One in Four Cloud Violations Due to Poor Security Configurations: Accurics

essidsolutions

Accurics reports that poorly configured managed cloud services account for nearly a quarter of the cloud security violations it observed, exposing development pipelines and other sensitive services to the internet. The California-based company has a few recommendations for organizations on reducing cloud security risks and ensuring compliance.

A report from cloud security company Accurics highlights the need for a shift-left approach to securing cloud environments. The company warns that the risks it identified in the cloud environments organizations rely on can expose them to wide-scale attacks such as last year's SolarWinds hack, and that building security into DevOps can help reduce such risks.

Accurics’ Cloud Cyber Resilience Report identified several classes of security violations in cloud environments, nearly a quarter (22.5%) of which were caused by poor configuration of managed service offerings. Most of these violations exist because organizations fail to restrict or update default security profiles and configurations, leaving threat actors a path to excessive permissions on cloud resources.

Jon Jarboe, a developer advocate at Accurics, said, “Default configurations for managed services are often designed to make it easier for developers to get started with a service — meaning that they favor more permissive, rather than more restrictive, access. By using these defaults in normal use, organizations are making it easier for attackers to discover their services, read their data, and potentially modify things.”

A majority of the violations involve infrastructure managed by cloud service providers (CSPs) for CI/CD services (Azure DevOps, AWS CodePipeline, etc.), messaging services (AWS SNS, Azure Service Bus, etc.) and FaaS (Google Cloud Functions, AWS Lambda, Azure Functions, etc.). It is also noteworthy that 10% of organizations pay for advanced security capabilities that are never enabled.

“Cloud native apps and services are more vital than ever before, and any risk in the infrastructure has critical implications. Our research indicates that teams are rapidly adopting managed services, which certainly increase productivity and maintain development velocity,” said Accurics co-founder, CTO & CISO Om Moolchandani.

“However, these teams unfortunately aren’t keeping up with the associated risks – we see a reliance on using default security profiles and configurations, along with excessive permissions. Messaging services and FaaS (Function as a Service) are also entering a perilous phase of adoption, just as storage buckets experienced a few years ago. If history is any guide, we’ll start seeing more breaches through insecure configurations around these services.”

On the other hand, Kubernetes (the open-source container-orchestration platform) packages and repositories from Bitnami, HashiCorp, Jenkins, Harbor and AWS have significantly fewer violations. Of those that do occur, almost half (47.9%) are due to insecure defaults, 26% to insecure secrets management, 17.8% to poor resource management and 8.2% to misconfigured containers.

What’s more, the mean time to remediate (MTTR) identified policy violations is an alarming 25 days. According to Accurics, the gap between production and pre-production cloud environments is also significant: violations in production are fixed in five days on average, versus 51 days in pre-production.


Findings

  • 35% of organizations with Kubernetes infrastructure fail to define roles at the proper granularity and end up with a few roles carrying too many permissions, which amounts to a failed role-based access control (RBAC) implementation.
  • Over 35% of the Identity and Access Management (IAM) drifts detected in Accurics’ report are rooted in Infrastructure as Code (IaC). This is the first time the pattern has been observed in production environments, which indicates that IAM as Code is seeing rapid adoption.
  • Although the average MTTR is 25 days, the most critical parts of the infrastructure often take the longest to fix: the longest recorded MTTR for a violation is 149 days, for application load balancer (ALB) and elastic load balancing (ELB) resources. Since all user-facing traffic flows through these resources, they should ideally be fixed the fastest, not the slowest. The longest MTTR for drifts was 21 days.
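The RBAC finding above (a few roles carrying too many permissions) is the kind of thing a Policy as Code gate can catch before a manifest ever reaches a cluster. The following is an added example, not code from the Accurics report or product: a stand-alone Python check that reads Role and ClusterRole objects in the JSON shape `kubectl get roles,clusterroles -A -o json` produces and flags wildcard verbs or resources, privilege-escalation verbs (`bind`, `escalate`, `impersonate`) and cluster-wide read access to Secrets. The manifest it runs on by default is constructed for the example; the rule names and the severity choices are assumptions, not an industry standard.

```python
"""Policy-as-Code check for Kubernetes RBAC manifests (added example).

Flags Roles and ClusterRoles whose rules are broader than a least-privilege
policy allows: wildcard verbs or resources, privilege-escalation verbs
(bind, escalate, impersonate) and cluster-wide read access to Secrets.
Meant to run as a CI gate over `kubectl get roles,clusterroles -A -o json`
or over a chart's rendered manifests; the sample below is constructed.
"""
import json
import sys

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def check_rule(rule, cluster_scoped):
    """Return human-readable violations for a single RBAC PolicyRule."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    findings = []
    if "*" in verbs:
        findings.append("wildcard verb '*'")
    if "*" in resources:
        findings.append("wildcard resource '*'")
    escalation = verbs & ESCALATION_VERBS
    if escalation:
        findings.append("privilege-escalation verb(s) %s" % sorted(escalation))
    # Reading Secrets is normal inside one namespace but rarely justified
    # cluster-wide, so only ClusterRoles are flagged for it.
    if cluster_scoped and "secrets" in resources and verbs & SECRET_READ_VERBS:
        findings.append("cluster-wide read access to Secrets")
    return findings


def evaluate(objects):
    """Evaluate RBAC objects; return a list of (kind, name, violation)."""
    results = []
    for obj in objects:
        kind = obj.get("kind")
        if kind not in ("Role", "ClusterRole"):
            continue  # bindings, subjects etc. are out of scope here
        name = obj["metadata"]["name"]
        for rule in obj.get("rules", []):
            for finding in check_rule(rule, cluster_scoped=(kind == "ClusterRole")):
                results.append((kind, name, finding))
    return results


def load_objects(text):
    """Accept either a single object or a kubectl `List` document."""
    doc = json.loads(text)
    if doc.get("kind") == "List":
        return doc.get("items", [])
    return [doc]


# Constructed sample: one over-broad ClusterRole, one CI role that can bind
# and read all Secrets, and two properly scoped namespaced Roles.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "dev-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "ci-deployer"},
     "rules": [
         {"apiGroups": ["rbac.authorization.k8s.io"],
          "resources": ["clusterrolebindings"], "verbs": ["create", "bind"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "app-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
                "verbs": ["get", "list", "watch"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "secret-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
]})


def main(argv):
    """Usage: rbac_gate.py [manifest.json]; exit 1 when violations exist."""
    text = open(argv[0]).read() if argv else SAMPLE
    violations = evaluate(load_objects(text))
    for kind, name, finding in violations:
        print("%s/%s: %s" % (kind, name, finding))
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to see the four findings on the constructed sample (two on `dev-admin`, two on `ci-deployer`, none on the namespaced Roles); in a pipeline, pass the exported manifest file and let the non-zero exit status fail the job. The namespaced `secret-reader` Role is deliberately allowed through: the point of a policy like this is to reject over-broad grants, not to forbid every legitimate use of a resource.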

Access policy violations, a high MTTR and the report's other findings point to the same outcome: exposure of all or part of production environments, the development process and data to the internet. The software supply-chain attack against SolarWinds and its customers is the most prominent recent example of such an attack, although it remains unclear whether that incident involved a cloud breach.

Attackers should be assumed to always be on the prowl, looking for the sites developers frequent and exploiting any weakness that lets them infiltrate networks and systems to steal data, install malware and so on. To mitigate such attacks (so-called watering hole attacks), organizations need to adopt a shift-left approach to application development, making security part of the development process itself.

Recommendations

Besides adopting a secure-by-default approach to application development in the cloud, Accurics recommends that organizations do the following:

  • Improve communication between Dev, Sec, and Ops teams.
  • Prioritize audits of the runtime environment for lax policies around resource accessibility.
  • Maintain good data hygiene between production and pre-production environments.
  • Leverage IaC for improved repeatability, consistency and speed of provisioning processes.
  • Integrate Policy as Code tools into the development process to automate enforcement of security policy in development pipelines.
  • Use Drift as Code (DaC) capabilities to ensure that IaC stays synchronized with the runtime configuration.
  • Adopt Remediation as Code (RaC), with developer-supervised review and approval, to reduce the MTTR.
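The Drift as Code and Remediation as Code recommendations above come down to one mechanism: diff the state declared in code against the state the cloud API reports, then turn the difference into reviewable actions. The following is an added example, not Accurics' tooling or any vendor's API: a stand-alone Python script that normalizes security-group ingress rules from a declared (IaC) list and an observed (runtime) list, reports rules added or removed at runtime, singles out any runtime-added rule open to the whole internet, and drafts the revoke/authorize actions a reviewer would approve. The rule shape and both rule lists are constructed for the example; a real run would feed in `terraform show -json` output and an `aws ec2 describe-security-groups` snapshot, which is an assumption about the data source, not something the report specifies.

```python
"""Drift-as-Code style check (added example): compare the security-group
ingress rules declared in IaC with the rules observed at runtime, report the
drift, and draft the revocations that would bring runtime back in line.

The rule shape is simplified; a real run would feed in `terraform show -json`
output and an `aws ec2 describe-security-groups` snapshot.  All data below is
constructed for the example.
"""
import ipaddress


def normalize(rules):
    """Canonicalize ingress rules into a set of (proto, from, to, cidr) tuples.

    Runtime APIs and IaC often differ in case and in int-vs-string ports, so
    comparing raw dicts would report drift that is not there.
    """
    canon = set()
    for r in rules:
        net = ipaddress.ip_network(r["cidr"], strict=False)
        canon.add((r["protocol"].lower(), int(r["from_port"]), int(r["to_port"]), str(net)))
    return canon


def is_world_open(rule):
    """True when the rule's source CIDR is 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(rule[3]).prefixlen == 0


def diff_rules(declared, observed):
    """Drift = rules present at runtime but not in code, and vice versa."""
    d, o = normalize(declared), normalize(observed)
    return {"added_at_runtime": sorted(o - d), "removed_at_runtime": sorted(d - o)}


def assess(declared, observed):
    """Return (drift, critical); critical lists runtime-added world-open rules."""
    drift = diff_rules(declared, observed)
    critical = [r for r in drift["added_at_runtime"] if is_world_open(r)]
    return drift, critical


def remediation_plan(drift):
    """Draft revoke/authorize actions; meant for human review, not auto-apply."""
    plan = [("revoke", r) for r in drift["added_at_runtime"]]
    plan += [("authorize", r) for r in drift["removed_at_runtime"]]
    return plan


# Constructed sample: what the IaC declares for a web-tier security group.
DECLARED = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
]
# Constructed sample: what the cloud API reports after someone "fixed" access
# from the console.  SSH is now open to the world and a DB port was added.
OBSERVED = [
    {"protocol": "TCP", "from_port": "443", "to_port": "443", "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.5.0/24"},
]

if __name__ == "__main__":
    drift, critical = assess(DECLARED, OBSERVED)
    print("added at runtime:  ", drift["added_at_runtime"])
    print("removed at runtime:", drift["removed_at_runtime"])
    print("critical:          ", critical)
    for action, rule in remediation_plan(drift):
        print(action, rule)
```

On the constructed input the first observed rule differs from the declared one only in case and port type, so normalization correctly reports no drift for it; the two console-added rules are reported, and SSH from 0.0.0.0/0 is flagged as critical. The remediation plan is returned as data rather than applied, which is the "developer-supervised review and approval" part of the recommendation: a pipeline can open a change request from it, but a human decides whether the runtime rule was an attack, a mistake, or an undocumented requirement that belongs in the IaC.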
