Organizations of all sizes and industries are increasingly adopting cloud native approaches. The benefits to the business are enormous, but at the same time, the transition introduces new threats and a wider attack surface. New research from Aqua Security reveals that organizations struggle to keep pace and to detect and secure the ever-growing attack surface.
In fact, findings from Aqua's 2021 Cloud Security Report: Cloud Configuration Risks Exposed, showed that 90% of companies surveyed are vulnerable to security breaches due to cloud misconfigurations.
When considering the factors that facilitate this trend, we should remember that cloud native is about componentizing the application. Instead of one monolith that is complex to maintain, a typical cloud application will have many smaller components, interacting with each other. This is great for innovation and development velocity, but it comes with a price of a new and wider attack surface.
Furthermore, Cloud Service Providers, such as Amazon, Microsoft, Google and others, are innovating at cloud speed. Which means that new and updated services are introduced on a weekly basis. To keep up with the security implications of these changes, it requires a dedicated team of experts that must constantly learn and evolve in order to keep ahead of the threats.
And finally, the introduction of shift-left approaches, where developers have end-to-end responsibility for their apps and components, also means that traditional checkpoints and reviews by a centralized team of security experts are not always possible for all changes in a continuous delivery model.
These factors may introduce critical configuration issues, and unfortunately they are not easy to detect or respond to efficiently. This is especially true at larger enterprises – our data showed they take an average of 88 days to address issues after discovery.
Over 12 months, Aqua's research team analyzed anonymized cloud infrastructure data from hundreds of organizations. Users were divided into two groups based on the volume of cloud resources they scanned: SMB (small and midsize business) who scanned between one and several hundred resources, and enterprise users who scanned from several hundred up to a few hundred thousand distinct resources. In our research, we sought to understand both the scale of vulnerabilities as well as how organizations cope with key issues: storage bucket and blob misconfigurations, IAM misconfigurations, data encryption issues, exploitable services behind open ports and container technology exploitation.
Our findings align with other industry reports such as Verizon's 2020 Data Breach Investigations Report showing that cloud misconfiguration errors had increased from 10% in 2017 to 40% in 2019.
A survey by global market intelligence firm IDC also showed that almost 80% of respondents had at least one cloud security breach over the preceding 18 months.
In addition, 67% of the participants noted that their main IaaS and PaaS security concerns were misconfigurations.
We found, for instance, that in a one-year period 82.4% of all organizations had at least one storage resource (e.g., AWS S3 bucket) publicly open to all inbound traffic. When considering that opening a storage resource to the world can be an integral functionality of the basic design of the application, this is not a disturbing finding by itself. But 73.3% of all cases were closed after receiving an alert. It took organizations on average 2.5 months to close these storage resources. When realizing that these storage resources shouldn't have been open, this finding looks alarming.
Read here how a security researcher was able to find and access an S3 bucket open to the world.
Another troubling finding shows that 40.6% of organizations had at least one case of a misconfigured Docker API over a one-year period. Approximately 90% of these issues were fixed, but it took an average of two months to do so.
Another research finding by Team Nautilus also showed that attackers are now using large botnets to scan the internet, looking exactly for this misconfiguration. When finding a vulnerable host, they run malicious container images that run cryptominers, steal credentials and leave backdoors. The adversaries often infect the host with a worm that keeps spreading this attack. Research showed that it takes five hours on average to find new vulnerable hosts making two months an eternity compared to the time it takes attackers to detect the host and launch an attack.
We recommend finding a solution that goes beyond host-based security tools. This requires a Cloud Security Posture Management (CSPM) solution that operates at the cloud provider control plane level, something that can leverage APIs from the underlying public cloud vendor. This is important because it provides needed visibility into the configuration of the cloud services.
Also, automated capabilities are key to validate hundreds of settings across regions and accounts and can help to:
■ Identify misconfigured storage blobs and buckets that are exposed publicly
■ Find compute and database resources with unintended public access settings
■ Ensure the encryption in transit and at rest across cloud services
■ Enforce user policy definitions to ensure least-privileged access to resources
■ Detect changes to critical resources such as firewall rules, logging groups, or account settings
■ Catch activity in unused or unexpected cloud provider regions or locations
Whether an organization adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats which will inevitably result in damage that can be much greater than the traditional OS or on-premises workloads.