Cloud breaches are likely to increase in “velocity and scale” because poor cybersecurity practices in cloud configurations are widespread and are creating exposures. This is according to the most recent State of DevSecOps report by Accurics, which assesses the cloud configuration practices that lead to breaches.
The study found that 93% of the cloud deployments analyzed contained misconfigured services, while 91% of deployments had at least one network exposure where a security group was left wide open. Accurics noted that “these two practices alone have been at the center of over 200 breaches that exposed 30 billion records in the past two years.”
Other emerging practices were also observed to be creating exposures. These included hardcoded private keys, present in 72% of deployments. Additionally, half of deployments had unprotected credentials stored in container configuration files. The report added that “these keys and credentials could be used by unauthorized users to gain access to sensitive cloud resources.”
Close to a third (31%) of organizations were shown to have unused resources, with the primary cause being that resources are added to a default virtual private cloud (VPC) upon creation if a scope is not defined.
Commenting on the report, Matt Yonkovit, chief experience officer at Percona, said: “The best approach here is to have an audit to check that your best practices are in place and being followed. This can help show where security steps are missing, and you can then put them in place where needed. Over time, you can check that all your responsibilities around data backup, security and management are done correctly.
“It’s less about the department and more about the situation. Security problems can be caused by people who are underqualified, using complex and powerful tools they don’t fully understand or haven’t enough experience with. Easy access to technology can give users a false sense of security, and a misconception that because it is backed by a big name, it must be tested, trusted, and fail-safe.”
Greg Martin, general manager for security at Sumo Logic, added: “Increasingly organizations are experiencing serious data breaches due to basic cloud vulnerabilities such as this study highlights. Developers and security teams need to focus on awareness and training for common cloud security issues and more importantly automation to audit and identify gaps and vulnerabilities as they arise. Cloud security is the new frontier and most organizations are significantly lagging behind.”
Last month it was revealed that 260,000 actors had their personal data exposed due to a cloud misconfiguration error on a server belonging to a New Orleans-based casting agency.