Firms Struggle to Secure Multicloud Misconfigurations

Companies continue to struggle to correctly configure their cloud infrastructure, with small and midsize businesses (SMBs) fixing only an average of 40% of misconfiguration issues and enterprises fixing 70% of such issues, according to a new report from cloud security firm Aqua Security.

The report, based on anonymized data collected by Aqua Security over 12 months, shows that more than half of companies had ports open to the Internet, but they fixed only two-thirds of the misconfiguration issues. In addition, more than 82% of companies had an instance where their cloud storage was open to the public, and while 73% fixed the issues, it took an average of over two months to do so, with enterprises reporting more issues and taking longer to remediate them compared with SMBs.

The data demonstrates that companies face significant challenges in correctly configuring their cloud environments, undermining the security of their cloud infrastructure, says Ehud Amiri, senior director of product management at Aqua Security.

"The success and massive adoption of cloud and cloud native approaches [has] created the perfect storm," he says. "Cloud native is about componentizing the application. ... This is great for innovation and development velocity, but it comes with a price of a new and wider attack surface."

Overall, large enterprises typically had more issues and required longer to remediate them compared with SMBs, the report states. Yet the larger companies fixed a greater portion of their total issues overall. SMBs typically scanned up to hundreds of cloud resources, while enterprises scanned from hundreds to more than 100,000 resources.

The complexity of cloud and multicloud infrastructures are leaving companies, and their applications and data, open to compromise. Almost 80% of companies have suffered from a cloud data breach in the past 18 months, according to a survey conducted by IDC in June 2020. Two-thirds of businesses identified security misconfigurations as a top concern, while a lack of visibility into cloud activity and access concerned 64% of companies, according to the IDC survey.

While companies have accelerated their move to the cloud, the majority have more concerns regarding the security of their infrastructure, according to a recent survey.

"This complexity, in single or multi-cloud environments, often leads to service configuration issues that can unnecessarily expose organizations to threats — and the 'blast radius' of damage resulting from misconfigurations can be much greater than for the traditional OS or on-premises workloads," the Aqua Security report states.

Among the major misconfiguration issues for cloud infrastructure: data encryption. Almost three-quarters of businesses had unencrypted cloud services, while 30% had unencrypted databases and 39% had plaintext data in their traffic, according to the report. The issues took more than three months to fix, on average.

Docker containers also became a significant security risk for companies. Starting at the beginning of 2020, the volume of attacks targeting containers dramatically increased, the report states. Almost 41% of companies had a misconfigured Docker API, and 35% of companies had a permissive Kubernetes network policy.

"Cyberattacks against cloud native environments often target and exploit vulnerable hosts," the report says. "The main threat posed by these attacks is crypto mining, a process that methodically siphons resources from unsuspecting victims — resources that would otherwise be used to support your business objectives."

The first step for companies should be to verify their cloud configurations and determine whether they have a problem by finding some way to gain continuous insight into the state of the cloud infrastructure, says Amiri.

"The most critical issue is the lack of detailed visibility and lack of understanding the context," he says. "And indeed, we see many organizations starting by leveraging tools to discover and analyze the context of configuration issues."

In addition, companies of any size should create a formal process for tracking and fixing security issues, Aqua Security says. In addition, access-control policies should be applied on a per-container basis rather than a single policy applied to multiple instances.

"Without a good process, it’s easy to be overwhelmed by the endless number of security issues being identified," the report states. "Since smaller organizations usually have fewer monitored cloud resources, their security practitioners often have fewer issues to fix, but organizations of any size could benefit from an improved triage method."