Aqua Security has published new research from Team Nautilus revealing that a significant majority of companies that move to multi-cloud environments are not properly configuring their cloud-based services. According to new findings from Aqua’s “2021 Cloud Security Report: Cloud Configuration Risks Exposed”, these misconfigurations, for example leaving bucket or blog storage open, can open companies up to critical security breaches. Reflecting the overwhelming amount of configurations practitioners must address, even when companies are aware of errors, most have not addressed the bulk of these issues in a timely manner. Especially larger enterprises, as they take an average of 88 days to address issues after discovery.
“When you consider that a single cloud misconfiguration can expose organisations to severe cyber risk, such as data breaches, resource hijacking and denial of service attacks, the consequences of failing to address misconfiguration issues are all too real to ignore,” said Assaf Morag, Lead Data Analyst with Aqua’s Team Nautilus.
Research Methodology & Findings
Over 12 months, Aqua’s research team analysed anonymised cloud infrastructure data from hundreds of organisations. Users were divided into two groups based on the volume of cloud resources they scanned: SMB (small and midsize business) who scanned between one and several hundred resources, and enterprise users who scanned from several hundred up to a few hundred thousand distinct resources.
The research findings point to important security gaps including:
• Less than 1% of enterprise organisations fixed all detected issues while less than 8% of SMBs fixed all detected issues.
• More than 50% of all organisations receive alerts about misconfigured services with all ports open to the world, but only 68% of these issues were fixed, taking 24 days on average.
• Over 40% of users had at least one misconfigured Docker API, taking an average of 60 days to remediate.
These findings point to numerous security posture issues across Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) accounts, which suggests both a lack of understanding as well as an overwhelming number of issues requiring attention.
“Cloud-native applications improve agility by giving more people access to define the environment, but we see many organisations move away from a centralised approach to security,” added Morag. “The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralised approach. Development teams are making configuration decisions or applying services, and that can have dramatic implications for the security posture of an organisation’s production environment.”
The Aqua report examines the mistakes that lead to five common types of cloud setting misconfigurations: storage (bucket/blob) misconfigurations, identity and access management (IAM) misconfigurations, data encryption issues, exploitable services behind open ports, and container technology exploitation.
Reducing Threat Exposure
The Aqua 2021 Security Report also provides recommendations on the best practices and policies organisations can implement immediately to mitigate the risk of cloud misconfigurations, including:
• Instituting a formal remediation process to prioritise issues.
• Treating all API issues as critical, as adversaries are actively scanning for exposed API ports.
• Applying various IAM controls to establish layers of access control, such as multi-factor authentication (MFA) and identity federation.
“Whether an organisation adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats,” said Ehud Amiri, Senior Director of Product Management. “Failure to do so will inevitably result in damage that can be much greater than the traditional OS or on-premises workloads.”