
Most cloud resources drift from secure configuration baseline after deployment – Channel Asia Singapore


Many organisations are automating their cloud infrastructure deployments through code. This allows them to establish a secure configuration baseline early in their DevOps lifecycle, but the security posture of most cloud resources later drifts due to undocumented changes that often remain undetected.

A new study from cloud security company Accurics found that in as many as 90 per cent of cases the configuration of cloud resources was modified by privileged users after deployment.

While many of those changes might have legitimate business reasons, others might be the result of malicious lateral movement activities following compromises. Insecure configurations are the top cause of data breaches involving cloud resources and cloud-hosted data. If they’re not detected and left unaddressed, they can be an easy entry point for attackers.

Infrastructure as code and a false sense of security

According to Accurics, almost a quarter of all configuration changes in cloud environments are now made via code. This is part of a DevOps process known as infrastructure as code (IaC) or continuous configuration automation (CCA) that has seen increased adoption over the past few years.

Most cloud services providers allow customers to provision new resources or cloud instances via machine-readable definition files, or templates, and third-party tools are available that work with multiple clouds.

The data in Accurics’ report comes from customer surveys, CISOs and design partners combined with open-source research and the company’s own telemetry from analysing hundreds of thousands of cloud resources deployed in real-world environments.

When implemented correctly, IaC templates can strengthen security, because they reduce the possibility of human errors that often occur with manual deployments, especially when many settings are involved. They can be part of the process of shifting security to the left and integrating it earlier in the DevOps pipeline.

However, to get those benefits, organisations must ensure that their IaC templates result in cloud resource configurations that follow best practices and comply with various standards. Unfortunately, that’s not always the case.

An analysis by security firm Palo Alto Networks of IaC templates collected from GitHub repositories and other places identified almost 200,000 such files that contained insecure configuration options. Some of the common issues identified included:

  • The absence of encryption and logging for data storage
  • Services like SSH and RDP directly exposed to the internet
  • Credentials that didn’t meet industry minimum standards
  • Containers without CPU or memory resource limiting
  • Cloud storage without secure storage enabled

Accurics found that 67 per cent of the configuration mistakes detected in environments were high-severity risks and included things like open security groups, overly permissive identity and access management (IAM) roles, and exposed cloud storage services.

Over 40 per cent of resources did not meet all the Center for Internet Security (CIS) critical security controls, 18 per cent did not meet PCI-DSS requirements, 19 per cent were in violation of SOC 2 standards, and 10 per cent did not meet HIPAA requirements.

“I think that 24 per cent of configurations being made through code is good,” Sachin Aggarwal, co-founder and CEO of Accurics, tells CSO. “What is not good is that most of this code gets provisioned into the actual running environment without any initial security risk assessment.

“That creates a problem because now you did start on a good journey of creating your DevOps pipeline and getting your infrastructure-as-code in early. Basically, you’re designing your cloud with good intent, but then you’re not doing any security assessment early on in the process where you do have an opportunity to implement and embed security into your code.”
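The two points above, checking IaC definitions for the misconfigurations in the Palo Alto Networks list before provisioning and then detecting post-deployment drift against that baseline, can be shown with a small policy check. The code below is an added example written for this article; it is not code from Accurics, Palo Alto Networks or any cloud provider. It uses a constructed, Terraform-like resource list (field names such as `storage_bucket`, `security_group`, `ingress` and `limits` are hypothetical), flags the issues in the list, and reports which findings appeared only after deployment. The 14-character password threshold is an assumed value, not a figure from the article.

```python
from ipaddress import ip_network

# Ports whose exposure to the whole internet the article's list calls out.
INTERNET_EXPOSED_PORTS = {22: "SSH", 3389: "RDP"}
# Assumed minimum credential length for the "industry minimum" check
# (a stand-in threshold, not a figure from the article).
MIN_PASSWORD_LENGTH = 14


def _is_any_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0 (a /0 prefix), i.e. open to the internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_resource(res):
    """Return a list of finding strings for one resource definition."""
    findings = []
    kind = res["type"]
    if kind == "storage_bucket":
        if not res.get("encryption"):
            findings.append("storage without encryption at rest")
        if not res.get("logging"):
            findings.append("storage without access logging")
        if res.get("public_access"):
            findings.append("storage publicly accessible")
    elif kind == "security_group":
        for rule in res.get("ingress", []):
            if not _is_any_cidr(rule["cidr"]):
                continue  # restricted source range: not an internet exposure
            for port, name in INTERNET_EXPOSED_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"]:
                    findings.append(f"{name} ({port}) open to the internet")
    elif kind == "container":
        limits = res.get("limits", {})
        for key in ("cpu", "memory"):
            if key not in limits:
                findings.append(f"container without {key} limit")
    elif kind == "password_policy":
        if res.get("min_length", 0) < MIN_PASSWORD_LENGTH:
            findings.append(f"password policy below {MIN_PASSWORD_LENGTH} characters")
    return findings


def assess(resources):
    """Map resource name -> findings, omitting resources with none."""
    report = {}
    for res in resources:
        findings = check_resource(res)
        if findings:
            report[res["name"]] = findings
    return report


def drift(baseline, observed):
    """Findings present in the observed state but absent at deployment time."""
    before = assess(baseline)
    after = assess(observed)
    new = {}
    for name, findings in after.items():
        added = sorted(set(findings) - set(before.get(name, [])))
        if added:
            new[name] = added
    return new


# Constructed sample definitions (hypothetical; not real customer data).
# The "api" container already lacks a memory limit at deployment time,
# so that finding is a baseline issue rather than drift.
BASELINE = [
    {"name": "data", "type": "storage_bucket",
     "encryption": True, "logging": True, "public_access": False},
    {"name": "bastion-sg", "type": "security_group",
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    {"name": "api", "type": "container", "limits": {"cpu": "500m"}},
    {"name": "iam-policy", "type": "password_policy", "min_length": 16},
]

# The same resources after undocumented changes by a privileged user.
OBSERVED = [
    {"name": "data", "type": "storage_bucket",
     "encryption": True, "logging": False, "public_access": True},
    {"name": "bastion-sg", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                 {"cidr": "0.0.0.0/0", "from_port": 3389, "to_port": 3389}]},
    {"name": "api", "type": "container", "limits": {"cpu": "500m"}},
    {"name": "iam-policy", "type": "password_policy", "min_length": 8},
]

if __name__ == "__main__":
    print("baseline findings:", assess(BASELINE))
    for name, findings in drift(BASELINE, OBSERVED).items():
        print(f"drift on {name}: " + "; ".join(findings))
```

Running `assess` on the template before provisioning is the pre-deployment risk assessment Aggarwal describes; running `drift` on a periodic export of the live configuration is the part most teams skip, and it is what surfaces the changes the article says usually go undetected. In practice the observed state would come from the provider's API or a state file rather than a hand-built list.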
