Accurics, the cloud cyber resilience specialist, released the latest edition of its "Accurics State of DevSecOps" report a few months ago. The report highlighted emerging security challenges as organizations adopt cloud native technologies. To better understand and find out more about these challenges and the security best practices to address them, VMblog reached out to industry expert, Om Moolchandani, co-founder and CTO of Accurics.
VMblog: The latest edition of the "Accurics State of DevSecOps" report highlights multiple
causes of risk. Can you give us some standout findings?
Om Moolchandani: What may be most distressing about the research report
is how little seems to change from one report to the next. Since the previous
one was released a few months prior, there's been a by-now-routine slew of cloud
data breaches: thousands of GBs of PII from dating apps, fitness brands,
payment software programs and more.
Even more worrisome is the certainty that problems will get
worse before they get better. The research found misconfigured cloud storage
services common in the vast majority of cloud deployments analyzed (up to a
staggering 93%), while most deployments also had at least one network exposure
through a security group left wide open. These two practices alone have been at
the center of over 200 breaches that
exposed 30 billion records in the past two years.
Further, despite the availability of popular tools
such as HashiCorp Vault and AWS Key Management Service (KMS), hardcoded private keys
were found in 72% of deployments. Half had unprotected credentials stored in
container configuration files, a major source of concern since 84% of
organizations use containers, with keys and credentials that could be
misappropriated. Finally, 31% of organizations have unused resources, which
could go undetected during security assessments.
The research also found that breach paths are
prevalent. For example, most organizations had hardcoded keys in their
configurations, but 41% had one or more hardcoded keys with high privileges
used to provision compute resources; a breach involving these keys will expose
all resources associated with them. Overly permissive IAM policies also
threatened most deployments, and while there may have been legitimate reasons
for the elevated privileges for a particular cloud resource, most organizations
failed to assess the downstream impact on other resources using the policies.
Earlier this year, Accurics' researchers determined that 90% of
organizations allow users to make changes to cloud native infrastructure in
runtime. So even if organizations exercise strong security hygiene when cloud
native infrastructure is initially defined, drifts in runtime will create
exposures over time.
Without Remediation as Code,
only 6% of issues causing risk are addressed. Organizations are embracing tools
to automatically detect risks, but risk resolution remains a largely manual
process, resulting in alert fatigue.
VMblog: Despite enterprises devoting significant resources to cloud
security, why are these issues still occurring?
Moolchandani: There are two main reasons. First, development velocity is
outpacing security velocity. Developers programmatically build and provision
infrastructure, but security teams are manually mitigating issues in runtime.
The unfortunate reality is that cloud breaches will continue to occur as long
as development velocity outpaces security velocity.
Second, operations teams make changes to cloud native
infrastructure in runtime, but security teams lack the necessary context on the
changes. Even when security teams detect an issue, they have to triage it
manually, which is not scalable.
VMblog: How should enterprises redesign security as cloud native
infrastructure such as containers, serverless, and service mesh become mainstream?
Moolchandani: Optimal cyber resilience mandates a fundamentally new
approach that enables self-healing by codifying security throughout the development lifecycle. This involves two principles:
- Risks in Infrastructure
as Code (IaC) must be programmatically detected and resolved before infrastructure is
provisioned, and the IaC must be established as a secure baseline.
- Cloud native
infrastructure must be continually monitored in runtime to identify any
changes and assess risk, so the secure posture can be maintained by
programmatically mitigating risks in the IaC.
VMblog: What are some methods to detect risk in cloud native
architectures?
Moolchandani: Automatically detecting policy violations and threats
across constantly changing cloud native infrastructure sounds vital but runs
the risk of creating alert fatigue. Moreover, detecting issues without
providing a way for them to be resolved only shifts the 'noise' (alert fatigue)
from runtime to development.
Organizations should detect policy violations based on
compliance standards or established security best practices such as CIS
Benchmarks, PCI DSS, HIPAA and others. Additionally, they should perform threat
modeling to identify breach paths and help prioritize fixes for high severity
violations. These are all capabilities enabled by Accurics.
The Accurics platform connects to code
repositories and scans IaC to detect risks based on violations against common
policy frameworks, as well as threat modeling to identify potential breach
paths. Developers can then be alerted about issues via integrations with
existing notification tools such as Slack, Jira, and email. The code to
remediate the issues is checked into the repository; developers only need to
review and merge the code to the main branch to resolve the issues. The
platform can also be configured to override the risky code with the
auto-generated code during the CI/CD phase to automatically mitigate risks.
Automation of detection and response of risks in cloud infrastructure enables
security at the speed of DevOps. Once all issues have been resolved in the
code, a secure baseline is established and the attack surface is significantly
reduced before cloud infrastructure is provisioned. The cloud infrastructure
must be monitored for changes in runtime, and policy-based checks as well as
threat modeling should be leveraged to detect and resolve risks.
VMblog: Risk detection must be paired with resolution - how should
organizations approach the latter?
Moolchandani: Resolution must be programmatic. When a policy violation
occurs or a breach path is identified, the issue must be flagged, and code
should be automatically generated to resolve it, then provided to the developer
for review through existing development workflows.
The Accurics platform helps here too. It checks the
remediation code into the repository as a pull request, after which the
appropriate developer receives notifications via existing workflow tools. They
then review the request and merge the change into their master branch to accept
it. The platform can also be configured to override the risky code with the
auto-generated code during the CI/CD phase to automatically mitigate risks.
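As an added example of the "detect in IaC, then generate the fix as a reviewable change" workflow described in the two principles and the last two answers, here is a toy scanner and remediator written for this page. It is not Accurics' code and not a real rule set; it reads Terraform's JSON syntax (.tf.json) so no HCL parser is needed, and the rule identifiers, the `var.admin_cidr` variable it introduces and the `main.tf.json` file name in the generated patch are all hypothetical. The sample configuration is constructed for the example and deliberately contains a hardcoded provider credential, an SSH port open to 0.0.0.0/0, and a public bucket ACL.

```python
"""Toy IaC detect-and-remediate pass (added example, not Accurics' code).

Input: a dict parsed from Terraform JSON syntax (.tf.json).
Output: findings, a fixed copy of the config, and a unified diff a developer
could review as a pull request. Rule IDs and var names are hypothetical.
"""
import copy
import difflib
import json
import re

# Constructed sample with three deliberate problems.
SAMPLE_CFG = {
    "provider": {"aws": {
        "region": "us-east-1",
        "access_key": "AKIAIOSFODNN7EXAMPLE",                     # hardcoded key
        "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},
    "resource": {
        "aws_security_group": {"ssh": {
            "name": "ssh",
            "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"]}],         # world-reachable SSH
            "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                        "cidr_blocks": ["0.0.0.0/0"]}]}},
        "aws_s3_bucket": {"logs": {"bucket": "example-logs",
                                   "acl": "public-read"}},       # public bucket
    },
}
SAMPLE_TF_JSON = json.dumps(SAMPLE_CFG, indent=2, sort_keys=True)

AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
ADMIN_PORTS = (22, 3389)


def scan(cfg):
    """Return (rule_id, location, message) findings for a parsed .tf.json dict."""
    findings = []
    # Rule 1: static credentials in a provider block (a "${var...}" reference is fine).
    for name, prov in cfg.get("provider", {}).items():
        for field in ("access_key", "secret_key"):
            val = prov.get(field)
            if isinstance(val, str) and not val.startswith("${") and (
                    field == "secret_key" or AWS_ACCESS_KEY_RE.search(val)):
                findings.append(("HARDCODED_CREDENTIAL", f"provider.{name}.{field}",
                                 "static credential committed to IaC"))
    res = cfg.get("resource", {})
    # Rule 2: an admin port reachable from any IPv4 address.
    for sg_name, sg in res.get("aws_security_group", {}).items():
        for i, rule in enumerate(sg.get("ingress", [])):
            lo, hi = int(rule["from_port"]), int(rule["to_port"])
            if "0.0.0.0/0" in rule.get("cidr_blocks", []) and any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(("SG_ADMIN_PORT_OPEN",
                                 f"resource.aws_security_group.{sg_name}.ingress[{i}]",
                                 "admin port open to 0.0.0.0/0"))
    # Rule 3: a bucket ACL that grants public access.
    for b_name, b in res.get("aws_s3_bucket", {}).items():
        if str(b.get("acl", "private")).startswith("public"):
            findings.append(("S3_PUBLIC_ACL", f"resource.aws_s3_bucket.{b_name}.acl",
                             "bucket ACL is public"))
    return findings


def remediate(cfg, findings):
    """Return a deep copy of cfg with every finding fixed; the original is untouched."""
    fixed = copy.deepcopy(cfg)
    for rule_id, loc, _ in findings:
        if rule_id == "HARDCODED_CREDENTIAL":
            _, prov, field = loc.split(".")
            # Drop the literal; the provider then falls back to env vars or an instance role.
            fixed["provider"][prov].pop(field, None)
        elif rule_id == "SG_ADMIN_PORT_OPEN":
            m = re.match(r"resource\.aws_security_group\.(\w+)\.ingress\[(\d+)\]", loc)
            rule = fixed["resource"]["aws_security_group"][m.group(1)]["ingress"][int(m.group(2))]
            # Replace the wildcard with a variable the reviewer must set (hypothetical name).
            rule["cidr_blocks"] = ["${var.admin_cidr}" if c == "0.0.0.0/0" else c
                                   for c in rule["cidr_blocks"]]
            fixed.setdefault("variable", {})["admin_cidr"] = {
                "type": "string", "description": "CIDR allowed to reach admin ports"}
        elif rule_id == "S3_PUBLIC_ACL":
            fixed["resource"]["aws_s3_bucket"][loc.split(".")[2]]["acl"] = "private"
    return fixed


def remediation_patch(tf_json_text):
    """Scan a .tf.json document and return (findings, unified diff of the proposed fix)."""
    cfg = json.loads(tf_json_text)
    findings = scan(cfg)
    fixed_text = json.dumps(remediate(cfg, findings), indent=2, sort_keys=True)
    patch = "".join(difflib.unified_diff(
        (tf_json_text + "\n").splitlines(True), (fixed_text + "\n").splitlines(True),
        "a/main.tf.json", "b/main.tf.json"))
    return findings, patch


if __name__ == "__main__":
    found, diff = remediation_patch(SAMPLE_TF_JSON)
    for f in found:
        print("%-22s %-55s %s" % f)
    print(diff)
```

The interesting check is the second `scan` call in the test: running the rules again over the remediated copy must return nothing, which is the "secure baseline" condition the interview describes. Note that the credential fix removes the literal rather than swapping in another value, so the developer reviewing the patch still has to decide where the provider gets its credentials from.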