Only 1% of public cloud misconfigurations are caught, leaving companies open to data loss. Here’s how to stay protected.
Infrastructure-as-a-Service (IaaS) is at great risk of Cloud-Native Breaches, with 99% of misconfiguration incidents in public cloud environments going undetected, according to a McAfee report released today.
IaaS is the fastest-growing area of the cloud as a new default IT environment for internal and external-facing applications. But in the rush to adopt IaaS, many companies have overlooked the need for security, assuming the cloud provider was handling it.
As a result, there have been numerous Cloud-Native Breaches (CNBs), which are opportunistic attacks on data left open by misconfigurations, that is, errors in how the cloud environment was configured.
The most popular IaaS providers are big-name companies including Amazon, Microsoft, Alibaba, Google, and IBM. However, the rush to adopt this growing technology leaves security as an afterthought, with 99% of cloud misconfigurations going undetected by companies, McAfee’s Cloud Native: The Infrastructure-as-a-service (IaaS) Adoption and Risk report found.
IaaS is a cloud computing model that can be rented by companies, in the form of storage, networking, and physical or virtual servers, as reported in ZDNet’s What is cloud computing? Everything you need to know about the cloud, explained. These systems are valuable for companies that want to develop applications themselves and control all aspects of their data.
The report, released on Tuesday, surveyed 1,000 enterprise organizations worldwide to determine the biggest IaaS security issues. Cloud misconfigurations dominated the threat landscape, leaving millions of consumer records and intellectual property vulnerable to theft.
“Cloud misconfiguration is one of the most preventable, yet common security issues cloud customers face,” said Sekhar Sarukkai, vice president of engineering for cloud security at McAfee. “Cloud misconfiguration refers to an error in how the cloud service was configured, which introduces risk to the organization and their data. Cloud infrastructure, or IaaS, is the most configurable, which introduces a higher risk of misconfiguration than SaaS.”
Only 1% of IaaS misconfigurations are known, the report found. While companies think they average 37 misconfigurations per month, they really experience 3,500. Even once the issues are made known, some 27% remain unresolved, and one quarter of respondents said it takes them more than one day to fix the issues.
Cloud-native breaches don’t surface like a normal malware-based attack, Sarukkai said. Rather, the report identified a cloud-native breach as “a series of actions by an adversarial actor in which they ‘Land’ their attack by exploiting errors or vulnerabilities in a cloud deployment without using malware, ‘Expand’ their access through weakly configured or protected interfaces to locate valuable data, and ‘Exfiltrate’ that data to their own storage location.”
Why aren’t businesses handling these breaches?
A major communication gap exists in the enterprise, leading to these repeated breaches, the report found. While 90% of companies said they’d experienced some security issues with IaaS, some 12% of IT decision makers—those closest to the IaaS environment—thought they’d never experienced an issue, and 6% of CXOs also claimed to have had no issues.
“Practitioner-leadership disconnect leads to practitioner’s false sense of security,” Sarukkai said. “This disconnect leads to senior leadership becoming complacent and making a suboptimal prioritization decision. This complacence is reflected by our finding that only 26% of companies can currently audit for IaaS misconfigurations with their existing security tools.”
The speed of IaaS adoption is the main cause for practitioners failing to keep up, the report found. Infrastructures change quickly in the cloud, creating room for more mistakes as code is released in continuous integration and continuous delivery practices (CI/CD).
“Additionally, most organizations are multicloud, meaning they use multiple cloud service providers for infrastructure, increasing the difficulty of auditing configurations across multiple platforms,” Sarukkai said.
IaaS: The New Shadow IT
IT teams aren’t able to secure things they don’t know about. Cloud adoption began with employee-acquired apps for collaboration and file sharing that IT was never aware of, which gave rise to the term Shadow IT, the report found.
With the rise in software-as-a-service (SaaS), IT teams were able to catch up and recommend the most useful applications for business. A similar trend surfaced with infrastructure services, especially with big providers like Amazon Web Services and Microsoft Azure. Each provider has special services that support business cases for developing a multicloud environment, wherein multiple IaaS providers are used. Currently, many applications are being built in the cloud or moved to it, but multicloud makes it difficult for companies to maintain control and visibility of all their IaaS architectures.
Security measures businesses should take
To help businesses better protect their IaaS structures, Sarukkai identified the following three security strategies:
1. Build IaaS configuration auditing into your CI/CD process
Companies must execute this step early, perhaps at code check-in, to decrease the number of misconfigurations that reach deployment. IT managers should look for security tools that easily work with Jenkins, Kubernetes, and more to automate the audit and correction process effectively.
2. Evaluate your IaaS security practice using a framework like Land-Expand-Exfiltrate
By checking your practices against the entire chain of attack, companies have a better chance of stopping a breach before it gets out of hand.
3. Invest in cloud-native security tools, and training for security teams
Some worthwhile security tools include Cloud Access Security Brokers (CASBs), Cloud Security Posture Management (CSPM), and Cloud Workload Protection Platforms (CWPP). All three are made to work within DevOps and CI/CD processes, without being a carbon copy of on-premises data center security.
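As an added illustration of strategies 1 and 2 (not code from the McAfee report or from any vendor tool), the script below audits an infrastructure template at check-in and fails the CI job when it finds a misconfiguration. It assumes an AWS CloudFormation template in JSON with literal property values; the three rules and the mapping of each finding to a Land, Expand or Exfiltrate stage are illustrative assumptions, and the sample template is constructed.

```python
import json
import sys

# Constructed CloudFormation-style sample template; not taken from the report.
SAMPLE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "public web", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "AppPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "app", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}})
ADMIN_PORTS = (22, 3389)  # SSH and RDP

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(template_text):
    """Return (resource, stage, issue) tuples; the stage mapping is an assumption."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
            findings.append((name, "Exfiltrate", "bucket ACL is public"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
                any_port = str(rule.get("IpProtocol")) == "-1"  # -1 means all protocols
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                if world and (any_port or any(lo <= p <= hi for p in ADMIN_PORTS)):
                    findings.append((name, "Land", "admin port open to the internet"))
        elif rtype == "AWS::IAM::Policy":
            for st in as_list(props.get("PolicyDocument", {}).get("Statement", [])):
                if (st.get("Effect") == "Allow" and "*" in as_list(st.get("Action", []))
                        and "*" in as_list(st.get("Resource", []))):
                    findings.append((name, "Expand", "policy allows all actions on all resources"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit(text)
    for name, stage, issue in results:
        print(f"{stage:10} {name}: {issue}")
    sys.exit(1 if results else 0)  # a non-zero exit fails the CI job
```

Run as a pipeline step with the template path as its argument; with no argument it audits the built-in sample.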
The Infrastructure-as-a-Service (IaaS) public cloud market grew by 31.3% in 2018, becoming the go-to IT environment for hosting internal and customer-facing applications in an organization, according to Gartner’s Market Share Analysis: IaaS and IUS, Worldwide, 2018 report.