A recent report published by Orca Security, a provider of tools for scanning cloud workloads, suggests the shared responsibility approach to cloud security is not being embraced as successfully as most organizations would prefer.
Based on an analysis of 2 million scans of 300,000 public cloud assets running on Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), the report finds cloud security lagging: more than 80% of organizations have at least one neglected, internet-facing workload that is either running on an unsupported operating system or has remained unpatched for more than 180 days.
In addition, 60% of organizations have at least one neglected internet-facing workload that has reached its end of life in that it is no longer provided with security updates, the report finds.
The report also finds nearly half of the organizations (49%) have at least one publicly accessible, unpatched web server, while 44% have internet-facing workloads containing secrets and credentials that include clear-text passwords, application programming interface (API) keys and hashed passwords that could facilitate lateral access across a cloud environment.
Almost a quarter (24%) have at least one cloud account that doesn’t use multi-factor authentication for the super admin user, while 19% have cloud assets that are accessible via non-corporate credentials.
Alas, the report suggests workloads that don’t face the internet are in not much better shape. More than three-quarters (77%) of organizations have at least 10% of their internal workloads in a neglected security state.
Orca Security CEO Avi Shua said despite advances in DevSecOps, there remains a clear need for segregation of responsibilities between cybersecurity teams and developers. Mistakes will always be made, he said, so cybersecurity professionals will also need to verify that the right controls have been implemented.
The challenge is achieving that goal at a time when cybersecurity teams are chronically short of staff and the number of workloads being deployed in the cloud is exponentially increasing. IT organizations need to define a process that automates as much cloud security verification as possible, Shua noted.
Most of the cloud security concerns organizations have are little to do with the infrastructure provided by the cloud service provider. Rather, they arise because developers rely on templates to automate the configuration of cloud services that, for example, result in ports being left open or application secrets exposed. In theory, at least, developers are assuming more responsibility for implementing security controls as part of the shift left toward DevSecOps best practices. In practice, however, the ability of developers to consistently implement those controls remains uneven at best.
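The automated verification Shua calls for, and the misconfigurations the paragraph above describes, can be expressed as a policy check over a workload inventory. The script below is an added illustration, not code from Orca Security or the report: it applies the report's own criteria for a "neglected" workload (unsupported OS, unpatched for more than 180 days, exposed secrets) to a constructed, hypothetical inventory and separates internet-facing findings from internal ones.

```python
from dataclasses import dataclass
from datetime import date

# Threshold taken from the report's definition of a neglected workload.
UNPATCHED_DAYS = 180

@dataclass
class Workload:
    name: str
    internet_facing: bool
    os_supported: bool           # False = unsupported / end-of-life OS
    last_patched: date
    exposed_secrets: tuple = ()  # e.g. ("cleartext_password", "api_key")

def neglect_reasons(w: Workload, today: date) -> list:
    """Return the reasons a workload counts as neglected; empty list if none."""
    reasons = []
    if not w.os_supported:
        reasons.append("unsupported-os")
    if (today - w.last_patched).days > UNPATCHED_DAYS:
        reasons.append("unpatched>180d")
    if w.exposed_secrets:
        reasons.append("secrets:" + ",".join(w.exposed_secrets))
    return reasons

def verify_inventory(workloads, today: date) -> dict:
    """Group neglected workloads by exposure; internet-facing ones are the urgent set."""
    report = {"internet_facing": {}, "internal": {}}
    for w in workloads:
        reasons = neglect_reasons(w, today)
        if reasons:
            bucket = "internet_facing" if w.internet_facing else "internal"
            report[bucket][w.name] = reasons
    return report

def internal_neglect_share(workloads, today: date) -> float:
    """Fraction of internal workloads that are neglected (the report's 10% metric)."""
    internal = [w for w in workloads if not w.internet_facing]
    if not internal:
        return 0.0
    return sum(1 for w in internal if neglect_reasons(w, today)) / len(internal)

# Constructed sample inventory: hypothetical hosts, not data from the report.
SAMPLE = [
    Workload("web-01", True, True, date(2019, 12, 20), ("cleartext_password",)),
    Workload("web-02", True, False, date(2020, 6, 1)),
    Workload("api-01", True, True, date(2020, 6, 20)),
    Workload("db-01", False, True, date(2019, 12, 1)),
    Workload("cache-01", False, True, date(2020, 6, 15)),
]
TODAY = date(2020, 7, 1)  # fixed reference date so the results are reproducible

if __name__ == "__main__":
    print(verify_inventory(SAMPLE, TODAY))
    print(f"internal neglected share: {internal_neglect_share(SAMPLE, TODAY):.0%}")
```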
For better or worse, the rate at which application workloads are being deployed in the cloud is not going to slow anytime soon, especially in the wake of the economic downturn brought on by the COVID-19 pandemic. Like it or not, many cybersecurity teams will need to come to terms with the fact that even as developers become more security conscious, there will always be a need to, as one famous U.S. president once noted, trust but verify.