Skip to main content
close search
site logo
Dive Brief

Insecure cloud coding templates run rampant, research finds

Published Feb. 5, 2020
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Fotolia

Dive Brief:

  • Companies leveraging DevOps are using almost 200,000 "insecure templates" for infrastructure as code (IaC), according to research from Palo Alto Networks' threat intelligence team Unit 42. Of the three most common templates — Terraform, CloudFormation and K8s YAML  CloudFormation is the most vulnerable.​
  • Though encryption falls under various compliance standards, such as Payment Card Industry Data Security Standard and HIPPA, 43% of databases are left unencrypted. Sixty-percent of cloud storage services have disabled logging records for tracking who accessed the environment. Consistent records of storage activities play a role in measuring "scale of the damage" in a cloud-based event, according to the report. 
  • The majority of cloud workloads and organizations leave Secure Shell (SSH) or Remote Desktop Protocol (RDP) exposed, 76% and 69%, respectively. Unit 42 researchers suggest using alternatives, including Microsoft Azure Bastion, for securing SSH and RDP connectivity. 

Dive Insight:

A single misconfigured template could leave an entire cloud environment compromised. 

"IaC is simply a way of describing cloud infrastructure in code instead of creating it manually. I.e., no more point and click," Matt Chiodi, CSO of public cloud at Palo Alto Networks, told CIO Dive. 

Despite the security implications, IaC mostly falls under the purview of the CIO or CTO, not the security organization. Companies using central monitoring for cloud configurations creates a space for the CIO and CISO to draw from. 

Existing templates have "infinite" uses, giving the cloud infrastructure continuity and consistency. However, its power is also a weakness if a misconfiguration exists, said Chiodi. Cloud-native security platforms perform health scans of templates, checking for flaws before production. 

To maintain a template's "integrity" or prevent outside manipulation, organizations can use role-based access controls and version controls. 

Companies need a way to establish "guardrails" for preventing cloud misconfigurations. "Always ask yourself, 'what are the configurations and misconfigurations that should never exist in our cloud environment?'" said Chiodi. Asking those types of questions shifts a security organization's mindset to a more adversarial one. 

DevOps teams are leveraging cloud-enabled speed to "spin up cloud workloads and infrastructure" without sufficient security input, Chiodi said. Encryption and cloud logging are not commonly on the DevOps teams' task list. 

Exposed workloads and services like SSH and RDP are "extremely risky" because of bad actors' penchant for unauthorized remote administrative cloud access. Chiodi recommends a limited access scope for "legitimate use cases" in remote administration and network ranges, such as administrative-only or individual systems.

Filed Under: Cloud, Security

Editors' picks

Company Announcements

View all | Post a press release
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Cloud
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell