For the most part, banks were standing safely on the sidelines last week when Microsoft delivered security vulnerability notices to its Azure cloud computing clients.
The Redmond, Washington, company warned of separate security vulnerabilities related to an Azure database and the Power Apps portal, both discovered by security researchers the past few months and reportedly fixed before any data could be stolen.
In the case of Azure, researchers discovered easy access to keys that opened databases. The PowerApps portal was allowing anyone working on an app to potentially access databases other than their own.
No financial services firms were directly affected by exposure to these infrastructure flaws. Those listed as Azure customers on the Microsoft website, most notably Liberty Mutual and the financial tech provider Finastra, declined to comment.
London-based Metro Bank is listed as a Power Apps client, but it cited bank policy in not speaking publicly about security incidents or actual breaches. Metro Bank has about $31 billion of assets.
"At Metro Bank, we continuously scan our systems for potential vulnerabilities in order to respond as fast as possible to reports of newly discovered issues," a bank spokesman said.
Still, the notices provided another not-so-subtle warning to banks about cloud configurations that could be exploited to gain access to seemingly protected databases.
Because banks continue to transition parts of legacy systems to cloud-based services, they increasingly operate or integrate with the top cloud providers, mainly Amazon Web Services, Microsoft Azure and Google Cloud.
"With many firms using the same suppliers, the financial sector faces an additional challenge of concentration risk," said Teresa Walsh, global head of intelligence for the Financial Services Information Sharing and Analysis Center, a cyber risk prevention industry consortium in Reston, Virginia.
Walsh sees the need for thorough network oversight and an understanding of how the cloud companies monitor their systems.
"Financial firms are actively investing in strengthening both third-party due diligence and operational resiliency," Walsh said. Such attention affords the ability to stay in operation "even in the face of a cybersecurity incident such as one stemming from a supply chain attack," she said.
Financial institutions have to establish a zero-trust mindset, create a process for managing third-party risk and deploy risk-monitoring services to assess risks from vendors, Walsh added. A zero-trust mindset is one in which all users, inside and outside an organization’s network, are authenticated, authorized, and continuously validated before being granted or allowed to maintain access to applications and data.
Microsoft’s security warnings
Citing a flaw in its Azure central database Cosmos, Microsoft informed thousands of its clients that access keys to their databases stored on Azure had been left in the open for the past two years.
A research team at security company Wiz that was conducting a check of the system for Microsoft discovered the key-access vulnerability. Microsoft sent out a security alert that encouraged Azure clients’ tech teams to create new keys. As another security layer, Microsoft says only clients can change their own keys.
Microsoft’s other security notice was directed at the government entities and private companies using Microsoft Power Apps, an Azure-based service in which developers can easily build professional applications.
An analyst at the security firm UpGuard found a faulty data application programming interface that led to more than 1,000 apps in the Power Apps portal being susceptible to anyone who would request access to data and personal records.
In both cases, security researchers worked with Microsoft under its vulnerability disclosure program.
Microsoft assured its customers it reacted quickly to both vulnerabilities — the access to keys in Azure and the misconfigured API in Power Apps — that allow unauthorized users into secured databases.
"We fixed this issue immediately to keep our customers safe and protected," a Microsoft spokesman said.
Microsoft also reiterated it did not find any evidence the security gap was "exploited by malicious actors."
Where banks should be wary
Microsoft said it is working with Power Apps customers to ensure they are using the right privacy settings.
The primary portal designer Microsoft provides for developers of Power Apps, Design Studio, comes with strong privacy default settings, the company said.
It's not likely the Cosmos and Power Apps security gaps would come into play often at the same time.
"While it's possible to hook Cosmos database up to Power Apps, that's a design choice rather than some inherent part of Power Apps," Nigel Thorpe, technical director at SecureAge Technology, a data protection provider in Singapore. "The important thing is to avoid using any default security settings without understanding what the implications are."
The problem with Power Apps, Thorpe said, is that it is designed so that it can be used by newbie or inexperienced developers “who are less likely to understand the implications of default settings."
For banks, this is the most recent reminder of the risks of storing data in the cloud. Federal banking regulators last May warned about
That regulatory notice came on the heels of a
This time, the Microsoft alerts did not involve breaches.
"This is embarrassing for Microsoft, but not an issue, though this could trigger data breach disclosures for some Cosmos customers and Power Apps customers," said Tari Schreider, senior analyst with the cybersecurity practice at Aite-Novarica Group. "All in all, these were near misses."
Schreider confirmed there appears to be no impact on financial institutions based on the types of customers potentially affected. Still, she said tech providers, security firms and financial institutions all have to take into account that "misconfigurations in cloud infrastructure are a huge problem."
Security flaws of this nature have led to data breaches in the past, such as the
"It's as if the back door was open and no one came in," Schreider said. "And now the door is closed."
