Misconfigurations are regularly introduced by cloud users, either through their actions or through failure to implement available controls; they are often left unremediated even when known, and take too long to fix when they are fixed.
Cloud Security Posture Management (CSPM) firm Aqua Security has analyzed the anonymized cloud configuration data of hundreds of its clients over a period of 12 months. The intent was to discover the size of the cloud misconfiguration problem, and how industry responds to reported issues.
For its analysis, Aqua separated the group into SMBs (who used Aqua to scan up to just a few hundred cloud resources) and enterprises (who scanned anything from a few hundred to a few hundred thousand cloud resources). In general, and probably as a reflection of resources, it found that smaller companies fixed fewer of the known issues over the 12-month period, but did so at a faster rate than enterprises. Less than 1% of enterprises fixed all misconfiguration issues, while 8% of SMBs did so.
The size of the problem remains unsettling, despite all the warnings over the last few years. In January 2020, the NSA called misconfiguration the most common cloud vulnerability, describing it as having high prevalence while requiring low attacker sophistication.
Aqua found (PDF) that more than 50% of organizations receive alerts about misconfigured services with all ports open to anyone with internet access, but only 68% of these were fixed, taking an average of 24 days. More than 40% of the organizations had at least one misconfigured Docker API, which took an average of 60 days to fix.
It suggests that organizations, prompted into a move to the cloud both by the competitive need for business transformation and by the rapid growth of remote working caused by the COVID-19 pandemic, have an underlying lack of understanding of IaaS and PaaS infrastructures in the cloud.
Partly, says Aqua, this is caused by the changing business processes that accompany a move to the cloud. “Cloud-native applications improve agility by giving more people access to define the environment, but we see many organizations move away from a centralized approach to security,” said Assaf Morag, lead data analyst with Aqua’s Nautilus research team. “The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralized approach. Development teams are making configuration decisions or deploying services, and that can have dramatic implications for the security posture of an organization’s production environment.”
This may also be the underlying cause behind the vast number of exposed data-containing storage buckets left in the cloud. The most publicly visible cloud misconfiguration issue occurs when a data owner leaves the data in storage that is open to the internet. We learn of new examples weekly. In fact, most major cloud service providers (CSPs) set the default access for new storage to ‘private’, but this seems to be frequently changed by the user to “0.0.0.0/0,” “::/0,” or all protocols and ports, presumably to improve ease of use. This may happen when one developer spins up something like an S3 bucket but decides he or she must open access to other remote developers; in attempting to do so, he or she opens access for everyone.
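As an added illustration (not from the article or Aqua’s report), the following Python check flags the kind of world-open ingress rule described above. It assumes the field names of AWS security group JSON (IpPermissions, IpProtocol, FromPort/ToPort, IpRanges, Ipv6Ranges) and uses constructed sample groups, not real customer data:

```python
"""Flag security group ingress rules reachable from the whole internet.
Rule shape mirrors AWS describe-security-groups output (an assumption of
this example); the sample groups below are constructed, not real."""
import ipaddress


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 space (0.0.0.0/0, ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_rules(group: dict) -> list[dict]:
    """One finding per ingress rule open to any internet address.
    'critical' when the rule also allows all protocols and ports
    (IpProtocol "-1" in AWS terms), otherwise 'high'."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        exposed = [c for c in cidrs if is_world_open(c)]
        if not exposed:
            continue
        all_traffic = perm.get("IpProtocol") == "-1"
        findings.append({
            "group": group["GroupId"],
            "protocol": "all" if all_traffic else perm["IpProtocol"],
            "ports": "all" if all_traffic else f'{perm["FromPort"]}-{perm["ToPort"]}',
            "sources": exposed,
            "severity": "critical" if all_traffic else "high",
        })
    return findings


def audit(groups: list[dict]) -> list[dict]:
    """Run open_rules over every group and collect the findings."""
    return [f for g in groups for f in open_rules(g)]


# Constructed sample: one group wide open, one exposing only HTTPS to the
# world (plausible for a public web tier), one restricted to an internal range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-open",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-internal",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```

The same logic runs unchanged over the real output of `aws ec2 describe-security-groups`, since only the listed field names are relied on.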
Two of the mitigations for misconfigurations recommended by the NSA are improved access controls (including the enforcement of MFA, least privilege and zero trust), and encryption. Aqua’s survey report examined both areas.
Encryption of data at rest is a service provided by the major CSPs. In AWS it must be enabled by the user, while Google Cloud Services and Azure provide it by default. Some companies simply don’t enable it, while other companies actively disable it. Aqua found that when this was reported as an issue, all organizations enabled or restored encryption, but it took an average of three months to implement the change.
Misconfigured access control is one of the biggest problems in cloud usage, and one of the most difficult to prevent. It cannot be done by the cloud provider. Of necessity, on first access to a new cloud resource, the user is a superuser with maximum privileges. The CSP provides the controls necessary to implement many of the NSA’s recommendations, but too many companies fail to use them.
Aqua found that 60.8% of organizations had MFA disabled, and only 38.8% remediated the issue, taking an average of 65.2 days to do so. Nearly 18% had a deviation from the principle of least privilege, with only 40.7% of them rectifying the issue, in an average of 55.8 days. Unused credentials are an even bigger problem, involving 88.2% of organizations. This was remediated by a higher proportion of companies (73.3%), but they took an average of 76.3 days to do so.
It is clear that companies moving into or expanding their use of cloud services need to do so in a more controlled manner. It is somewhat shocking, although Aqua doesn’t say this, that many organizations who go to the trouble and expense of using a cloud security posture management firm to unearth security issues frequently at worst ignore the issues reported, and at best take a long time to remediate them.
“Whether an organization adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats,” said Ehud Amiri, Senior Director of Product Management. “Failure to do so will inevitably result in damage that can be much greater than with traditional OS or on-premises workloads.”
Aqua Security was founded in Ramat Gan, Tel Aviv, Israel in 2015 by Amir Jerbi (CTO) and Dror Davidoff (CEO). It achieved ‘unicorn’ status in March 2021 when it raised $135 million in a series E funding round.
Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment
Related: Misconfigured Docker Registries Expose Thousands of Repositories
Related: Misconfigured Database Exposes Details of 191 Million Voters
Related: Razer Purchaser Data Exposed by Server Misconfiguration