With infrastructure as code (IaC), organizations try to automate the management of their data centers and hardware through coded scripts and software rather than through more manual processes. By using template-based scripts, IT professionals can more easily and quickly apply specific configuration settings and changes throughout their infrastructure.
But as currently used in the cloud, IaC can expose organizations to certain risks. In a report released Wednesday, Unit 42 describes the potential risks of IaC and offers advice on how to guard against them.
SEE: Cheat sheet: The most important cloud advances of the decade (free PDF) (TechRepublic)
In its Cloud Threat Report for Spring 2020, Unit 42, the global threat intelligence team at Palo Alto Networks, looked at how organizations use IaC and cloud-based environments to manage their infrastructure.
In one key finding, Unit 42 researchers discovered more than 200,000 IaC templates with high and medium severity vulnerabilities. Specifically, 42% of AWS CloudFormation templates, 22% of Terraform templates, and 9% of Google Kubernetes YAML files were found to be vulnerable. Without secure IaC templates from the start, cloud environments are ripe for attack.
Some 43% of cloud databases analyzed were not encrypted. Keeping data encrypted prevents attackers from reading the stored information. Encryption of data is also a requirement of many compliance standards such as PCI and HIPAA. The recent breaches of Vistaprint and MoviePass highlight the importance of using encrypted databases.
A full 60% of cloud storage services examined have logging disabled. When storage logging is disabled, malicious actors could enter the storage system without anyone knowing. Storage logging is critical when attempting to determine the scale of the damage in such cloud incidents as the U.S. Voter Records leak or the National Credit Federation data leak.
Organizations that operate in the cloud are being targeted by cybercrime groups, such as Rocke, 8220 Mining Group, and Pacha, according to Unit 42. These groups perform cryptomining operations, typically through public Monero (XMR) mining pools or their own own XMR mining pools.
Attackers are using default configuration mistakes created by weak or insecure IaC configuration templates to bypass firewalls, Security Groups, and VPC policies.
To better secure your IaC and cloud-based environment, Unit 42 offers the following recommendations:
- Get and maintain multicloud visibility. It’s difficult to secure what isn’t visible or known. Security teams need to take the lead in advocating for cloud native security platforms (CNSP), which give them visibility across public, private, and hybrid clouds. Organizations that are able to contextualize cloud logging capabilities, coupled with cloud asset inventory, have the capability to monitor who is accessing data and identify if that data was altered or even exfiltrated.
- Enforce standards. Cloud security requires strict enforcement of standards across public, private, and hybrid cloud environments. If your organization does not yet have a cloud security standard, check out the benchmarks created by the Center for Internet Security (CIS). Paper standards are a good start, but they need to be consistently enforced without having to create and maintain the tools that do it. IaC templates are a great way to consistently enforce these standards.
- Scan IaC templates on commit. IaC templates should always be scanned for insecurities before their use in cloud environments. Using tools like the Prisma Cloud IaC Scanner will help organizations better vet the quality of templates they use in their cloud environments.
- Shift left. Shift left security is about moving security to the earliest possible point in the development process. Organizations that consistently implement shift left practices and procedures within cloud deployments can quickly outpace competitors. Work with DevOps teams to get your security standards embedded in IaC templates.