With cloud adoption accelerating, the growing scale of cloud environments is outpacing the capacity for businesses to keep them secure. This is why many organisations feel vulnerable to data breaches that might arise as a result of cloud configuration errors.
More than 80% of the 300 cloud engineering and security professionals questioned by Sonatype and Fugue in their latest cloud security report said they felt their organisations were at risk. Factors include teams struggling with an expanding IT ‘surface area’, an increasingly complex threat landscape, and recruitment challenges coupled with a widening skills gap.
A major security threat
Misconfiguration is a major problem because cloud environments can be enormously complicated, and mistakes can be very hard to detect and manually remediate. According to Gartner, the vast majority of publicly disclosed cloud-related security breaches are directly caused by preventable misconfiguration mistakes made by users, highlighting how great of a security threat they truly are.
“Often companies use default configurations, which are insecure for many use cases, and unfortunately there’s still a significant skills gap,” says Kevin Curran, professor of cyber security at Ulster University. “The cloud industry is relatively new, so there’s a noticeable deficit in knowledgeable cloud architects and engineers.”
He claims there are numerous scanning services constantly seeking out vulnerabilities to exploit, and, because flaws can be abused within minutes of creation, it’s led to an urgent race between attackers and defenders.
“An attacker can typically detect a cloud misconfiguration vulnerability within ten minutes of deployment, but cloud teams are slower in detecting their own misconfigurations,” he adds. “In fact, only 10% are matching the speed of hackers.”
Misconfiguration can happen for many reasons, such as organisations prioritising legacy apps over cloud security, Ben Matthews, a partner at consultancy firm Altman Solon, points out. “Even with the significant growth in cloud adoption in recent years,” he adds, “the current and likely enduring prevalence of mixed and hybrid environments mean that this problem isn’t going away anytime soon.”
There are several other common causes of cloud misconfiguration, too. Those questioned as part of Sonatype and Fugue’s study cited too many APIs and interfaces to govern, a lack of controls, oversight and policy, and even simple negligence, as among the main reasons.
A fifth (20%) noted their businesses haven’t been adequately monitoring their cloud environments for misconfiguration, while 21% reported not checking infrastructure as code (IaC) prior to deployment. IaC is a process for managing and provisioning IT infrastructure through code instead of manual processes.
It’s a people problem
Experts agree that cloud misconfiguration is, first and foremost, a people problem, with traditional security challenges such as alert fatigue, the complexity of managing applications and workloads, and human error playing a significant role.
“Laziness, a lack of knowledge or oversight, simple mistakes, cutting corners, rushing a project – all these things play into misconfigurations,” points out Andras Cser, vice president and principal analyst at Forrester.
Organisations also find the demand for cloud security expertise is outstripping supply, making it harder than ever to retain staff with the knowledge required to guarantee cloud security. Often, there’s also confusion within businesses as to who’s responsible for checking for vulnerabilities, and, if any are found, ensuring they’re removed.
“Secure configuration of cloud resources is the responsibility of cloud users and not the cloud service providers,” clarifies Gartner’s senior director analyst, Tom Croll. “Often, misconfigurations arise due to confusion within organisations about who’s responsible for detecting, preventing and remediating insecure cloud assets. Application teams create workloads, often outside the visibility of security departments and security teams often lack the resources, cooperation or tools to ensure workloads are protected from misconfiguration mistakes.”
Curran continues by highlighting that different teams are responsible at different stages of any cloud project. For instance, cloud developers using IaC to develop and deploy cloud infrastructure should be aware of the major security parameters included in the software development cycle. The security team, on the other hand, is generally responsible for monitoring and the compliance team for audits. To make things more complicated, Sonatype and Fugue’s report suggests cloud security requires more cross-team collaboration than in the data centre. More than a third (38%) of those surveyed, however, cited friction existing between teams over cloud security roles.
Avoiding cloud configuration errors
Wherever possible, organisations will want to prevent cloud misconfiguration problems from arising in the first place. This can be achieved by using tools such as IaC scanning during the development phase, and the adoption of policy as code (PaC), which, according to Curran, has revolutionised how IT policy is implemented.
Rather than following written rules and checklists, in PaC, policies are expressed “as code” and can be used to automatically assess the compliance posture of IaC and the cloud environments organisations are actively running.
“Using PaC for cloud security is significantly more efficient and cost-effective as it’s repeatable, shareable, scalable and consistent,” he explains, adding: “It also greatly reduces security risks due to human error.” Of course, mistakes can be missed and, therefore, continuous 24/7 monitoring should be core to a business’ cloud security operation in order to maximise the chances of finding potential vulnerabilities.
Experts advise businesses to use automated security services, such as cloud security posture management (CSPM), which are designed to identify misconfiguration issues and compliance risks in the cloud. This particular tool automates the process of finding and fixing threats across all kinds of cloud environments.
“These allow cloud platform admins to create a good baseline of cloud configuration artefacts, then detect any drifts from it,” Forrester’s Cser continues. “It also takes advantage of best-practice templates that will flag issues around S3 buckets or overprivileged instances, for example. Automated CSPM visibility, detection and remediation should be continuous.”