DevOps needs to morph into DevSecOps to close security threats in the cloud
Everyone is having trouble keeping cloud deployments secure, according to a new report from Oracle and KPMG. The “Threat Report 2020: Addressing Security Configurations Amidst a State of Constant Change” found that 92% of IT professionals do not think their organization is well prepared to secure public cloud services.
Two of the biggest security risks are admin accounts with too many privileges and poor management of cloud secrets, like keys, account credentials, and passwords.
The report also found that:
Cybersecurity teams are playing catch-up.
The basics of cloud security are still not understood.
Misconfigured cloud services are prevalent, problematic, and the top cloud security priority.
Retooling for the cloud starts with people and process.
Many are betting on machine learning as a foundational cybersecurity technology.
Here is a review of the problems with over-privileged accounts and advice on how implementing a DevSecOps approach to software development can close up security holes in cloud deployments.
Restricting privileges to boost security
A key takeaway of this year’s cloud threat report is that privileged cloud credentials are the new entry point for bad actors. In the Oracle/KPMG report, 59% of respondents shared that team members with privileged cloud accounts have had those credentials compromised by a spear-phishing attack.
The report recommends implementing least-privilege access policies, especially in multi-cloud environments. This is not easy in an abstracted environment; in the report’s words, “a matrix of many-to-many relationships between users, accounts, and clouds arguably complicates implementing least privilege, as evidenced by our research findings.”
At the same time, the survey found that over-privileged accounts are the top misconfigured cloud service with 37% of respondents selecting this issue as the biggest problem. This list also includes:
Exposed web servers and other types of server workloads: 35%
Object store-resident data not appropriately secured via access control lists: 34%
The lack of multi-factor authentication: 33%
Disabled logging for capturing an audit trail of cloud activity: 31%
The most commonly cited misconfigured cloud service, over-privileged accounts, is directly related to unprotected cloud secrets, another significant cloud threat identified by the report.
These privileged cloud credentials are in demand by attackers, given the high percentage of organizations that reported spear-phishing attacks designed to steal these credentials. Stolen privileged cloud credentials can be used to gain access to additional cloud secrets and, from there, many other services including data stores such as databases and object stores.
Respondents noted that secrets have been discovered in unprotected locations such as:
Stored on servers: 59%
In our source code library: 55%
Stored in public cloud object stores: 54%
In HTML code: 31%
The report authors stated that this problem, storing cloud secrets in clear text in unprotected locations, is a byproduct of competing objectives: Dev teams are moving fast and not thinking about where they are placing secrets. Implementing least-privilege policies and using a hardware storage model or a key vault can solve that problem.
Improving security requires a cultural shift
To reduce the security threats in cloud deployments, security must become a business requirement and a shared responsibility instead of an afterthought, according to the report. Adopting a DevOps approach to software development is part of this transition. The report found that DevOps is no longer a methodology employed only by cloud-native companies. Survey respondents reported that DevOps is being broadly adopted across the board, with only 6% stating they have no plans to employ this method. DevOps is becoming mainstream, “with nearly one-third of respondents already employing DevOps, almost another quarter planning to do so in the next 12-24 months, and another one-third interested in doing so.”
The next phase of this evolution is integrating security into daily DevOps work. Companies are not as far along with this change, as just over one-third of respondents said that their organization has already integrated security into their DevOps processes.
The report authors suggest that many companies are missing an opportunity to establish a culture of security from the design phase.
To build a secure DevOps program that automates cybersecurity processes and controls via integration with the continuous integration and continuous delivery (CI/CD) toolchain, organizations must shift security left into dev-time and build-time. These tools and practices support that transition:
Software development lifecycle (SDLC) tools, including integrated development environments (IDEs)
Source code management (SCM) repositories
Automated build tools
Agile project management systems
Collaborative messaging platforms
Forty-six percent of survey respondents said that the most important reason to use a DevSecOps approach was to bake security into every stage of the continuous delivery toolchain. Collaboration and efficiency were the next most important factors, followed by compliance.
This year’s report is the first in a five-part series, with follow-on reports offering insights into research findings on central cloud security topics, including:
Demystifying the cloud security shared responsibility model
The business impact of the modern data breach
Addressing cyber-risk and fraud in the cloud
The mission of the cloud-centric CIS
The data presented in this report was collected through an online survey conducted by Enterprise Strategy Group of 750 cybersecurity and IT professionals from private- and public-sector organizations in North America (US and Canada), Western Europe (UK and France), and Asia-Pacific (Australia, Japan, and Singapore) between Dec. 16, 2019, and Jan. 16, 2020. To qualify for this survey, respondents had to be responsible for evaluating, purchasing, and managing cybersecurity technology products and services and to have a high level of familiarity with their organization’s public cloud utilization. All respondents were provided an incentive to complete the survey.