As the adoption of managed infrastructure services increases, new cloud attack surfaces appear with them. According to a new report from Accurics, 23% of all security breaches identified relate to poorly configured managed services.
The study, Accurics’ Cloud CyberSpace Recovery Report, assessed violations and errors in the real environments of Accurics users, as well as in open source repositories and registries of infrastructure as code (IaC) components.
The research shows that the mean time to remediate (MTTR) violations is 25 days across all environments. Accurics described this as a ‘luxury’ for potential attackers. For deviations from established secure infrastructure postures, MTTR averages eight days.
This is an interesting difference, and one that suggests security must be examined constantly. Consider the Twilio TaskRouter JS SDK security incident from July. In this case, the Amazon Web Services (AWS) S3 bucket was correctly configured when it was added, as far back as 2015, but a configuration change made 5 months later altered it. This drift went undetected and was not remedied until it was exploited last year.
“Protecting cloud infrastructure requires a new approach that basically includes security earlier in the development lifecycle and maintains a transparent secure posture,” Accurics noted. “Cloud infrastructure must be continuously monitored at runtime for configuration changes and risk assessment.
“In situations where configuration changes lead to risks, cloud infrastructure must be redeployed based on a secure baseline,” the company added. “This will ensure that any risk changes made accidentally or harmfully are automatically overwritten.”
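One way to implement the runtime check described above, as an added example that is not taken from the report or from Accurics' tooling: compare each bucket's live settings with its IaC baseline, flag drift that widens exposure, and derive the values to redeploy. The bucket name, the snapshot layout and both snapshots are constructed for illustration; the `PublicAccessBlock` keys and canned ACL names are the real S3 ones.

```python
from dataclasses import dataclass

# Real S3 PublicAccessBlock settings: anything other than True widens exposure.
PAB_KEYS = {"BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"}
PUBLIC_ACLS = {"public-read", "public-read-write"}  # real S3 canned ACL names

# Constructed snapshots (hypothetical bucket and layout): IaC baseline vs. runtime.
BASELINE = {"example-sdk-assets": {"Acl": "private", "Tags": {"owner": "web"},
            "PublicAccessBlock": {k: True for k in PAB_KEYS}}}
RUNTIME = {"example-sdk-assets": {"Acl": "public-read", "Tags": {"owner": "platform"},
           "PublicAccessBlock": {**{k: True for k in PAB_KEYS}, "BlockPublicPolicy": False}}}

@dataclass(frozen=True)
class Drift:
    bucket: str
    setting: str
    baseline: object
    runtime: object
    risky: bool

def flatten(cfg, prefix=""):
    """Flatten nested dicts into dotted keys so every setting is comparable."""
    out = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out

def is_risky(setting, base, live):
    """A drift is risky when it moves a guard away from its secure baseline value."""
    leaf = setting.rsplit(".", 1)[-1]
    if leaf in PAB_KEYS:
        return base is True and live is not True  # also catches a removed setting
    if leaf == "Acl":
        return live in PUBLIC_ACLS and base not in PUBLIC_ACLS
    return False

def detect_drift(baseline, runtime):
    drifts = []
    for bucket, base_cfg in baseline.items():
        base, live = flatten(base_cfg), flatten(runtime.get(bucket, {}))
        for setting in sorted(base.keys() | live.keys()):
            b, l = base.get(setting), live.get(setting)
            if b != l:
                drifts.append(Drift(bucket, setting, b, l, is_risky(setting, b, l)))
    return drifts

def remediation_plan(drifts):
    """Baseline values to redeploy so that risky changes are overwritten."""
    return {(d.bucket, d.setting): d.baseline for d in drifts if d.risky}
```

Benign drift, such as the changed tag, is reported but left out of the remediation plan, so only risk-increasing changes trigger a redeploy.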
Accurics predicts that as cloud services mature and grow, security issues will continue alongside them. According to Om Moolchandani, co-founder, CTO and CISO of Accurics, messaging services and FaaS (function as a service) are in a “dangerous phase of application.” “If history is a guide, we hope to start seeing more breaches due to the unsafe configuration around these services,” he added.
So who is responsible for these problems? Accurics argues that it is a matter of education, convenience and communication, and that the problems span all aspects of the business. Misconfigured storage buckets (15.3% of violations analyzed) and hard-coded secrets (nearly 10% of violations) are clearly developer responsibilities. The report also noted that requests and policies are not exchanged directly between security, development, and operations teams.
Of the organizations tested, 10.3% paid specifically for advanced security features from cloud service providers, but none were enabled or configured. In general, the use of default settings and roles, as well as the struggle to deploy least-privilege environments, remains common.