New report claims 93% of cloud storage services misconfigured

Written by Wed 5 Aug 2020

72 percent of cloud-native deployments contain hardcoded private keys

Cloud-native misconfigurations are rampant and rising bad practices risk exposing cloud resources even further, California-based security vendor Accurics has claimed.

According to the company’s latest cloud security report, Summer 2020: State of DevSecOps, unless emerging cloud-native security challenges are plugged, breaches will “increase in velocity in scale”.

“While the adoption of cloud-native infrastructure such as containers, serverless, and service mesh is fueling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organizations,” said Accurics Co-founder & CTO, Om Moolchandani.

A common blindspot is misconfigured cloud storage services, which Accurics identified in 93 percent of cloud deployments analysed.

In addition, most deployments also had at least one network exposure where a security group was left exposed. Accurics said these two practices were responsible for more than 200 breaches that have taken place over the past two years.

While these two misconfigurations are relatively common and well-documented in the cloud sector, Accurics said a rising trend in poor credential management was leaving sensitive cloud resources even more exposed.

Even though tools like HashiCorp and AWS Key Management Service (KMS) enable cloud staff to store private keys securely, Accurics found hardcoded private keys in 72 percent of deployments. 41 percent were hardcoded keys with elevated privileges.

One in two deployments had stored unprotected credentials in container configuration files. According to CNCF, 84 percent of organisations use containers, painting a pretty damning picture of the state of cloud-native security.

Cloud teams are also increasingly guilty of forgetting about unused resources, which then often escape detection during security checks. 89 percent have “overly permissive” Identity and Access Management (IAM) policies which could expose downstream resources to infiltration, Accurics said.

Accurics said organisations need to move away from relying on runtime security controls to detect exposures and instead detect policy violations earlier in the development lifecycle, by using Infrastructure as Code’s capabilities to codify policy checks into development pipelines.

“Cloud-native infrastructure should be assessed for risk and issues should be mitigated before it is provisioned to ensure a secure initial posture,” reads the report.

The company claimed the attackers that breached CenturyLink, Imperva and Capital One exploited a combination of these misconfigurations, adding the attacks could have been averted with “Policy as Code” implementations that ensured databases were encrypted, access keys rotated, and multi-factor authentication implemented.

“Automated threat modelling is also necessary to determine if changes such as privilege increases and route changes create breach paths in a cloud deployment,” Accurics said, adding that infrastructure should be automatically monitored for changes and code applied that automatically overrides detected misconfigurations.
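The “Policy as Code” approach the article describes (codifying policy checks into the pipeline so that public storage, open security groups, hardcoded keys, wildcard IAM policies and unencrypted databases are rejected before provisioning) can be illustrated with a small pre-deployment gate. The following is an added example and is not code from Accurics or from the report; the Terraform-plan-like JSON schema, the resource types, attribute names and the `secretref://` convention for values pulled from a secrets manager are all assumptions chosen for illustration, and the sample plan is constructed.

```python
"""Policy-as-code gate run over an infrastructure-as-code plan before apply.

Added example; the plan schema below is an assumed, Terraform-plan-like layout,
not any real tool's format.
"""
import json
import re

# Constructed sample plan covering each misconfiguration class in the article:
# a public bucket, an SSH port open to the world, literal secrets in a
# container definition, an Allow-*-on-* IAM policy and an unencrypted database.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "reports", "acl": "public-read"},
        {"type": "storage_bucket", "name": "logs", "acl": "private"},
        {"type": "security_group", "name": "web",
         "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"type": "container_task", "name": "api",
         "environment": {
             "DB_PASSWORD": "hunter2",                       # literal secret
             "SIGNING_KEY": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...",
             "API_TOKEN": "secretref://prod/api-token",      # assumed manager reference
         }},
        {"type": "iam_policy", "name": "ops",
         "statement": [{"effect": "Allow", "action": "*", "resource": "*"}]},
        {"type": "database", "name": "customers", "encrypted": False},
    ]
})

# Value shapes that should never appear literally in configuration.
SECRET_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key ID shape
]
# Variable names that conventionally carry credentials.
SECRET_ENV_NAMES = re.compile(r"(PASSWORD|SECRET|TOKEN|_KEY)$", re.I)
SECRET_REF_PREFIX = "secretref://"  # assumed convention for externalised secrets


def check_storage(res):
    """Flag any storage bucket whose ACL is not private."""
    if res["type"] == "storage_bucket" and res.get("acl", "private") != "private":
        return [("PUBLIC_STORAGE", res["name"], f"acl={res['acl']}")]
    return []


def check_security_group(res):
    """Flag ingress rules open to the whole internet."""
    findings = []
    if res["type"] == "security_group":
        for rule in res.get("ingress", []):
            if rule.get("cidr") in ("0.0.0.0/0", "::/0"):
                findings.append(("OPEN_SECURITY_GROUP", res["name"],
                                 f"port {rule.get('port')} open to {rule['cidr']}"))
    return findings


def check_hardcoded_secrets(res):
    """Flag literal credentials in container environment; manager references pass."""
    findings = []
    if res["type"] == "container_task":
        for key, value in res.get("environment", {}).items():
            value = str(value)
            if value.startswith(SECRET_REF_PREFIX):
                continue
            looks_secret = any(p.search(value) for p in SECRET_PATTERNS)
            if looks_secret or SECRET_ENV_NAMES.search(key):
                findings.append(("HARDCODED_SECRET", res["name"],
                                 f"env {key} carries a literal value"))
    return findings


def check_iam(res):
    """Flag policies that allow every action on every resource."""
    findings = []
    if res["type"] == "iam_policy":
        for st in res.get("statement", []):
            if (st.get("effect") == "Allow" and st.get("action") == "*"
                    and st.get("resource") == "*"):
                findings.append(("OVERLY_PERMISSIVE_IAM", res["name"], "Allow * on *"))
    return findings


def check_encryption(res):
    """Flag databases provisioned without storage encryption."""
    if res["type"] == "database" and not res.get("encrypted", False):
        return [("UNENCRYPTED_DATABASE", res["name"], "storage encryption disabled")]
    return []


CHECKS = [check_storage, check_security_group, check_hardcoded_secrets,
          check_iam, check_encryption]


def evaluate(plan_json):
    """Return a list of (rule, resource, detail) findings for a plan document."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan.get("resources", []):
        for check in CHECKS:
            findings.extend(check(res))
    return findings


def gate(plan_json):
    """Pipeline gate: True only when the plan carries no policy violations."""
    return not evaluate(plan_json)


if __name__ == "__main__":
    for rule, name, detail in evaluate(SAMPLE_PLAN):
        print(f"{rule:24} {name:12} {detail}")
    raise SystemExit(0 if gate(SAMPLE_PLAN) else 1)
```

Run as a pipeline step, a non-zero exit stops the apply, which is the “assess before provisioning” posture the report calls for. Each rule is a small pure function over one resource, so a team can add a rule for key-rotation age or MFA enforcement in the same shape, and the `secretref://` exemption is the point of contact with a secrets manager such as KMS: configuration carries a reference, never the key material itself.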
