Cloud complexity and rapid adoption reveal vulnerabilities and short cuts
Palo Alto’s Unit 42 report identifies misconfiguration as key issue with containers, and Ireland as a prime site
26 July 2019
Despite the reliability and availability benefits of cloud platforms, their inherent complexity and the speed at which they are deployed and adopted have conspired to leave data vulnerable, according to a new report.
Palo Alto’s threat intelligence team, Unit 42, has released a new report entitled “Cloud Threat Risk Report”. It shows that of some 21 “headline-grabbing incidents” involving public cloud platforms in the first half of this year, almost two thirds (65%) were found to have resulted from misconfiguration, which in turn increased the chance of data leakage.
“If there’s one thing cloud providers have done extremely well,” says the report, “it’s innovate. Unfortunately, this torrent of new, innovative features — often released on a near-daily basis — has led to exponentially more complexity.
“Although many IT and security organisations conceptually understand the Shared Responsibility Model, our research shows there is a breakdown when putting this concept into practice.”
The report says that for an attacker looking to exfiltrate data and make a profit, common cloud misconfigurations make for easy targets. In the 18 months before the report was written, nearly two thirds (65%) of publicly disclosed cloud security incidents were due to misconfigurations, and a further 25% were due to account compromises.
The popularity of containers in enterprise architectures has brought issues of its own too, the report finds.
The Unit 42 research found that more than 40,000 unique containers were running default configurations, allowing them to be identified quickly. Many organisations also appear to run default-configured applications on those default containers. The researchers advise that security teams need to embrace containers, as they are key to enabling DevSecOps. However, they add that teams also need to ensure that the applications and hosts are securely configured and monitored.
Container platforms such as Docker, and orchestration platforms such as Kubernetes, bring security concerns of their own when used in production environments, says the report. More than 40,000 container platforms exposed to the Internet were found to be using out-of-the-box configurations that allowed them to be identified using the simplest of search terms: the platforms’ names themselves, “Docker” and “Kubernetes”.
The report says that of some 23,354 exposed Docker containers, China was the leading country with 6,015, followed by the USA with 4,167 and Hong Kong with 1,960.
Kubernetes does not fare much better.
Of some 20,353 exposed Kubernetes containers, the USA was in the lead with 11,425, followed somewhat surprisingly by Ireland with 2,834, and Germany with 2,529.
The researchers discovered that both the containers and hosted services were using default configurations.
“Not all identified systems allowed for unauthenticated access to the data they contained, but a surprising number did. A select few of the default containers were also hosting default-configured applications, which allowed researchers to enter those systems without authentication. The apps, identified as ElasticSearch and Kibana, were found on both Docker and Kubernetes platforms.”
“Every container with sensitive data should be placed behind a properly configured security policy or external-facing firewall to prevent access from the Internet,” says the report.
The Unit 42 researchers advise that organisations should not keep default configurations for their container infrastructure. Instead, an organisation’s security policy should provide guidance on container configuration that is unique to that organisation and require authentication before any data can be retrieved.
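One way to turn the findings above (default Docker and Kubernetes platforms, and default Elasticsearch and Kibana instances, answering to anyone on the Internet) and the advice to require authentication into a repeatable check is an audit script like the one below. It is an added example, not Unit 42’s tooling and not taken from the report: it probes the shipped default ports and paths of each service with no credentials and reports whether the service answered with data (“open”), demanded authentication (“auth”), answered something unrecognised (“other”) or did not answer at all (“closed”). The endpoint list, the JSON keys used as fingerprints and the sample responses are my own assumptions and constructed data.

```python
"""Audit a host for default-configured container services reachable without
authentication.  Added example, not Unit 42's tooling: the endpoint table,
the fingerprint keys and the canned responses are assumptions of this script."""
import json
import socket
import ssl
import urllib.error
import urllib.request

# Shipped default listeners.  The last column is the JSON key I expect in an
# unauthenticated default response (an assumption, chosen from each API's
# documented reply shape).
DEFAULT_ENDPOINTS = [
    # service, scheme, port, path, fingerprint key
    ("docker",        "http",  2375, "/version",                  "ApiVersion"),                 # Engine API, if enabled on plain TCP
    ("kubernetes",    "http",  8080, "/api",                      "serverAddressByClientCIDRs"), # legacy insecure port
    ("kubernetes",    "https", 6443, "/api",                      "serverAddressByClientCIDRs"), # secure port, anonymous?
    ("elasticsearch", "http",  9200, "/_cat/indices?format=json", "index"),
    ("kibana",        "http",  5601, "/api/status",               "status"),
]
FINGERPRINTS = {service: key for service, _, _, _, key in DEFAULT_ENDPOINTS}


def classify(service, status, body):
    """Map an HTTP status and body to a verdict.

    'open'   the default endpoint returned service data without credentials
    'auth'   the service asked for credentials (401) or denied the anonymous
             user (403), i.e. the default has been changed as the report advises
    'other'  reachable, but not recognisably this service's default endpoint
    """
    if status in (401, 403):
        return "auth"
    if status != 200:
        return "other"
    try:
        data = json.loads(body)
    except ValueError:
        return "other"
    key = FINGERPRINTS[service]
    if isinstance(data, list):  # Elasticsearch _cat APIs answer with a list of rows
        return "open" if not data or (isinstance(data[0], dict) and key in data[0]) else "other"
    if isinstance(data, dict):
        return "open" if key in data else "other"
    return "other"


def probe(host, scheme, port, path, timeout=3.0):
    """GET one endpoint with no credentials.  Returns (status, body), or
    (None, "") when nothing answered.  Self-signed certificates are accepted
    because a default kube-apiserver presents one."""
    ctx = None
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"{scheme}://{host}:{port}{path}",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, ""


def audit(host, fetch=probe):
    """Probe every default endpoint on host; returns {(service, port): verdict}.
    fetch is injectable so the verdict logic can run against canned responses."""
    report = {}
    for service, scheme, port, path, _ in DEFAULT_ENDPOINTS:
        status, body = fetch(host, scheme, port, path)
        report[(service, port)] = "closed" if status is None else classify(service, status, body)
    return report


# Constructed responses (not captured from any real host): an open default
# Docker daemon, a closed insecure port, an API server denying anonymous
# access, a hardened Elasticsearch and a Kibana with no authentication.
SAMPLE_RESPONSES = {
    2375: (200, '{"ApiVersion":"1.40","Os":"linux","Arch":"amd64"}'),
    8080: (None, ""),
    6443: (403, '{"kind":"Status","status":"Failure","code":403}'),
    9200: (401, '{"error":{"type":"security_exception"}}'),
    5601: (200, '{"name":"kibana","status":{"overall":{"state":"green"}}}'),
}


def sample_fetch(host, scheme, port, path):
    """Stand-in for probe() that serves the constructed responses above."""
    return SAMPLE_RESPONSES[port]


if __name__ == "__main__":
    import sys
    # Usage: python audit.py <host>   (no host: run against the canned sample)
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else audit("sample-host", sample_fetch)
    for (service, port), verdict in sorted(results.items()):
        print(f"{service:14} :{port:<5} {verdict}")
```

The verdicts map directly onto the report’s advice: every “open” row is a default configuration serving data to the Internet without authentication, and the fix is either to require credentials on that service or to put it behind a firewall so the probe comes back “closed”.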
The report advises that security teams need access to a real-time view across virtual machines, containers, and serverless applications. “Maintaining visibility into diverse computer paradigms can be a challenge, but it is critical,” the researchers advise.
Security must be integrated with DevOps workflows to allow security teams to scale their efforts in an automated way. “Developers have a lot of power in the cloud, and your security needs to be able to keep up.”
Applications and workloads must be hardened. Although some security requirements fall to CSPs as part of the Shared Responsibility Model, the report asserts, security teams are still responsible for configuration and compliance of individual workloads, containers, and functions, including platforms like Kubernetes.
Maintain runtime protection, says the report. “As your organisation’s cloud footprint grows, being able to automatically model and whitelist application behaviour becomes a powerful tool for securing cloud workloads against attacks and compromises.”
The full report is available here.