Report Unveils Common but Dangerous Breach Paths in Cloud Deployments
August 13, 2020

Cloud breaches will likely increase in velocity and scale, according to the Summer 2020 edition of the Accurics State of DevSecOps report.

"While the adoption of cloud native infrastructure such as containers, serverless, and servicemesh is fueling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organizations," said Accurics Co-founder & CTO, Om Moolchandani. "As cloud infrastructure becomes increasingly programmable, we believe that the most effective defense is to codify security into development pipelines and enforce it throughout the lifecycle of the infrastructure. The receptiveness of the developer community toward assuming more security responsibility has been encouraging and a step in the right direction."

The report also reveals:

■ Misconfigured cloud storage services are commonplace in a stunning 93% of the cloud deployments analyzed, and most also have at least one network exposure where a security group is left wide open. These issues will likely increase in both velocity and scale — and they've already contributed to more than 200 breaches over the past two years.

■ One emerging problem area is that despite the broad availability of key management, hardcoded private keys turned up in 72% of the deployments analyzed. Specifically, unprotected credentials stored in container configuration files were found in half of these deployments, which is an issue given that 84% of organizations use containers.

■ Going one level deeper, 41% of the organizations had high privileges associated with the hardcoded keys and were used to provision compute resources; any breach involving these would expose all associated resources. Hardcoded keys have contributed to a number of cloud breaches.

■ Network exposures resulting from misconfigured routing rules posed the greatest risk to all organizations. In 100% of deployments, an altered routing rule exposed a private subnet containing sensitive resources, such as databases, to the Internet.

■ Automated detection of risks paired with a manual approach to resolution is creating alert fatigue, and only 6% of issues are being addressed. An emerging practice known as Remediation as Code, in which the code to resolve the issue is automatically generated, is enabling organizations to address 80% of risks.

The solution to these issues is managing risk early in the development lifecycle.

Implementation of best practices such as encrypting databases, rotating access keys, and implementing multi-factor authentication ensures enhanced hygiene.

Automated threat modeling is also needed to determine whether changes such as privilege increases, and route changes introduce breach paths in a cloud deployment.

As organizations embrace Infrastructure as Code (IaC) to define and manage cloud-native infrastructure, codifying security into development pipelines becomes possible and can significantly reduce the attack surface before cloud infrastructure is provisioned.

Share this

Industry News

January 27, 2021

Indigo.Design announced the public preview of Indigo.Design App Builder.

January 27, 2021

ARMO announced its launch out of stealth having secured $4.5 million in seed funding from Pitango First.

January 27, 2021

CloudSphere announced the appointment of Jane Gilson as the company’s CEO successor to Patrick McNally.

January 26, 2021

JFrog announced an agreement with Docker.

January 26, 2021

SUSE released Longhorn 1.1.

January 26, 2021

HAProxy released HAProxy Kubernetes Ingress Controller 1.5.

January 25, 2021

Progress announced the new release of Progress Kendo UI, a complete collection of JavaScript UI components.

January 25, 2021

CloudNatix announced the close of a $4.5M Seed round financing led by DNX Ventures, with the participation from a new investor Cota Capital and existing investors: Incubate Fund, Vela Partners and 468 Capital.

January 25, 2021

Quali announced $54 million in new funding, co-led by Greenfield Partners and JVP.

January 21, 2021

Platform9 released Platform9 Release 5.0, with a number of new features to provide operational efficiencies for its freedom, growth, and enterprise managed Kubernetes products.

January 21, 2021

Infragistics announced the release of Infragistics Ultimate 20.2, a complete UX and UI solution for  design and development teams  which is fully compatible with .NET 5, Microsoft’s latest  release of .NET development platform.

January 21, 2021

Couchbase Cloud is now available on Microsoft Azure.

January 20, 2021

Hitachi Vantara announced the availability of Hitachi Kubernetes Service, enabling customers to consistently and securely deploy, manage, monitor, and govern Kubernetes clusters across major cloud providers and on premises.

January 20, 2021

Internal announced the launch of an enterprise-ready app development platform for internal tools.

January 20, 2021

StackPulse announced a $20 million Series A led by GGV Capital.