Misconfigured cloud storage services are common in the vast majority of cloud deployments, with the issue expected to exacerbate, according to new analysis.
The finding comes from security provider Accurics, whose latest State of DevSecOps Report found that misconfigurations were found in 93% of cloud deployments analysed, with the majority having at least one network exposure where a security group was left wide open.
Most worrying is that many emerging misconfigurations are simple. The report bemoaned that the past few months had seen ‘the usual slew of cloud data breaches’ observed, such as the compromise of storage services leading to 845 GB of personal information from eight popular dating apps being exposed.
Other emerging problem areas are becoming apparent. In spite of the broad availability of tools such as HashiCorp Vault and AWS Key Management Service, hardcoded private keys appeared in almost three quarters (72%) of deployments analysed. Unprotected credentials stored in container configuration files were found in half of these deployments.
“Organisations are leveraging a variety of security capabilities built into cloud platforms as well as implementing a number of third party cloud security tools,” the report noted. “However, most security controls are implemented in runtime to detect exposures.
“The only way to reduce such exposures is to detect and resolve policy violations earlier in the development lifecycle and ensure that cloud-native infrastructure is provisioned securely to begin with,” the report added.
The report advocates the codifying of policy checks, called Policy as Code, into development pipelines, as organisations move towards Infrastructure as Code (IaC). Policy as Code ‘should be implemented to ensure that obvious best practices are employed such as encrypting databases, rotating access keys, and implementing multi-factor authentication,’ the report said. ‘However, automated threat modeling is also necessary to determine if changes such as provilege increases and route changes create breach paths in a cloud deployment.’
Another more emergent practice organisations should adopt is Remediation as Code, which is related to automation. Once a risk is detected, the code to fix the issue is automatically generated and sent to the developer, who needs to simply review and accept the change. Accurics said initial work here was ‘extremely encouraging’, with 80% of risks addressed without further input from the developer.
“While the adoption of cloud-native infrastructure such as containers, serverless, and servicemesh is fuelling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organisations,” said Om Moolchandani, co-founder and CTO of Accurics. “As cloud infrastructure becomes increasingly programmable, we believe that the most effective defence is to codify security into development pipelines and enforce it throughout the lifecycle of the infrastructure.
“The receptiveness of the developer community toward assuming more security responsibility has been encouraging and a step in the right direction,” Moolchandani added.
Writing for this publication earlier this month, regular contributor Louis Columbus advocated greater security practices baked in to DevOps initiatives. “DevOps and security teams need to leave one-time gating inspections in the past and pursue a more collaborative real-time framework to achieve their shared compliance, security and time-to-market goals,” he wrote.
“Traditional approaches to DevOps teams collaborating with security aren’t working today and product releases are falling behind or being rushed to market leading to security gaps as a result.”
You can read the Accurics report here (email required).
Photo by Matthew T Rader on Unsplash
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.
