As adoption of managed infrastructure services increases, new cloud attack areas arrive with them. According to a new report from Accurics, 23% of all security violations identified relate to poorly configured managed service offerings.
The study, Accurics’ Cloud Cyber Resilience Report, assessed violations and drifts in real-world environments of Accurics users, as well as open source repositories and registries of infrastructure as code (IaC) components.
On average, the research found the mean time to remediate issues (MTTR) for violations is 25 days across all environments. Accurics described this as ‘a luxury’ for potential attackers. For drifts from established secure infrastructure postures, the MTTR is eight days on average.
This is an interesting point of differentiation and one which shows security must be persistently explored. Take the Twilio TaskRouter JS SDK security incident from July. In this instance, the Amazon Web Services (AWS) S3 bucket was configured correctly when added, as far back as 2015, but a configuration change made five months later altered it. This drift went undetected and unaddressed until it was exploited last year.
“Protecting cloud infrastructure requires a fundamentally new approach that embeds security earlier in the development lifecycle and maintains a secure posture throughout,” Accurics noted. “The cloud infrastructure must be continuously monitored in runtime for configuration changes and assessed for risk.
“In situations where configuration change introduces a risk, the cloud infrastructure must be redeployed based on the secure baseline,” the company added. “This will ensure that any risky changes made accidentally or maliciously are automatically overwritten.”
Accurics predicted that as cloud services mature and develop, security issues will continue alongside them. Messaging services and FaaS (function as a service) are in a ‘perilous phase of adoption’, according to Om Moolchandani, Accurics co-founder, CTO and CISO. “If history is a guide, we expect to start seeing more breaches due to insecure configurations around these services,” he added.
So who is responsible for these problems? Accurics argued it is a matter of education, convenience and communication – and ironing out problems across all sides of the business. Misconfigured storage buckets – 15.3% of violations analysed – and hardcoded secrets – almost 10% of violations – are evidently a dev responsibility. The report also noted requirements and policies are not being communicated directly between security, development and operations teams.
Of organisations tested, 10.3% had specifically paid for advanced security features from cloud service providers, but had no environments in which those features had been enabled or configured. Overall, using default settings and roles, as well as struggling to implement least-privilege environments, remain prevalent.
You can read the full study here (pdf, email required).