Cloud Misconfigurations Pose Serious Security Risk to Businesses
June 15, 2021

Assaf Morag
Aqua Security

Organizations of all sizes and industries are increasingly adopting cloud native approaches. The benefits to the business are enormous, but at the same time, the transition introduces new threats and a wider attack surface. New research from Aqua Security reveals that organizations struggle to keep pace and to detect and secure the ever-growing attack surface.

In fact, findings from Aqua's 2021 Cloud Security Report: Cloud Configuration Risks Exposed, showed that 90% of companies surveyed are vulnerable to security breaches due to cloud misconfigurations.

When considering the factors that facilitate this trend, we should remember that cloud native is about componentizing the application. Instead of one monolith that is complex to maintain, a typical cloud application will have many smaller components, interacting with each other. This is great for innovation and development velocity, but it comes with a price of a new and wider attack surface.

Furthermore, Cloud Service Providers, such as Amazon, Microsoft, Google and others, are innovating at cloud speed. Which means that new and updated services are introduced on a weekly basis. To keep up with the security implications of these changes, it requires a dedicated team of experts that must constantly learn and evolve in order to keep ahead of the threats.

And finally, the introduction of shift-left approaches, where developers have end-to-end responsibility for their apps and components, also means that traditional checkpoints and reviews by a centralized team of security experts are not always possible for all changes in a continuous delivery model.

These factors may introduce critical configuration issues, and unfortunately they are not easy to detect or respond to efficiently. This is especially true at larger enterprises – our data showed they take an average of 88 days to address issues after discovery.

Over 12 months, Aqua's research team analyzed anonymized cloud infrastructure data from hundreds of organizations. Users were divided into two groups based on the volume of cloud resources they scanned: SMB (small and midsize business) who scanned between one and several hundred resources, and enterprise users who scanned from several hundred up to a few hundred thousand distinct resources. In our research, we sought to understand both the scale of vulnerabilities as well as how organizations cope with key issues: storage bucket and blob misconfigurations, IAM misconfigurations, data encryption issues, exploitable services behind open ports and container technology exploitation.

Our findings align with other industry reports such as Verizon's 2020 Data Breach Investigations Report showing that cloud misconfiguration errors had increased from 10% in 2017 to 40% in 2019.

A survey by global market intelligence firm IDC also showed that almost 80% of respondents had at least one cloud security breach over the preceding 18 months.

In addition, 67% of the participants noted that their main IaaS and PaaS security concerns were misconfigurations.

We found, for instance, that in a one-year period 82.4% of all organizations had at least one storage resource (e.g., AWS S3 bucket) publicly open to all inbound traffic. When considering that opening a storage resource to the world can be an integral functionality of the basic design of the application, this is not a disturbing finding by itself. But 73.3% of all cases were closed after receiving an alert. It took organizations on average 2.5 months to close these storage resources. When realizing that these storage resources shouldn't have been open, this finding looks alarming.

Read here how a security researcher was able to find and access an S3 bucket open to the world.

Another troubling finding shows that 40.6% of organizations had at least one case of a misconfigured Docker API over a one-year period. Approximately 90% of these issues were fixed, but it took an average of two months to do so.

Another research finding by Team Nautilus also showed that attackers are now using large botnets to scan the internet, looking exactly for this misconfiguration. When finding a vulnerable host, they run malicious container images that run cryptominers, steal credentials and leave backdoors. The adversaries often infect the host with a worm that keeps spreading this attack. Research showed that it takes five hours on average to find new vulnerable hosts making two months an eternity compared to the time it takes attackers to detect the host and launch an attack.

We recommend finding a solution that goes beyond host-based security tools. This requires a Cloud Security Posture Management (CSPM) solution that operates at the cloud provider control plane level, something that can leverage APIs from the underlying public cloud vendor. This is important because it provides needed visibility into the configuration of the cloud services.

Also, automated capabilities are key to validate hundreds of settings across regions and accounts and can help to:

■ Identify misconfigured storage blobs and buckets that are exposed publicly

■ Find compute and database resources with unintended public access settings

■ Ensure the encryption in transit and at rest across cloud services

■ Enforce user policy definitions to ensure least-privileged access to resources

■ Detect changes to critical resources such as firewall rules, logging groups, or account settings

■ Catch activity in unused or unexpected cloud provider regions or locations

Whether an organization adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats which will inevitably result in damage that can be much greater than the traditional OS or on-premises workloads.

Assaf Morag is a Lead Data Analyst at Aqua Security
Share this

Industry News

December 06, 2022

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Argo, which will join other graduated projects such as Kubernetes, Prometheus, and Envoy.

December 06, 2022

Wib announced API PenTesting-as-a-Service (PTaaS) designed to help organizations proactively cover the latest PCI-DSS 4.0 mandates for testing application security, APIs, and vulnerabilities in Business Logic.

December 05, 2022

Harness announced Harness Cluster Orchestrator to allow customers to optimize their Kubernetes cloud workload costs and realize up to 90% cloud cost savings with Amazon Elastic Compute Cloud (Amazon EC2) Spot instances from Amazon Web Services (AWS).

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.