoft bucket had been publicly indexed and readable for months by services such as Grayhat Warfare. He claimed that MSRC’s official statement shows it had “no idea how cybersecurity works in the real world” and that its apparent failure to notify regulators and refusal to tell customers what data was taken has the “hallmarks of a major botched response.”

An October 21 article by The Hacker News reports: “There is no evidence that the information was improperly accessed by threat actors prior to the disclosure,” but goes on to note that such leaks could be exploited for malicious purposes.

Why it matters

The leaked data could include some sensitive information about the infrastructure and network configuration of Microsoft’s customers and potential customers. Hackers looking for vulnerabilities in any one of the affected organizations’ infrastructures might find this data valuable and could use it to exploit their networks.

What you can do about it

Start by recognizing that CSPs have the potential to increase your organization’s attack surface. You should carefully review your Service Level Agreement (SLA) with your CSP to understand who is responsible for what and to clarify the responsibilities of each party. This is typically outlined in a Shared Responsibility Model, a security and compliance framework that breaks down the security responsibilities for every aspect of the cloud environment. This includes hardware, infrastructure, endpoints, data, configurations, settings, operating system, network controls, and access rights. In practice, both the CSP and customer play a role in ensuring security, but there are certain assets that one party has direct control and full responsibility over, as the other party would have no visibility into those assets. This shared security model is complex but offers the benefits of efficiency, enhanced protection, and expertise.

Security tasks and functions will vary depending on the cloud service delivery model: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS). While IaaS and PaaS environments provide customers with greater choice and flexibility, they also present greater security risks if not properly configured.

According to Cloud-Native: The Infrastructure-as-a-Service Adoption and Risk Report, 99% of IaaS misconfigurations go unnoticed. Security Service Edge (SSE) helps security professionals catch risky configurations before they become a threat in production. By highlighting security findings before they become security incidents, SSE can also help improve compliance with regulatory frameworks and reduce the likelihood of data loss, abuse, or fines associated with improper security controls.

Time will tell what will become of the BlueBleed leak. If you don’t want to risk being affected by such breaches, Skyhigh’s Security Service Edge technology can help. Its unique data-aware CSPM capabilities allow customers to detect misconfigurations and help to point out those critical areas in the Public Cloud infrastructure containing sensitive data that are most vulnerable to data leaks.