A new report finds nearly a quarter (23%) of all the security policy violations involved managed service offerings provided by Amazon Web Services (AWS), Microsoft and Google. The violations were discovered during approximately 9,000 scans conducted by Accurics.
Accurics, provider of a tool for scanning infrastructure-as-code (IaC) environments, also found that, on average, the mean time to resolution (MTTR) for security policy violations was 24.9 days, with MTTR for production and pre-production environments spanning 21.8 and 31.2 days, respectively.
IT organizations, however, do better when it comes to identifying drift in runtime environments from security policies after a cloud service has been configured. The average MTTR for drifts is 7.7 days overall, with production environments at 4.9 days and pre-production environments at 8.6 days.
Jon Jarboe, developer advocate for Accurics, said the root cause of the security policy violations primarily stems from developers using tools such as Terrascan and Helm to configure cloud services. The scans conducted by Accurics are based on a library of more than 1,800 compliance and security policies that Accurics has curated and which are misconfigured, Jarboe added.
Given the number of issues discovered by the scan, it’s apparent that much work remains to be done in terms of educating developers on how to implement DevSecOps best practices. For example, more than a third (35%) of the drifts from settings created by access management (IAM) tools can also be traced back to tools that enable developers to manage infrastructure-as-code.
Other notable issues the scan discovered include hardcoded secrets that represent almost 10% of violations identified, with 23% of those corresponding to poorly configured managed services offerings.
The report also finds 35% of organizations using Helm to configure Kubernetes clusters on cloud services often fail to define role-based access controls (RBAC) at a granular level. Nealy half (48%) of Helm charts issues involved insecure defaults, such as improper use of the default namespace.
Finally, the report also notes that more complicated a cloud service, the longer it took to remediate issues. A load-balancing service, on average, takes 149 days to remedy.
Jarboe said while cloud service providers are mainly focused on making their platforms as accessible as possible, that capability most often comes at the expense of security. The report suggests cybersecurity teams need to monitor how any additional cloud services are employed. The report notes 51% of respondents using or evaluating serverless computing frameworks in production, with another 14% planning to use it within 12 months.
In theory, developers are assuming more responsibility for security as part of the overall shift left enabled by the adoption of DevSecOps best practices. Most developers, however, still don’t have access to the tools and training required to implement DevSecOps best practices consistently. As a result, software supply chains involving cloud services remain highly vulnerable.
Organizations are generally interested in increasing overall developer productivity by enabling them to configure infrastructure-as-code. In practice, those tools are making it possible for developers to create potential security issues at an alarming rate. More troubling still, Jarboe noted, the level of drift from security policies suggests change management issues are not being addressed in a meaningful way.
Cybersecurity teams have essentially emerged as the proverbial fire brigade that, as always, hopes to discover and remediate issues before there is a breach. Unfortunately, given the sheer number of security policy violations now regularly occurring in the cloud, the odds of a major cloud security breach are getting shorter with each new application deployment.