VMblog Expert Interview: Om Moolchandani of Accurics Talks Research Findings, Cloud Native Infrastructure Risks and Security Best Practices
Accurics, the cloud cyber resilience specialist, released the latest edition of its "Accurics State of DevSecOps" report a few months ago.  The report highlighted emerging security challenges as organizations adopt cloud native technologies.  To better understand and find out more about these challenges and the security best practices to address them, VMblog reached out to industry expert, Om Moolchandani, co-founder and CTO of Accurics.

VMblog:  The latest edition of the "Accurics State of DevSecOps" report highlights multiple causes of risk.  Can you give us some standout findings?

Om Moolchandani:  What may be most distressing about the research report is how little seems to change from one report to the next. Since the previous one was released a few months prior, there's been a by-now-routine slew of cloud data breaches: thousands of GBs of PII from dating apps, fitness brands, payment software programs and more.

Even more worrisome is the certainty that problems will get worse before they get better. The research found misconfigured cloud storage services common in the vast majority of cloud deployments analyzed (up to a staggering 93%), while most deployments also had at least one network exposure through a security group left wide open. These two practices alone have been at the center of over 200 breaches that exposed 30 billion records in the past two years.

Further, despite the availability of popular tools such as HashiCorp Vault and AWS Key Management Service (KMS), hardcoded private keys were found in 72% of deployments. Half had unprotected credentials stored in container configuration files, a major source of concern since 84% of organizations use containers, with keys and credentials that could be misappropriated. Finally, 31% of organizations have unused resources, which could go undetected during security assessments.

The research also found that breach paths are prevalent. For example, most organizations had hardcoded keys in their configurations, but 41% had one or more hardcoded keys with high privileges used to provision compute resources; a breach involving these keys will expose all resources associated with them. Overly permissive IAM policies also threatened most deployments, and while there may have been legitimate reasons for the elevated privileges for a particular cloud resource, most organizations failed to assess the downstream impact on other resources using the policies.

Earlier this year, Accurics' researchers determined that 90% of organizations allow users to make changes to cloud native infrastructure in runtime. So even if organizations exercise strong security hygiene when cloud native infrastructure is initially defined, drifts in runtime will create exposures over time.

Without Remediation as Code, only 6% of issues causing risk are addressed. Organizations are embracing tools to automatically detect risks, but risk resolution remains a largely manual process, resulting in alert fatigue.

VMblog:  Despite enterprises devoting significant resources to cloud security, why are these issues still occurring?

Moolchandani:  There are two main reasons. First, development velocity is outpacing security velocity. Developers programmatically build and provision infrastructure, but security teams are manually mitigating issues in runtime. The unfortunate reality is that cloud breaches will continue to occur as long as development velocity outpaces security velocity.

Second, operations teams make changes to cloud native infrastructure in runtime, but security teams lack the necessary context on the changes. Even when security teams detect an issue, they have to triage it manually, which is not scalable.

VMblog:  How should enterprises redesign security as cloud native infrastructure such as containers, serverless, and service mesh become mainstream?

Moolchandani:  Optimal cyber resilience mandates a fundamentally new approach that enables self-healing by codifying security throughout the development lifecycle. This involves two principles:

  1. Risks in Infrastructure as Code (IaC) must be programmatically detected and resolved before infrastructure is provisioned, and the IaC must be established as a secure baseline.
  2. Cloud native infrastructure must be continually monitored in runtime to identify any changes and assess risk, so the secure posture can be maintained by programmatically mitigating risks in the IaC.

VMblog:  What are some methods to detect risk in cloud native architectures?

Moolchandani:  Automatically detecting policy violations and threats across constantly changing cloud native infrastructure sounds vital but runs the risk of creating alert fatigue. Moreover, detecting issues without providing a way for them to be resolved only shifts the 'noise' (alert fatigue) from runtime to development.

Organizations should detect policy violations based on compliance standards or established security best practices such as CIS Benchmarks, PCI DSS, HIPAA and others. Additionally, they should perform threat modeling to identify breach paths and help prioritize fixes for high severity violations. These are all capabilities enabled by Accurics.

The Accurics platform connects to code repositories and scans IaC to detect risks based on violations against common policy frameworks, as well as threat modeling to identify potential breach paths. Developers can then be alerted about issues via integrations with existing notification tools such as Slack, Jira, and email. The code to remediate the issues is checked into the repository; developers only need to review and merge the code to the main branch to resolve the issues. The platform can also be configured to override the risky code with the auto-generated code during the CI/CD phase to automatically mitigate risks. Automation of detection and response of risks in cloud infrastructure enables security at the speed of DevOps. Once all issues have been resolved in the code, a secure baseline is established and the attack surface is significantly reduced before cloud infrastructure is provisioned. The cloud infrastructure must be monitored for changes in runtime, and policy-based checks as well as threat modeling should be leveraged to detect and resolve risks.

VMblog:  Risk detection must be paired with resolution - how should organizations approach the latter?

Moolchandani:  Resolution must be programmatic. When a policy violation occurs or a breach path is identified, the issue must be flagged, and code should be automatically generated to resolve it, then provided to the developer for review through existing development workflows.

The Accurics platform helps here too. It checks the remediation code into the repository as a pull request, after which the appropriate developer receives notifications via existing workflow tools. They then review the request and merge the change into their master branch to accept it. The platform can also be configured to override the risky code with the auto-generated code during the CI/CD phase to automatically mitigate risks.
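The workflow described in the interview (scan IaC before provisioning, flag the policy violation, hand the developer remediation code to review) can be illustrated with a small pre-provision gate. The following Python script is an added example and is not code from the original page nor Accurics' own tooling. It reads the JSON form of a Terraform plan (the output of `terraform show -json tfplan`), checks for the three issues the report singles out (a security group open to the world, a storage bucket with a public ACL, a credential hardcoded in resource attributes), and emits for each finding the HCL a developer would review and merge. The sample plan, the resource names, the `var.allowed_ingress_cidrs` and `var.app_secret_arn` variables, and the severity thresholds are all constructed assumptions for the demonstration; the secret values are AWS's published documentation examples, not real keys.

```python
"""Pre-provision policy gate over a Terraform plan (`terraform show -json`)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed sample of a plan document, trimmed to the fields read below.
# Not output from any real deployment; credentials are AWS doc examples.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "name": "web", "values": {"name": "web", "ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 0, "to_port": 0, "protocol": "-1",
              "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "name": "logs", "values": {"bucket": "corp-logs", "acl": "public-read"}},
        {"address": "aws_instance.app", "type": "aws_instance", "name": "app",
         "values": {"ami": "ami-12345678", "user_data":
             "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "name": "db", "values": {"name": "db", "ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/16"]}]}},
    ]}},
})

WIDE_OPEN = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "AWS secret access key": re.compile(r"(?i)aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    address: str      # Terraform resource address the violation sits on
    policy: str       # which rule fired
    severity: str     # HIGH findings block the pipeline, see gate()
    remediation: str  # HCL the developer reviews and merges


def iter_resources(module: dict):
    """Walk planned resources, including those in nested modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def walk_strings(value):
    """Yield every string nested anywhere inside a resource's attribute values."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from walk_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from walk_strings(v)


def check_security_group(res: dict) -> list[Finding]:
    """Flag ingress rules reachable from any address; all-ports rules rank higher."""
    findings = []
    for rule in res["values"].get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not cidrs & WIDE_OPEN:
            continue
        all_ports = rule.get("protocol") == "-1" or (
            rule.get("from_port") == 0 and rule.get("to_port") in (0, 65535))
        hint = "  # also narrow protocol/ports to what the service needs\n" if all_ports else ""
        findings.append(Finding(
            res["address"],
            "network: ingress open to the world" + (" on all ports" if all_ports else ""),
            "HIGH" if all_ports else "MEDIUM",
            "ingress {\n"
            f"  from_port   = {rule.get('from_port')}\n"
            f"  to_port     = {rule.get('to_port')}\n"
            f"  protocol    = \"{rule.get('protocol')}\"\n"
            "  cidr_blocks = var.allowed_ingress_cidrs  # allow-list, not 0.0.0.0/0\n"
            f"{hint}}}\n"))
    return findings


def check_s3_bucket(res: dict) -> list[Finding]:
    """Flag bucket ACLs that grant anonymous or any-authenticated-user access."""
    acl = res["values"].get("acl")
    if acl not in PUBLIC_ACLS:
        return []
    name = res["name"]
    return [Finding(
        res["address"], f"storage: bucket ACL '{acl}' grants public access", "HIGH",
        'acl = "private"\n\n'
        f'resource "aws_s3_bucket_public_access_block" "{name}" {{\n'
        f'  bucket                  = aws_s3_bucket.{name}.id\n'
        '  block_public_acls       = true\n'
        '  block_public_policy     = true\n'
        '  ignore_public_acls      = true\n'
        '  restrict_public_buckets = true\n'
        '}\n')]


def check_hardcoded_secrets(res: dict) -> list[Finding]:
    """Run the secret patterns over every string attribute of any resource type."""
    return [Finding(
        res["address"], f"secrets: hardcoded {label}", "HIGH",
        "# fetch the value from a secret store at apply time instead of embedding it\n"
        'data "aws_secretsmanager_secret_version" "app" {\n'
        "  secret_id = var.app_secret_arn\n"
        "}\n"
        "# then reference data.aws_secretsmanager_secret_version.app.secret_string\n")
        for text in walk_strings(res["values"])
        for label, pattern in SECRET_PATTERNS.items() if pattern.search(text)]


TYPE_CHECKS = {"aws_security_group": check_security_group, "aws_s3_bucket": check_s3_bucket}


def evaluate(plan_json: str) -> list[Finding]:
    """Apply type-specific checks plus the secret scan to every planned resource."""
    plan = json.loads(plan_json)
    findings: list[Finding] = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        findings.extend(TYPE_CHECKS.get(res["type"], lambda r: [])(res))
        findings.extend(check_hardcoded_secrets(res))
    return findings


def gate(findings: list[Finding], fail_on=("HIGH",)) -> int:
    """CI exit status: non-zero blocks `terraform apply` until the fixes are merged."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


if __name__ == "__main__":
    found = evaluate(SAMPLE_PLAN)
    for f in found:
        print(f"[{f.severity}] {f.address}: {f.policy}\n{f.remediation}")
    raise SystemExit(gate(found))
```

Run against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and feed the file to `evaluate()`; the non-zero exit from `gate()` is what stops the pipeline before anything is provisioned. The remediation strings are deliberately emitted as HCL rather than applied in place, so the fix can be opened as a pull request for review, which is the point made in the answer above: the check alone would only move the alert noise into the developer's queue.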


Published Monday, January 04, 2021 7:49 AM by David Marshall