A new analysis of security risks in cloud deployments found that companies are facing an increased risk of more advanced attacks and struggling to control managed infrastructure options. The Cloud Cyber Resilience Report from Accurics describes how insecure defaults and identity management are causing new problems.
Accurics used the recent SolarWinds Orion hack as an example of what can happen when attackers get access to code or pipelines. Because the malware looked like it was code from an authorized developer, the attack was undetected for months, giving attackers plenty of time to look for weaknesses.
The report authors said the Twilio hack was an example of another growing problem: watering hole attacks in the cloud. The report suggests these problems are caused by the increased use of managed infrastructure services, such as hosted CI/CD services, messaging services, and function as a service.
Tracking violations and drifts
The researchers looked for two types of problems: violations and drifts. When the infrastructure as code (IaC) used to provision cloud components, or a runtime configuration, deviated from a security policy, that was considered a violation. If a runtime configuration deviates from the IaC configuration, or if a compliant runtime configuration is updated with a noncompliant configuration, that is considered a drift.
The analysis found that almost a quarter of all violations corresponded to poorly configured managed services offerings. This makes it easier for attackers to discover an organization’s services, read their data and potentially make modifications.
The study found that the mean time to remediate (MTTR) issues was 24.9 days across all environments. MTTR was 21.8 days in production environments and 31.2 days in pre-production. Fixing a drift took 7.7 days overall, 4.9 days in production and 8.6 days in pre-production.
The other findings of the security analysis include:
- The most critical parts of the cloud infrastructure often require the most time to fix.
- Default configurations in managed services offerings are a growing security risk.
- Misconfigured storage buckets are a persistent problem.
- Enforcing consistent standards and policies is still a struggle.
- Managing identity and access management in runtime is risky.
- Third-party Kubernetes components are in pretty good shape.
The study identified violations and drifts in real-world environments of Accurics users in addition to open source repositories and registries of IaC components. The research focused on the most popular IaC tools such as Terraform, Kubernetes and Helm. The projects and components tested are designed to run on Amazon Web Services, Microsoft Azure and Google Cloud Platform.
Defining identity and access management through code
The report describes this as an emerging threat. The report authors said that this was the first time that the analysts had seen identity and access management defined through infrastructure as code in production environments. Previously, IAM had been implemented in runtime. The report found that 35% of the IAM drifts identified in this latest report originated in IaC, which shows rapid adoption of IAM as code.
The analysts recommend that organizations address identity management in the short term; otherwise they will have to manage identities manually at runtime or compromise the security of their systems. The report authors see IAM as code as the best way to meet this challenge because even “medium-size organizations may have thousands or tens of thousands of roles.”
How to ensure agile security
Accurics recommends using infrastructure as code for load balancers and networking infrastructure at the very least. IaC can help improve speed and consistency in the deployment of networking configurations, according to the report.
The next step is to use policy as code tools to define security policies and enforce these policies programmatically throughout the development process and into production. These tools can help dev teams identify violations early and often.
The third step is to consider remediation as code. This approach makes it easier and quicker to spot violations and drifts and to fix them, because the fix for each known problem is itself expressed as code.
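The three steps above, together with the violation/drift distinction defined earlier in the article, can be shown in one small script. This is an added example written for this page, not code from Accurics or from the report; the resource model (plain dicts flattened from an IaC plan and from a cloud API listing), the three policy rules, the attribute names such as `acl` and `encrypted`, and the sample resources are all constructed for illustration and do not follow any real provider schema. It checks both the IaC and the runtime state against policy (violations), compares runtime state to what the IaC declared (drifts, including unmanaged resources created outside IaC), and applies a per-rule fix to the IaC definition (remediation as code), leaving rules without an automatic fix for a human.

```python
"""Toy policy-as-code, drift and remediation checker (added example, not Accurics code).

Resources are modelled as dicts keyed by a resource id, the way a Terraform plan
or a cloud API listing might look once flattened. All rules, keys and sample
values below are constructed for illustration, not a real provider schema.
"""
from typing import Callable, Dict, List, Optional, Tuple

Resource = Dict[str, object]

# --- Policy as code: each rule returns a violation message, or None if compliant --

def rule_no_public_bucket(res: Resource) -> Optional[str]:
    if res.get("type") == "storage_bucket" and res.get("acl") == "public-read":
        return "bucket grants public read access"
    return None

def rule_bucket_encrypted(res: Resource) -> Optional[str]:
    if res.get("type") == "storage_bucket" and not res.get("encrypted", False):
        return "bucket is not encrypted at rest"
    return None

def rule_no_wildcard_iam(res: Resource) -> Optional[str]:
    if res.get("type") == "iam_role" and "*" in res.get("actions", []):
        return "role allows wildcard actions"
    return None

POLICIES: Dict[str, Callable[[Resource], Optional[str]]] = {
    "no_public_bucket": rule_no_public_bucket,
    "bucket_encrypted": rule_bucket_encrypted,
    "no_wildcard_iam": rule_no_wildcard_iam,
}

def find_violations(resources: Dict[str, Resource], policies=POLICIES) -> List[Tuple[str, str, str]]:
    """Violation: a configuration (IaC or runtime) that deviates from a policy rule."""
    found = []
    for rid, res in resources.items():
        for name, rule in policies.items():
            msg = rule(res)
            if msg:
                found.append((rid, name, msg))
    return found

def find_drifts(iac: Dict[str, Resource], runtime: Dict[str, Resource]) -> List[Tuple[str, str, object, object]]:
    """Drift: the runtime state deviates from what the IaC declared.

    Also reports resources that exist at runtime but are not declared in IaC,
    since those were created or changed outside the pipeline."""
    drifts = []
    for rid, declared in iac.items():
        actual = runtime.get(rid)
        if actual is None:
            drifts.append((rid, "<missing>", declared, None))
            continue
        for key, value in declared.items():
            if actual.get(key) != value:
                drifts.append((rid, key, value, actual.get(key)))
    for rid in runtime:
        if rid not in iac:
            drifts.append((rid, "<unmanaged>", None, runtime[rid]))
    return drifts

# --- Remediation as code: one fix per rule, applied to the IaC definition ----------

FIXES: Dict[str, Callable[[Resource], None]] = {
    "no_public_bucket": lambda r: r.update(acl="private"),
    "bucket_encrypted": lambda r: r.update(encrypted=True),
    # no automatic fix for "no_wildcard_iam": the right action list needs a human
}

def remediate(resources: Dict[str, Resource], violations):
    """Return a corrected copy of the resources plus the violations left for manual review."""
    fixed = {rid: dict(res) for rid, res in resources.items()}  # do not mutate the input
    unresolved = []
    for rid, rule_name, _ in violations:
        fix = FIXES.get(rule_name)
        if fix is None:
            unresolved.append((rid, rule_name))
        else:
            fix(fixed[rid])
    return fixed, unresolved

# Constructed sample: what the IaC declares versus what the cloud API reports.
IAC = {
    "bucket.logs":   {"type": "storage_bucket", "acl": "private",     "encrypted": True},
    "bucket.assets": {"type": "storage_bucket", "acl": "public-read", "encrypted": False},
    "role.deploy":   {"type": "iam_role", "actions": ["s3:PutObject"]},
}
RUNTIME = {
    "bucket.logs":    {"type": "storage_bucket", "acl": "public-read", "encrypted": True},
    "bucket.assets":  {"type": "storage_bucket", "acl": "public-read", "encrypted": False},
    "role.deploy":    {"type": "iam_role", "actions": ["*"]},  # widened by hand at runtime
    "bucket.scratch": {"type": "storage_bucket", "acl": "private", "encrypted": False},
}

if __name__ == "__main__":
    for v in find_violations(IAC):
        print("IaC violation:", v)
    for v in find_violations(RUNTIME):
        print("runtime violation:", v)
    for d in find_drifts(IAC, RUNTIME):
        print("drift:", d)
    fixed, todo = remediate(IAC, find_violations(IAC))
    print("violations after remediation:", find_violations(fixed), "manual follow-up:", todo)
```

Running the script shows why the report separates the two categories: `bucket.assets` is a violation that was already present in the IaC and can be fixed there, `bucket.logs` and `role.deploy` are drifts where someone changed the runtime away from compliant code, and `bucket.scratch` is an unmanaged resource that no policy run over the IaC alone would ever see. Fixing the code fixes the first case; the others need the runtime reconciled back to the code.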