The research from Accurics also found that cloud breaches are likely to expand in velocity and scale, and these are likely to infiltrate environments which have at least one network exposure where a security group is left open, an issue that has already caused over 200 breaches over the past two years.
When examining the most common hazards to environments, Accurics found that 100% of deployments had exposed databases, or another kind of private subnet containing sensitive resources, to the Internet.
In addition, despite the broad availability of tools such as AWS Key Management Service (KMS) and HashiCorp Vault, hardcoded private keys were detected within 72% of analysed deployments.
With 84% using containers, unprotected credentials within container configuration files were particularly common, with this occurring in half of these deployments, while 41% had high privileges associated with the hardcoded keys and were used to provision compute resources; any breach involving these would expose all associated resources.
Global container management software to see major growth — Gartner
Alert fatigue, which is caused by automated detection of risks paired with a manual approach to resolution, was also revealed as an issue occurring within cloud deployments, with only 6% of issues being addressed. However, an emerging practice known as Remediation of Code is empowering organisations to address 80% of risks using automatically generated code.
“While the adoption of cloud native infrastructure such as containers, serverless, and servicemesh is fuelling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organisations,” said Om Moolchandani, CTO of Accurics.
“As cloud infrastructure becomes increasingly programmable, we believe that the most effective defence is to codify security into development pipelines and enforce it throughout the lifecycle of the infrastructure.
“The receptiveness of the developer community towards assuming more security responsibility has been encouraging and a step in the right direction.”
Improving cloud security
Accurics has also recommended managing risk early in the development cycle, by implementing encrypted databases, rotating access keys and multi-factor authentication.
Automated threat modelling is also needed to determine whether changes, such as privilege, increases, and route changes introduce breach paths in a cloud deployment.
In addition, as companies begin to embrace Infrastructure as Code (IaC), codifying security into development pipelines can significantly reduce attack surfaces before the infrastructure is provisioned.
