Cloud misconfiguration still a big security problem, report finds
New research by infrastructure-as-code provider Accurics Inc. has found that poorly configured and managed cloud services – mostly resulting from the use of default security profiles or overly permissive configurations – continue to threaten the security of cloud development projects.
The research indicates that the misconfiguration issues that created headlines two years ago following numerous incidents of data being left exposed on public-facing servers have yet to be resolved.
At issue are default security settings, which vary by cloud platform. Developers can easily overlook the need to change those defaults, or they can make changes at the runtime level that conflict with the configuration defined at the IaC layer, leaving an opening for attack. Accurics conducted the research by scanning more than 1,800 security policies of cloud instances managed by its own products and open source configuration managers.
The findings – which have changed little since the company released its first report nearly a year ago – indicate that organizations still have work to do training their developers in the security nuances of IaC, an increasingly popular approach to running enterprise cloud environments that uses scripts to automate processes that were previously done by hand. Automation improves efficiency by allocating resources according to demand, but it also introduces risk because scripts can’t anticipate every potential failure and breach scenario.