Research suggests that automation can cut down on cloud control plane compromises

Policy as code approach counters 'cloud native' security risks

So-called ‘cloud native’ IT architectures are creating new threats for organizations, just as they look to update their technology infrastructure, security researchers have warned.

Over half of developers and security professionals expect the risks to their organizations to increase over the next year, according to research from developer security tools vendor Snyk. The drivers include cloud-native threats and, especially, control plane compromises.

Other potential problems include misconfigured cloud resources, as well as compromised credentials.

DON’T MISS CI/CD servers readily breached by abusing SCM webhooks, researchers find

Speaking at the recent International Cyber Expo in London, Ashish Rajan, principal cloud security advocate at Snyk, explained that security breaches are no longer only about data. Increasingly, criminal groups are also looking to steal or expose credentials, including cloud infrastructure credentials.

Rajan cited the recent breach at ride-hailing company Uber, which used social engineering as part of an attack that ultimately succeeded in gaining access to the company’s credentials for Amazon Web Services and Google Workspace.

“It’s not just a breach, a release of records, they also shared the AWS and Google Cloud credentials on the internet as well,” he said. “We are actually talking about data breaches creeping into our cloud environment or even broader production environments as well.”

Credentials targeted

Attackers are searching for credentials for cloud services by searching for ‘open S3 buckets’, blob storage or other open storage sites, as well as GitHub repositories, SSH [Secure Shell] and SSL vulnerabilities, and even posts by developers on sites such as Stack Overflow. “People are finding easier targets,” Rajan said.

This is forcing developers to pay more attention to both application security and cloud security, the speaker argued. Although organizations and their developers increasingly understand the need for application security, cloud security is too often treated separately rather than as part of the same problem, he asserted.

“In my previous company, we had a product security team and we had cloud people. But they weren’t on the same team. It didn't make sense. We were still protecting this one application,” said Rajan.

rrerwDevelopers often rely too heavily on the cloud provider’s security measures, says Snyk’s Ashish Rajan

Cloudy with a chance of breaches

And the situation is made more difficult still by the ‘shared responsibility’ model of cloud security. Too often, contended Rajan, developers and their managers rely on the cloud provider’s security measures, rather than ensuring that their infrastructure and code is secure.

According to Snyk’s 2022 State of Cloud Security Report, 80% of organizations experienced a “serious cloud sec incident” during the past year. Of those, 33% suffered a cloud data breach, and 26% a cloud data leak. A further 27% detected an intrusion into their environment.

Catch up on the latest DevSecOps-related news and analysis

The research also found that companies that use the cloud to host applications that had migrated from a data center were the most likely to report serious cloud security incidents: 89% did so during the past year.

That was higher than the total for organizations using the cloud to build and run in-house applications (73%) or those hosting third-party applications (78%).

Infrastructure as code

To counter this, Rajan suggests that developers should follow five fundamentals of cloud security. These are knowing the operating environment, focusing on prevention and secure design, empowering developers, using policy as code to align with security requirements and automate compliance, and ensuring security teams are “measuring what matters”.

To adhere to these fundamentals, organizations should be looking to ’shift left’ and build in security checks earlier in a project’s timeline. Firms should map out a cloud secure development lifecycle, using infrastructure as code (IaC) tools and CI/CD pipelines. And organizations can take this a step further by defining security policies within IaC.

This, Rajan said, removes, or at least reduces, one of the most common causes of cloud security failures: human error.

“What's the policy look like? Can I define the policy as IaC? That's where a lot of people have found that you can reduce credentials being leaked or over-privilege, or misconfiguration of resources, as well as having identity not in control,” he said. Policy as code allows organizations to apply their security rules, whether they use a single cloud platform, or two or even three, added Rajan.

RELATED Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover