
Cloud | Products and Releases | Dark Reading | 5/20/2020 10:55 AM

Accurics' 'State of DevSecOps Report' Highlights Shift Toward Provisioning Cloud Infrastructure Through Code

Report analyzes current cloud-security approaches and outlines best practices.

Pleasanton, CA – May 19, 2020 – Accurics, the ‘immutable security’ specialist, today released the inaugural “Accurics State of DevSecOps” report, which features a deep analysis of current cloud security approaches and outlines best practices that organizations should consider as they reevaluate their approach to this critical discipline. Accurics—which officially launched last month with a platform that protects the full cloud native stack throughout the DevOps lifecycle in hybrid and multi-cloud environments—is the only company to eliminate security and compliance posture drift across deployed cloud infrastructure from a baseline defined during development.

“Our report clearly describes how current security practices are grossly inadequate for protecting transient cloud infrastructures, and why more than 30 billion records have been exposed through cloud breaches in just the past two years,” said Accurics Co-founder & CEO Sachin Aggarwal. “As cloud stacks become increasingly complex, with new technologies regularly added to the mix, what’s needed is a holistic approach with consistent protection across the full cloud stack, as well as the ability to identify risks from configuration changes to deployed cloud infrastructure from a baseline established during development. The shift to infrastructure as code enables this; organizations now have an opportunity to redesign their cloud security strategy and move away from a point solution approach.”

The Accurics report reveals that:

  • Misconfigurations of cloud native technologies across the full cloud native stack are increasing the attack surface and are being exploited by malicious actors.
  • There is a significant shift towards provisioning and managing cloud infrastructure through code. This offers an opportunity for organizations to embed security earlier in the DevOps lifecycle. However, infrastructure as code is not being adequately secured, due in part to the lack of tools that can provide holistic protection.
  • Even in scenarios where infrastructure as code actually is being governed, there are continuing problems from privileged users making changes directly to the cloud once infrastructure is provisioned. This creates posture drift from the secure baseline established through code.

Infrastructure as Code

Accurics’ research shows that securing cloud infrastructure in production isn’t enough. Researchers determined that only 4% of issues reported in production are actually being addressed. This is unsurprising since issue investigation and resolution at this late stage in the development lifecycle is challenging and costly.

A positive trend identified by the research is a significant shift towards provisioning and managing cloud infrastructure through code to achieve agility and reliability. Popular technologies include Terraform, Kubernetes, Docker, and OpenFaaS. Accurics’ research shows that 24% of configuration changes are made via code, which is encouraging given that many of these technologies are relatively new.

Infrastructure as code provides organizations with an opportunity to embed security earlier in the development lifecycle. However, research revealed that organizations are not ensuring basic security and compliance hygiene across code. The dangers are undeniable: high severity risks such as open security groups, overly permissive IAM roles, and exposed cloud storage services constituted 67% of the issues. This is particularly worrisome since these types of risks have been at the core of numerous high-profile cloud breaches.

The study also shows that even if organizations implement policy guardrails and security assessments across infrastructure as code, 90% of organizations allow privileged users to make configuration changes directly to cloud infrastructure after it is deployed. This unfortunately results in cloud posture drifting from the secure baseline established during development.
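The two preceding findings, checking infrastructure as code for the high-severity misconfiguration classes the report names (open security groups, overly permissive IAM roles, exposed storage) and then detecting posture drift between that code baseline and what is actually deployed, can be illustrated with a small script. The following is an added example written for this page; it is not Accurics' code, does not parse real Terraform HCL, and uses a simplified constructed dictionary model of resources whose type names, field names (`ingress`, `statements`, `acl`) and sample values are assumptions. The rule that only ports 80 and 443 may be world-reachable is also an assumption chosen for the example.

```python
"""Added example: baseline hygiene checks over infrastructure-as-code plus drift
detection against deployed state. Constructed data; not Accurics' code."""
import json
from typing import Any, Callable, Dict, List, Tuple

Resource = Dict[str, Any]
Inventory = Dict[str, Resource]

# Constructed baseline: the infrastructure exactly as the code declares it.
BASELINE: Inventory = {
    "aws_security_group.web": {
        "type": "aws_security_group",
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},   # HTTPS to the world is intended
            {"port": 22, "cidr": "10.0.0.0/8"},   # SSH only from the internal range
        ],
    },
    "aws_iam_role_policy.app": {
        "type": "aws_iam_role_policy",
        "statements": [
            {"effect": "Allow", "action": ["s3:GetObject"],
             "resource": ["arn:aws:s3:::app-bucket/*"]},
        ],
    },
    "aws_s3_bucket.app": {"type": "aws_s3_bucket", "acl": "private"},
}

# Constructed snapshot of the same resources after out-of-band console edits
# by a privileged user (the drift scenario the report describes).
DEPLOYED: Inventory = {
    "aws_security_group.web": {
        "type": "aws_security_group",
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "0.0.0.0/0"},    # SSH opened to the world
        ],
    },
    "aws_iam_role_policy.app": {
        "type": "aws_iam_role_policy",
        "statements": [
            {"effect": "Allow", "action": ["*"], "resource": ["*"]},  # wildcard admin
        ],
    },
    "aws_s3_bucket.app": {"type": "aws_s3_bucket", "acl": "public-read"},
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}   # assumption: only web ports may be world-reachable


def check_security_group(name: str, res: Resource) -> List[str]:
    """Open security group: a non-web port reachable from any address."""
    return [f"{name}: port {rule['port']} open to {rule['cidr']}"
            for rule in res.get("ingress", [])
            if rule.get("cidr") in PUBLIC_CIDRS and rule.get("port") not in PUBLIC_OK_PORTS]


def check_iam_policy(name: str, res: Resource) -> List[str]:
    """Overly permissive IAM: an Allow statement with wildcard action and resource."""
    findings = []
    for st in res.get("statements", []):
        if st.get("effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in st.get("action", []))
        wild_resource = "*" in st.get("resource", [])
        if wild_action and wild_resource:
            findings.append(f"{name}: Allow with wildcard action and resource")
    return findings


def check_s3_bucket(name: str, res: Resource) -> List[str]:
    """Exposed storage: a bucket whose ACL grants public access."""
    if res.get("acl") in {"public-read", "public-read-write"}:
        return [f"{name}: bucket ACL is {res['acl']}"]
    return []


CHECKS: Dict[str, Callable[[str, Resource], List[str]]] = {
    "aws_security_group": check_security_group,
    "aws_iam_role_policy": check_iam_policy,
    "aws_s3_bucket": check_s3_bucket,
}


def scan(resources: Inventory) -> List[str]:
    """Run the per-type hygiene checks; this is the step that belongs in CI, before provisioning."""
    findings: List[str] = []
    for name, res in resources.items():
        check = CHECKS.get(res.get("type", ""))
        if check:
            findings.extend(check(name, res))
    return findings


def detect_drift(baseline: Inventory, deployed: Inventory) -> List[Tuple[str, str]]:
    """Compare deployed state to the code baseline, resource by resource."""
    drift: List[Tuple[str, str]] = []
    for name in sorted(set(baseline) | set(deployed)):
        if name not in deployed:
            drift.append((name, "missing"))
        elif name not in baseline:
            drift.append((name, "unmanaged"))   # created outside of code
        elif json.dumps(baseline[name], sort_keys=True) != json.dumps(deployed[name], sort_keys=True):
            drift.append((name, "modified"))
    return drift


def risks_introduced_by_drift(baseline: Inventory, deployed: Inventory) -> List[str]:
    """Findings present in production that the secure baseline never had."""
    return [f for f in scan(deployed) if f not in set(scan(baseline))]


if __name__ == "__main__":
    print("baseline findings:", scan(BASELINE))
    print("drift:", detect_drift(BASELINE, DEPLOYED))
    print("new risks from drift:", risks_introduced_by_drift(BASELINE, DEPLOYED))
```

The baseline passes every check, so the code is clean when it leaves CI; the three findings appear only in the deployed snapshot, and `detect_drift` names the resources that were changed after provisioning, which is the point at which a team would revert to the baseline rather than triage in production.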

The Accurics report also recommends a series of best practices, including:

  • The importance of protecting the full cloud native stack, including serverless, containers, platform, and infrastructure
  • Embedding security earlier in the development lifecycle in order to reduce the attack surface before cloud infrastructure is provisioned, as well as monitor for incremental risks throughout its lifecycle
  • Most importantly, preventing cloud posture drift from the secure baseline established during development once infrastructure is provisioned

For a full copy of the report, please visit https://bit.ly/2X8YCP6.

About Accurics

Accurics enables organizations to innovate with confidence by protecting the full cloud native stack from code to production in hybrid and multi-cloud environments. It seamlessly scans infrastructure as code for misconfigurations, violations against common policy frameworks, and potential breach paths to eliminate risks before the cloud stack is provisioned. It also seamlessly monitors production cloud deployments for subsequent changes to the infrastructure that introduce risks and enables organizations to revert to a secure posture. With Accurics, organizations can ensure compliance, governance, and security across their full cloud native stack.
