Misconfigurations are often introduced by cloud users, either through their own actions or through failure to implement the controls available to them; they are often left unremedied even when known, and when they are fixed, the fix takes too long.
Cloud Security Posture Management (CSPM) firm Aqua Security has analyzed the anonymized cloud configuration data of hundreds of its clients over a period of 12 months. The intent was to discover the size of the cloud misconfiguration problem, and the response from industry to known issues.
For its analysis, Aqua separated the group into SMBs (who used Aqua to scan up to just a few hundred cloud resources) and enterprises (who scanned anything from a few hundred to a few hundred thousand cloud resources). In general, and probably as a reflection of resources, it found that smaller companies fixed fewer of the known issues over the 12-month period, but did so at a faster rate than enterprises. Less than 1% of enterprises fixed all misconfiguration issues, while 8% of SMBs did so.
The size of the problem remains disturbing, despite all the warnings over the last few years. In January 2020, the NSA called misconfiguration the most common cloud vulnerability, which it described as having high prevalence but requiring low attacker sophistication.
Aqua found (PDF) that more than 50% of organizations receive alerts about misconfigured services with all ports open to anyone with internet access – but only 68% of those issues were fixed, taking an average of 24 days. More than 40% of the organizations had at least one misconfigured Docker API, which took an average of 60 days to fix.
It suggests that organizations, prompted into a move into the cloud by both the competitive need for business transformation and the rapid growth of remote working caused by the COVID-19 pandemic, have an underlying lack of understanding of IaaS and PaaS infrastructures in the cloud.
Partly, suggests Aqua, this is caused by the changing business processes that accompany a move into the cloud. “Cloud-native applications improve agility by giving more people access to define the environment, but we see many organizations move away from a centralized approach to security,” said Assaf Morag, lead data analyst with Aqua’s Nautilus research team. “The traditional model of permitting only a small, highly skilled team of security practitioners to make all configuration changes has given way to a modern, decentralized approach. Development teams are making configuration decisions or applying services, and that can have dramatic implications for the security posture of an organization’s production environment.”
This may also be the underlying cause behind the vast number of exposed data-containing storage buckets left in the cloud. The most publicly visible cloud misconfiguration issue occurs when a data owner leaves data in storage that is open to the internet. We learn of new examples weekly. In fact, most major cloud service providers (CSPs) set the initial storage default to ‘private’, but this is frequently changed by the user to “0.0.0.0/0,” “::/0,” (any IPv4 or IPv6 source) or all protocols and ports, presumably to improve ease of use. This may happen when one developer spins up something like an S3 bucket, but decides they must open access to other remote developers – and in attempting to do so, opens access for everyone.
Two of the mitigations for misconfigurations recommended by the NSA are improved access control (including the enforcement of MFA, least privilege and zero trust), and encryption. Aqua’s survey report examined both areas.
Encryption of data at rest is a service provided by the major CSPs. In AWS it must be enabled by the user, while Google Cloud Services and Azure provide it by default. Some companies simply don’t enable it, while other companies actively disable it. Aqua found that when this was reported as an issue, all organizations enabled or restored encryption – but it took an average of three months to implement the change.
Misconfigured access control is one of the biggest problems in cloud usage, and one of the most difficult to prevent. It cannot be solved by the cloud provider alone: of necessity, on first access to a new cloud resource, the user is a superuser with maximum privileges. The CSP provides the controls necessary to implement many of the NSA’s recommendations, but too many companies fail to use them.
Aqua found that 60.8% of organizations had MFA disabled, and only 38.8% remediated the issue, taking an average of 65.2 days to do so. Nearly 18% had a deviation from the principle of least privilege, with only 40.7% of them correcting the issue in an average of 55.8 days. Unused credentials are an even bigger problem, involving 88.2% of organizations. This was remediated by a higher number of companies (73.3%), but they took an average of 76.3 days to do so.
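The misconfiguration classes the report counts (ingress open to 0.0.0.0/0 or ::/0 on all ports, an internet-exposed Docker API, encryption at rest disabled, MFA disabled, unused credentials) are the kind of checks a CSPM tool runs over an inventory. The following is an added illustration, not Aqua's code and not from the report: it evaluates those checks against a constructed sample inventory and computes the two figures the report tabulates, the share of findings fixed and the mean days to fix. The inventory layout, the 90-day staleness threshold and the Docker daemon TCP ports (2375/2376) are assumptions; a rule allowing only HTTPS from the world is deliberately not flagged.

```python
from datetime import date

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # "anyone on the internet", IPv4 and IPv6
DOCKER_API_PORTS = {2375, 2376}       # Docker daemon TCP API ports (assumed check)

# Constructed sample inventory (not real customer data) covering the
# misconfiguration classes discussed in the report.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"cidr": "0.0.0.0/0", "proto": "tcp", "from": 443, "to": 443}]},
        {"id": "sg-all", "rules": [{"cidr": "::/0", "proto": "-1", "from": 0, "to": 65535}]},
        {"id": "sg-docker", "rules": [{"cidr": "0.0.0.0/0", "proto": "tcp", "from": 2375, "to": 2375}]},
    ],
    "buckets": [{"name": "logs", "encrypted": False}, {"name": "assets", "encrypted": True}],
    "users": [
        {"name": "alice", "mfa": True, "last_used": "2021-05-01"},
        {"name": "bob", "mfa": False, "last_used": "2021-01-10"},
    ],
}

def find_misconfigurations(inventory, today_iso, stale_days=90):
    """Return (check, resource) pairs for each posture issue found in the inventory."""
    today = date.fromisoformat(today_iso)
    findings = []
    for sg in inventory["security_groups"]:
        for r in sg["rules"]:
            if r["cidr"] not in WORLD_CIDRS:
                continue  # scoped to a specific source range; not an exposure to everyone
            all_ports = r["proto"] == "-1" or (r["from"] == 0 and r["to"] == 65535)
            if all_ports:
                findings.append(("open_all_ports", sg["id"]))
            if any(r["from"] <= p <= r["to"] for p in DOCKER_API_PORTS):
                findings.append(("docker_api_exposed", sg["id"]))
    for b in inventory["buckets"]:
        if not b["encrypted"]:
            findings.append(("encryption_at_rest_off", b["name"]))
    for u in inventory["users"]:
        if not u["mfa"]:
            findings.append(("mfa_disabled", u["name"]))
        if (today - date.fromisoformat(u["last_used"])).days > stale_days:
            findings.append(("unused_credential", u["name"]))
    return findings

def remediation_stats(tickets):
    """Share of findings fixed and mean days from detection to fix, as the report tabulates them."""
    fixed = [t for t in tickets if t["fixed"]]
    if not fixed:
        return 0.0, None
    days = [(date.fromisoformat(t["fixed"]) - date.fromisoformat(t["opened"])).days for t in fixed]
    return len(fixed) / len(tickets), sum(days) / len(days)

if __name__ == "__main__":
    for check, resource in find_misconfigurations(INVENTORY, "2021-06-01"):
        print(f"{check:24} {resource}")
```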
It is clear that companies moving into or expanding their use of cloud services need to do so in a more controlled manner. It is somewhat shocking – although Aqua doesn’t say this – that many organizations that go to the trouble and expense of engaging a cloud security posture management firm to unearth security issues frequently, at worst, ignore the issues reported and, at best, take a long time to remediate them.
“Whether an organization adopts a single or multi-cloud environment, it must be proactive in monitoring for and fixing service configuration issues that can unnecessarily expose it to threats,” said Ehud Amiri, Senior Director of Product Management. “Failure to do so will inevitably result in damage that can be much greater than the traditional OS or on-premises workloads.”
Aqua Security was founded in Ramat Gan, Tel Aviv, Israel in 2015 by Amir Jerbi (CTO) and Dror Davidoff (CEO). It achieved ‘unicorn’ status in March 2021 when it raised $135 million in a series E funding round.