- A review of "hundreds" of cloud deployments from customers and community showed 93% of reviewed infrastructure had misconfigured cloud storage services, according to a report from Accurics released Tuesday.
- The majority of deployments had "at least one network exposure where a security group was left wide open." Combined, misconfigurations and open security groups have led to 200 breaches in the past two years, according to the company.
- Hardcoded private keys were found in 72% of deployments, according to the report. Half of analyzed deployments kept unprotected credentials in container configuration files.
The impact of misconfigurations in enterprise cloud deployments can potentially spread beyond organizations and reach their clients and stakeholders. Companies hold treasure troves of user information, and malicious actors can exploit the flaws in order to extract the data.
These type of cybersecurity flaws led to one of the largest data breaches the financial sector saw last year: the Capital One breach. A firewall misconfiguration allowed a malicious actor reach company data, which was hosted on Amazon Web Services, according to the Department of Justice.
The breach impacted data from 106 million individuals in the U.S. and Canada, including their credit scores and payment history.
Widespread misconfiguration in cloud deployments can be traced back to the beginning of cloud. When many companies began their cloud journey, deployment automation technology wasn't widely available, said Om Moolchandani, co-founder and CTO at Accurics.
"What used to happen is that a lot of cloud deployments were made using custom scripts or they were probably done by hand," said Moolchandani. As companies needed to perform changes to the cloud, the changes were made directly in the cloud, which introduced risk and misconfigurations.
"There was no way to detect misconfiguration before," said Moolchandani. With the invention, and increased adoption, of infrastructure as code (IaC), "that possibility has become a reality," allowing some teams to spot and fix errors before the deployment is up and running.
What companies can look to in the near future in order to combat misconfigurations is the connection between DevOps practices and security. "Security can be given to the DevOps teams using DevOps process, without introducing new friction points."
Companies that adopt DevSecOps practices can resolve a flaw 12 times faster than a traditional organization, according to a report from Veracode.