Cloud misconfigurations take an average of 25 days to fix
On average it takes 25 days for companies to fix cloud infrastructure misconfigurations, according to a new report from cyber resilience specialist Accurics.
The research highlights security risks identified in cloud native environments. It shows that even organizations that establish a secure baseline when infrastructure is provisioned will experience 'drift' over time as configuration changes occur at runtime, and these changes take an average of eight days to fix.
"Cloud native apps and services are more vital than ever before, and any risk in the infrastructure has critical implications," says Accurics Co-founder, CTO and CISO Om Moolchandani. "Our research indicates that teams are rapidly adopting managed services, which certainly increase productivity and maintain development velocity. However, these teams unfortunately aren't keeping up with the associated risks -- we see a reliance on using default security profiles and configurations, along with excessive permissions. Messaging services and FaaS are also entering a perilous phase of adoption, just as storage buckets experienced a few years ago. If history is any guide, we'll start seeing more breaches through insecure configurations around these services."
Among the other findings, Kubernetes users who try to implement role-based access controls (RBAC) often fail to define roles effectively. This increases credential reuse and the chance of misuse -- in fact, 35 percent of the organizations evaluated struggle with this problem.
Another intriguing issue is that, of the organizations tested, 10 percent actually pay for advanced security capabilities that they never enable.
While the average time to fix infrastructure misconfigurations is about 25 days, the most critical portions of the infrastructure often take the most time to fix -- for example, load-balancing services take an average of 149 days to remedy. Since all user-facing data flows through these resources, this presents a serious security issue.
With new attacks emerging and ongoing risks continuing, cloud cyber resilience is now more important than ever, and configuration hygiene is critical. The full report is available from the Accurics site.