Dive Brief:
- Companies leveraging DevOps are using almost 200,000 "insecure templates" for infrastructure as code (IaC), according to research from Palo Alto Networks' threat intelligence team Unit 42. Of the three most common templates — Terraform, CloudFormation and K8s YAML — CloudFormation is the most vulnerable.
- Though encryption falls under various compliance standards, such as the Payment Card Industry Data Security Standard and HIPAA, 43% of databases are left unencrypted. Sixty percent of cloud storage services have logging disabled, so there is no record of who accessed the environment. Consistent records of storage activity play a role in measuring the "scale of the damage" in a cloud-based event, according to the report.
- The majority of cloud workloads and organizations leave Secure Shell (SSH) or Remote Desktop Protocol (RDP) exposed, 76% and 69%, respectively. Unit 42 researchers suggest using alternatives, including Microsoft Azure Bastion, for securing SSH and RDP connectivity.
Dive Insight:
A single misconfigured template could leave an entire cloud environment compromised.
"IaC is simply a way of describing cloud infrastructure in code instead of creating it manually. I.e., no more point and click," Matt Chiodi, CSO of public cloud at Palo Alto Networks, told CIO Dive.
Despite the security implications, IaC mostly falls under the purview of the CIO or CTO, not the security organization. Companies that centrally monitor cloud configurations create a shared view that both the CIO and the CISO can draw from.
Existing templates have "infinite" uses, giving the cloud infrastructure continuity and consistency. However, that power is also a weakness if a misconfiguration exists, said Chiodi: the flaw is reproduced every time the template is deployed. Cloud-native security platforms perform health scans of templates, checking for flaws before production.
To maintain a template's "integrity" or prevent outside manipulation, organizations can use role-based access controls and version controls.
Companies need a way to establish "guardrails" for preventing cloud misconfigurations. "Always ask yourself, 'what are the configurations and misconfigurations that should never exist in our cloud environment?'" said Chiodi. Asking those types of questions shifts a security organization's mindset to a more adversarial one.
DevOps teams are leveraging cloud-enabled speed to "spin up cloud workloads and infrastructure" without sufficient security input, Chiodi said. Encryption and cloud logging are not commonly on the DevOps teams' task list.
Exposed workloads and services like SSH and RDP are "extremely risky" because of bad actors' penchant for unauthorized remote administrative cloud access. Chiodi recommends limiting access to "legitimate use cases" for remote administration and to specific network ranges, such as administrative-only networks or individual systems.
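The pre-production template scan and "guardrail" questions described above can be reduced to a small policy check run over the template before it is deployed. The following is an added example, not Palo Alto Networks' tooling or anything from the Unit 42 report: it parses a CloudFormation template in JSON form and flags the three misconfiguration classes the article names (unencrypted databases and storage, storage with logging disabled, and SSH or RDP open to the whole internet). Both templates, the resource names and the check labels are constructed for illustration; the CloudFormation property names (`BucketEncryption`, `LoggingConfiguration`, `StorageEncrypted`, `SecurityGroupIngress`) are the real ones.

```python
"""Minimal IaC guardrail scan for a CloudFormation template (JSON form).

Added example, not the report's or Palo Alto's code. It checks the three
misconfiguration classes the Unit 42 findings describe:
  * storage / database resources without encryption
  * storage resources with no access logging
  * security groups exposing SSH (22) or RDP (3389) to 0.0.0.0/0 or ::/0
"""
import json
from typing import Any, Dict, List

# Constructed weak template (illustration only): an S3 bucket with neither
# encryption nor logging, an unencrypted RDS instance, and a security group
# that opens SSH to the world while RDP is limited to an internal range.
WEAK_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"BucketName": "example-data"}},
        "AppDb": {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"Engine": "postgres", "StorageEncrypted": False}},
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
            ]}},
    },
})

# Constructed corrected template: same resources with encryption and logging
# enabled and SSH restricted to an administrative-only range.
HARDENED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketName": "example-data",
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            "LoggingConfiguration": {"DestinationBucketName": "example-access-logs"}}},
        "AppDb": {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"Engine": "postgres", "StorageEncrypted": True}},
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.1.0.0/24"},
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
            ]}},
    },
})

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def _open_to_world(rule: Dict[str, Any]) -> bool:
    """True if the ingress rule's source is the whole IPv4 or IPv6 internet."""
    return (rule.get("CidrIp") or rule.get("CidrIpv6")) in ANY_CIDR


def _covers_port(rule: Dict[str, Any], port: int) -> bool:
    """True if the rule's protocol/port range includes the given TCP port."""
    if str(rule.get("IpProtocol")) == "-1":  # "-1" means all protocols/ports
        return True
    try:
        return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))
    except (TypeError, ValueError):
        return False


def scan_template(template_text: str) -> List[Dict[str, str]]:
    """Return one finding per violated guardrail, tagged with the resource name."""
    findings: List[Dict[str, str]] = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append({"resource": name, "check": "storage-unencrypted"})
            if "LoggingConfiguration" not in props:
                findings.append({"resource": name, "check": "storage-logging-disabled"})
        elif rtype == "AWS::RDS::DBInstance":
            if not props.get("StorageEncrypted", False):
                findings.append({"resource": name, "check": "database-unencrypted"})
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if not _open_to_world(rule):
                    continue
                for port, label in ADMIN_PORTS.items():
                    if _covers_port(rule, port):
                        findings.append({"resource": name, "check": f"{label}-exposed-to-internet"})
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, json.dumps(scan_template(text), indent=2))
```

Running the script reports four findings for the weak template (bucket unencrypted, bucket logging disabled, database unencrypted, SSH open to the internet; the RDP rule is scoped to an internal range and so passes) and none for the hardened one. A real gate would run the same check in CI against every template change and fail the build on any finding, which is the "never exist in our cloud environment" guardrail expressed as code rather than as a review step.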