DevOps needs to morph into DevSecOps to close security threats in the cloud

Oracle and KPMG threat report finds that over-privileged accounts and poorly protected cloud secrets are the biggest security risks.


Almost everyone is having trouble keeping cloud deployments secure, according to a new report from Oracle and KPMG. The "Threat Report 2020: Addressing Security Configurations Amidst a State of Constant Change" found that 92% of IT professionals do not think their organization is well prepared to secure public cloud services.

Two of the biggest security risks are admin accounts with too many privileges and poor management of cloud secrets, like keys, account credentials, and passwords.

The report also found that:

  • Cybersecurity teams are playing catch-up.
  • The basics of cloud security are still not understood.
  • Misconfigured cloud services are prevalent, problematic, and the top cloud security priority.
  • Retooling for the cloud starts with people and process.
  • Many are betting on machine learning as a foundational cybersecurity technology.

Here is a review of the problems with over-privileged accounts and advice on how implementing a DevSecOps approach to software development can close up security holes in cloud deployments. 

Restricting privileges to boost security

A key takeaway of this year's cloud threat report is privileged cloud credentials are the new entry point for bad actors. The Oracle/KPMG report found that 59% of respondents shared that team members with privileged cloud accounts have had those credentials compromised by a spear-phishing attack.


The report recommends implementing least-privilege access policies, especially in multi-cloud environments. This is not easy in an abstracted environment; as the authors put it, "a matrix of many-to-many relationships between users, accounts, and clouds arguably complicates implementing least privilege, as evidenced by our research findings."

At the same time, the survey found that over-privileged accounts are the top misconfigured cloud service, with 37% of respondents selecting this issue as the biggest problem. The full list of the most common misconfigurations:

  • Over-privileged accounts: 37%
  • Exposed web servers and other types of server workloads: 35%
  • Object store-resident data not appropriately secured via access control lists: 34%
  • The lack of multi-factor authentication: 33%
  • Disabled logging for capturing an audit trail of cloud activity: 31%
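Least privilege is easier to enforce when policy documents are linted before they are applied rather than audited afterwards. The following is an added example, not code from the report or the article: it checks a policy in the AWS IAM JSON shape (assumed here only as a concrete format; the report itself is cloud-agnostic) for three of the misconfigurations in the list above: wildcard actions, wildcard resources, and privileged actions granted without an MFA condition. The sample policy and the list of "privileged" action prefixes are constructed for the example.

```python
import json
from typing import Any, Dict, List

# Constructed sample policy in the AWS IAM JSON shape (an assumption, not from
# the report). Statement 0 is fully over-privileged, statement 1 grants
# identity-management rights without requiring MFA, statement 2 is scoped.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
         "Resource": "arn:aws:iam::123456789012:user/*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Action prefixes treated as privileged for the MFA check (hypothetical list;
# identity, token, key and secret management rights).
PRIVILEGED_PREFIXES = ("iam:", "sts:", "kms:", "secretsmanager:")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(stmt: Dict[str, Any]) -> bool:
    """True if the statement only applies when MFA was present at sign-in."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per problem: {'statement': index, 'issue': text}."""
    policy = json.loads(policy_json)
    findings: List[Dict[str, Any]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append({"statement": idx, "issue": "wildcard action"})
        if any(r == "*" for r in resources):
            findings.append({"statement": idx, "issue": "wildcard resource"})
        privileged = [a for a in actions
                      if a == "*" or a.lower().startswith(PRIVILEGED_PREFIXES)]
        if privileged and not _has_mfa_condition(stmt):
            findings.append({
                "statement": idx,
                "issue": "privileged action without MFA condition: "
                         + ", ".join(privileged),
            })
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(f"statement {finding['statement']}: {finding['issue']}")
```

Run it as a step in the pipeline that deploys policies and fail the build on any finding; a Deny statement is skipped because it can only reduce what an identity can do. The prefix list is deliberately short so that it is easy to extend with whatever your own environment considers privileged.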

The most commonly cited misconfigured cloud service, over-privileged accounts, is directly related to unprotected cloud secrets, another significant cloud threat identified by the report.

These privileged cloud credentials are in demand by attackers, given the high percentage of organizations that reported spear-phishing attacks designed to steal these credentials. Stolen privileged cloud credentials can be used to gain access to additional cloud secrets and, from there, many other services including data stores such as databases and object stores.

Respondents noted that secrets have been discovered in unprotected locations such as:

  • Stored on servers: 59%
  • In the source code library: 55%
  • Stored in public cloud object stores: 54%
  • In HTML code: 31%

The report authors stated that this problem, storing cloud secrets in clear text in unprotected locations, is a byproduct of competing objectives: dev teams are moving fast and not thinking about where they are placing secrets. Implementing least-privilege policies and keeping secrets in a hardware security module (HSM) or a key vault, rather than in code or on disk, can solve that problem.

Improving security requires a cultural shift

To reduce the security threats in cloud deployments, security must become a business requirement and a shared responsibility instead of an afterthought, according to the report. Adopting a DevOps approach to software development is part of this transition. The report found that DevOps is no longer a methodology employed only by cloud-native companies. Survey respondents reported that DevOps is being broadly adopted across the board, with only 6% stating they have no plans to employ this method. DevOps is becoming mainstream, "with nearly one-third of respondents already employing DevOps, almost another quarter planning to do so in the next 12-24 months, and another one-third interested in doing so."

The next phase of this evolution is integrating security into daily DevOps work. Companies are not as far along with this change: just over one-third of respondents said that their organization has already integrated security into their DevOps processes.

The report authors suggest that many companies are missing an opportunity to establish a culture of security from the design phase. 

To build a secure DevOps program that automates cybersecurity processes and controls via integration with the continuous integration and continuous delivery (CI/CD) toolchain, organizations must shift security left into dev-time and build-time. These tools and practices support that transition:

  • Software development lifecycle (SDLC) tools, including integrated development environments (IDEs)
  • Source code management (SCM) repositories
  • Automated build tools 
  • Agile project management systems
  • Collaborative messaging platforms
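One concrete way to shift security into dev-time, and to stop the secrets-in-source-code problem described earlier before a commit ever reaches the repository, is a pre-commit scanner. The following is an added example, not code from the report or the article: it scans text for the kinds of secrets respondents found in source code libraries (private key blocks, cloud access key IDs, hard-coded credential assignments) and uses a Shannon-entropy check to ignore placeholders. The regexes, the placeholder list, the entropy threshold and the sample files are all constructed assumptions, and the `scan_staged` function assumes a git checkout.

```python
import math
import re
import subprocess
import sys
from typing import List, Tuple

# Detection rules: hypothetical approximations of common credential shapes,
# not an exhaustive or vendor-endorsed list.
RULES = [
    ("private key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hard-coded credential",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]
ENTROPY_THRESHOLD = 3.0  # bits per character; words and placeholders score lower
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "your_api_key"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random secrets score high, words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(filename: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (filename, line number, rule name) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if name == "hard-coded credential":
                value = m.group(2)
                # Skip obvious placeholders and low-entropy (dictionary-like) values.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append((filename, lineno, name))
    return findings


def scan_staged() -> List[Tuple[str, int, str]]:
    """Scan files staged for commit; meant to be called from a git pre-commit hook."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    findings = []
    for name in names:
        try:
            with open(name, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(name, fh.read()))
        except OSError:
            continue  # deleted or unreadable path; nothing to scan
    return findings


# Constructed sample files standing in for a real commit.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'changeme'\n"                    # placeholder, ignored
        "API_KEY = 'sk_live_9fA3kLq7Xz2mN8pRt4Vw'\n"   # high entropy, flagged
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",         # flagged
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n",  # flagged
    "README.md": "Set the password in the vault, never in this repo.\n",  # clean
}


def scan_samples() -> List[Tuple[str, int, str]]:
    """Run the scanner over the constructed sample files."""
    out = []
    for name, text in SAMPLE_FILES.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    results = scan_staged() if "--staged" in sys.argv else scan_samples()
    for fname, lineno, rule in results:
        print(f"{fname}:{lineno}: possible {rule}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit
```

Wire `python scanner.py --staged` into `.git/hooks/pre-commit` (or the equivalent CI job) so that the same check runs at dev-time and at build-time; the non-zero exit is what makes the control enforceable rather than advisory. Keep the entropy threshold low enough that short but random API keys are still caught, and review anything the placeholder list suppresses.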

Forty-six percent of survey respondents said that the most important reason to use a DevSecOps approach was to bake security into every stage of the continuous delivery toolchain. Collaboration and efficiency were the next most important factors, with compliance coming in next.

This year's report is the first in a five-part series, with follow-on reports offering insights into research findings on central cloud security topics, including:

  • Demystifying the cloud security shared responsibility model
  • The business impact of the modern data breach
  • Addressing cyber-risk and fraud in the cloud
  • The mission of the cloud-centric CISO

Survey methodology

The data presented in this report was collected through an online survey conducted by Enterprise Strategy Group of 750 cybersecurity and IT professionals from private- and public-sector organizations in North America (US and Canada), Western Europe (UK and France), and Asia-Pacific (Australia, Japan, and Singapore) between Dec. 16, 2019, and Jan. 16, 2020. To qualify for this survey, respondents had to be responsible for evaluating, purchasing, and managing cybersecurity technology products and services and to have a high level of familiarity with their organization's public cloud utilization. All respondents were provided an incentive to complete the survey.

[Image: Two of the biggest cloud security risks are admin accounts with too many privileges and poor management of cloud secrets, like keys, account credentials, and passwords, according to the Oracle KPMG Cloud Threat Report 2020. Image credit: Oracle KPMG Cloud Threat Report 2020]