As organisations rush to automate more of their cloud infrastructure build processes, they need to brush up on cyber hygiene.

Organisations that adopt and create new infrastructure as code (IaC) templates without the help of the right security tools and processes are inadvertently missing rampant vulnerabilities in their platforms. The Unit 42 Cloud Threat Report for Spring 2020 by Palo Alto Networks has made three key findings:

  • Organisations are not embracing DevSecOps: More than 199,000 Infrastructure as Code (IaC) templates, the basic foundation of a cloud environment that allows organisations to build and run scalable applications dynamically, have high- and medium-severity vulnerabilities. Most IaC templates are created through a simple three-step process: design, code, and deploy, but they also need to be scanned for security issues by DevOps teams. When that fourth step is overlooked, misconfigurations, which are the leading cause of cloud data breaches, go undetected and can unnecessarily expose an organisation’s cloud environment to attackers.
  • Poor cloud security practices are rampant: 43% of cloud databases are not encrypted, and 60% of cloud storage systems have logging disabled, which could lead to data breaches. With cloud logging disabled, attackers could enter a cloud storage system and organisations would never even notice. 
  • Cybercrime groups are using the cloud for cryptojacking: Adversary groups including Rocke, 8220 Mining Group and Pacha are stealing cloud resources from organisations to mine the cryptocurrency Monero, likely through public mining pools or their own mining pools. These attacks help these groups fund their cybercrime operations.
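
The "fourth step" described in the findings above can be sketched as a pre-deployment check that fails the build when a template contains the two misconfigurations the report names: unencrypted databases and storage without logging. This is an added example, not code from the report or from Palo Alto Networks; it assumes AWS CloudFormation-style JSON templates, and the sample template, resource names and severity labels are constructed for illustration.

```python
import json

# Constructed sample template (CloudFormation-style JSON); not taken from the report.
TEMPLATE = json.loads("""
{
  "Resources": {
    "OrdersDb": {"Type": "AWS::RDS::DBInstance",
                 "Properties": {"Engine": "mysql", "StorageEncrypted": false}},
    "AuditDb": {"Type": "AWS::RDS::DBInstance",
                "Properties": {"Engine": "postgres", "StorageEncrypted": "true"}},
    "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"LoggingConfiguration":
                                  {"DestinationBucketName": "central-access-logs"}}}
  }
}
""")

def check_db_encryption(props):
    # An omitted StorageEncrypted is treated as unencrypted; templates may
    # carry the value as a boolean or as the string "true".
    if str(props.get("StorageEncrypted", "")).lower() != "true":
        return "database storage is not encrypted"

def check_bucket_logging(props):
    # Without a LoggingConfiguration block no access logs are written.
    if props.get("LoggingConfiguration") is None:
        return "access logging is disabled"

# Resource type -> (severity, check). Severity labels are assumptions.
CHECKS = {
    "AWS::RDS::DBInstance": [("HIGH", check_db_encryption)],
    "AWS::S3::Bucket": [("MEDIUM", check_bucket_logging)],
}

def scan(template):
    """Return (severity, resource name, message) for every failed check."""
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        props = res.get("Properties") or {}
        for severity, check in CHECKS.get(res.get("Type"), []):
            message = check(props)
            if message:
                findings.append((severity, name, message))
    return findings

def gate(findings, fail_on=("HIGH", "MEDIUM")):
    """Exit code for a build step: 1 blocks the deploy, 0 lets it proceed."""
    return 1 if any(sev in fail_on for sev, _, _ in findings) else 0

if __name__ == "__main__":
    results = scan(TEMPLATE)
    for sev, name, message in results:
        print(f"[{sev}] {name}: {message}")
    raise SystemExit(gate(results))
```

Run as a build step between "code" and "deploy", a non-zero exit code stops the template from reaching the cloud environment until the finding is fixed.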

While IaC offers organisations the benefit of enforcing security standards in a systematic way, research shows that this capability is not yet being harnessed. Matthew Chiodi, chief security officer of public cloud for Palo Alto Networks, noted: “It only takes one misconfiguration to compromise an entire cloud environment. We found 199,000 of them. The good news is infrastructure as code can offer security teams many benefits, such as enabling security to be injected early into the software development process and embedding it into the very building blocks of an organization’s cloud infrastructure.”

The report was produced by Unit 42’s cloud research team using a combination of publicly available data and proprietary data from Palo Alto Networks.