Aqua Security, the pure-play cloud native security solutions company, has published new research from Team Nautilus revealing that a significant majority of companies that move to multi-cloud environments are not properly configuring their cloud-based services.
According to the new findings from Aqua Security’s ‘2021 Cloud Security Report: Cloud Configuration Risks Exposed’, these misconfigurations, for example leaving bucket or blog storage open, can open companies up to critical security breaches.
2021 Cloud Security Report
When you consider that a single cloud misconfiguration can expose organisations to severe cyber risk"
Reflecting the overwhelming amount of configurations that practitioners must address, even when companies are aware of errors, most have not addressed the bulk of these issues in a timely manner. Especially larger enterprises, as they take an average of 88 days to address issues after discovery.
“When you consider that a single cloud misconfiguration can expose organisations to severe cyber risk, such as data breaches, resource hijacking and denial of service (DoS) attacks, the consequences of failing to address misconfiguration issues are all too real to ignore,” said Assaf Morag, Lead Data Analyst with Aqua Security’s Team Nautilus.
Aqua Security’s research methodology & findings
Over a period of 12 months, Aqua Security’s research team analysed anonymised cloud infrastructure data from hundreds of organisations.
Users were divided into two groups, based on the volume of cloud resources that they scanned - SMB (small and midsize business), who scanned between one and several hundred resources and enterprise users, who scanned from several hundred up to a few hundred thousand distinct resources.
The research findings point to important security gaps including:
- Less than 1% of enterprise organisations fixed all detected issues, while less than 8% of SMBs fixed all detected issues.
- More than 50% of all organisations receive alerts about misconfigured services, with all ports open to the world, but only 68% of these issues were fixed, taking 24 days on average.
- Over 40% of users had at least one misconfigured Docker API, taking an average of 60 days to remediate.
Security posture issues across IaaS and PaaS accounts
These findings point to numerous security posture issues across Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) accounts, which suggest both a lack of understanding, as well as an overwhelming number of issues requiring attention.
Cloud-native applications improve agility by giving more people access to define the environment"
“Cloud-native applications improve agility by giving more people access to define the environment, but we see many organisations move away from a centralised approach to security,” said Morag, adding “The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralised approach. Development teams are making configuration decisions or applying services, and that can have dramatic implications for the security posture of an organisation’s production environment.”
Causes of cloud-setting misconfigurations
The Aqua report examines the mistakes that lead to five common types of cloud-setting misconfigurations - storage (bucket/blob) misconfigurations, identity and access management (IAM) misconfigurations, data encryption issues, exploitable services behind open ports, and container technology exploitation.
The Aqua 2021 Security Report also provides recommendations on the best practices and policies that organisations can implement immediately, in order to mitigate the risk of cloud misconfigurations, including:
- Instituting a formal remediation process to prioritise issues.
- Treating all API issues as critical, as adversaries actively scanning for exposed API ports.
- Applying various IAM controls to establish layers of access control, such as multi-factor authentication (MFA) and identity federation.
Proactively fixing cloud misconfiguration issues
“Whether an organisation adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats,” said Ehud Amiri, Senior Director of Product Management at Aqua Security.
Ehud Amiri adds, “Failure to do so will inevitably result in damage that can be much greater than the traditional OS or on-premises workloads.” Aqua Security’s '2021 Security Report: Assessing Cloud Infrastructure Risks' is available now.