Current security practices 'grossly inadequate' for protecting cloud infrastructures - report

Current security practices are grossly inadequate for protecting transient cloud infrastructures, according to new research from security specialists Accurics.

The Accurics State of DevSecOps says current poor security practices are why more than 30 billion records have been exposed through cloud breaches in just the past two years.

The report provides a deep analysis of current cloud security approaches and outlines best practices that organisations should consider as they reevaluate their approach to this critical discipline.

"As cloud stacks become increasingly complex, with new technologies regularly added to the mix, what's needed is a holistic approach with consistent protection across the full cloud stack, as well as the ability to identify risks from configuration changes to deployed cloud infrastructure from a baseline established during development," says Accurics co-founder & chief executive Sachin Aggarwal.

"The shift to infrastructure as code enables this; organisations now have an opportunity to redesign their cloud security strategy and move away from a point solution approach," he says.

The Accurics report reveals that:

Misconfigurations of cloud native technologies across the full cloud native stack are increasing the attack surface and are being exploited by malicious actors.

There is a significant shift towards provisioning and managing cloud infrastructure through code. This offers an opportunity for organisations to embed security earlier in the DevOps lifecycle. However, infrastructure as code is not being adequately secured, thanks in part to the lack of tools that can provide holistic protection.

Even in scenarios where infrastructure as code actually is being governed, there are continuing problems from privileged users making changes directly to the cloud once infrastructure is provisioned. This creates posture drift from the secure baseline established through code.

Accurics' research shows that securing cloud infrastructure in production is not enough. Researchers determined that only 4% of issues reported in production are actually being addressed.

"This is unsurprising since issue investigation and resolution at this late stage in the development lifecycle is challenging and costly," says Aggarwal.

A positive trend identified by the research is that there is a significant shift towards provisioning and managing cloud infrastructure through code to achieve agility and reliability. Popular technologies include Terraform, Kubernetes, Docker, and OpenFaaS. Accurics' research shows that 24% of configuration changes are made via code, which Aggarwal says is encouraging given that many of these technologies are relatively new.

"Infrastructure as code provides organisations with an opportunity to embed security earlier in the development lifecycle. However, research revealed that organisations are not ensuring basic security and compliance hygiene across code," explains Aggarwal.

"The dangers are undeniable: high severity risks such as open security groups, overly permissive IAM roles, and exposed cloud storage services constituted 67% of the issues. This is particularly worrisome since these types of risks have been at the core of numerous high-profile cloud breaches."

The study also shows that even if organisations implement policy guardrails and security assessments across infrastructure as code, 90% of organisations allow privileged users to make configuration changes directly to cloud infrastructure after it is deployed.

"This unfortunately results in cloud posture drifting from the secure baseline established during development," he says.
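The baseline-versus-deployed comparison the report calls for, as an added example (not code from Accurics or from the article): a small Python check that compares a constructed infrastructure-as-code baseline with constructed live state, reports which resources drifted after deployment, and flags any new instances of the three risk classes named above (open security groups, overly permissive IAM roles, exposed storage). Resource names and configuration values are constructed; a real implementation would read the live state from the cloud provider's API.

```python
"""Added example: detect posture drift between an IaC baseline and live cloud
state, and flag new high-severity findings introduced by that drift.
All data below is constructed for illustration."""
from typing import List, Tuple

# Constructed baseline as declared in code (simplified Terraform-like view).
BASELINE = {
    "aws_security_group.web": {"ingress": [("tcp", 443, "10.0.0.0/8")]},
    "aws_iam_role.app": {"actions": ["s3:GetObject"],
                         "resources": ["arn:aws:s3:::app-data/*"]},
    "aws_s3_bucket.app_data": {"acl": "private"},
}

# Constructed live state after a privileged user edited resources by hand.
LIVE = {
    "aws_security_group.web": {"ingress": [("tcp", 443, "10.0.0.0/8"),
                                           ("tcp", 22, "0.0.0.0/0")]},
    "aws_iam_role.app": {"actions": ["*"], "resources": ["*"]},
    "aws_s3_bucket.app_data": {"acl": "public-read"},
}


def risk_checks(name: str, cfg: dict) -> List[str]:
    """Return high-severity findings for one resource (the report's three classes)."""
    findings = []
    for proto, port, cidr in cfg.get("ingress", []):
        if cidr in ("0.0.0.0/0", "::/0"):  # reachable from the whole internet
            findings.append(f"{name}: open security group, {proto}/{port} from {cidr}")
    if "*" in cfg.get("actions", []) or "*" in cfg.get("resources", []):
        findings.append(f"{name}: overly permissive IAM role (wildcard action/resource)")
    if cfg.get("acl", "private") != "private":
        findings.append(f"{name}: exposed storage, acl={cfg['acl']}")
    return findings


def detect_drift(baseline: dict, live: dict) -> Tuple[List[str], List[str]]:
    """Compare live state with the code baseline.
    Returns (names of drifted resources, findings not present in the baseline)."""
    drifted, new_findings = [], []
    for name in sorted(set(baseline) | set(live)):
        if baseline.get(name) != live.get(name):
            drifted.append(name)
            already_known = set(risk_checks(name, baseline.get(name, {})))
            for finding in risk_checks(name, live.get(name, {})):
                if finding not in already_known:
                    new_findings.append(finding)
    return drifted, new_findings


if __name__ == "__main__":
    drifted, findings = detect_drift(BASELINE, LIVE)
    print("drifted resources:", drifted)
    for finding in findings:
        print("NEW RISK:", finding)
```

Running the same comparison on a schedule (or on every change event) is what turns the development-time baseline into a continuous control rather than a one-off scan.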
