Accurics: Configuration errors are threat to cloud security

By Paddy Smith
A new report from Accurics says cloud security is threatened by poor configuration that leaves data exposed...

Poor configuration of cloud implementations poses a security threat, potentially leaving sensitive data exposed to public-facing servers.

That’s according to research from infrastructure-as-code provider Accurics, which scanned more than 1,800 security policies to come to its conclusion.

What are common cloud configuration errors?

The biggest problem, Accurics found, was default security settings. It’s vital to change these to prevent simple hacks, similar to hacking into someone’s router using the factory login details. Yet developers had either forgotten to override the default settings or made changes in the configuration that would leave the infrastructure vulnerable to attack.

What does the Accurics report recommend for cloud security?

The report recommends better training for developers in cloud infrastructure security, particularly where it is automated (via infrastructure as code, IaC). Automation is more efficient but does less to mitigate risk because the scripts cannot foresee every eventuality in every business.

Is it easy to fix?

Not at all. The average time taken to remedy cloud configuration errors, researchers found, was 25 days, and went up to 149 days. The report noted that the more critical the part of the infrastructure was, the longer it tended to take to fix. On top of that, scale played a part, with attackers able to exploit the advantages of hyperscale to their own ends. Om Moolchandani, chief technology officer at Accurics, said, ““The benefit of cloud is the ability to configure at scale and, unfortunately, that works to the attackers’ advantage as well.”

Are there other cloud security risks?

The report also identified ‘drift’, a phenomenon where adjusting the infrastructure security caused knock-on effects elsewhere in the security protocol. These were frequently unnoticed for long periods of time, as much as five years. It also flagged a security issue with Kubernetes container software, where access controls were misconfigured, leaving attack surfaces open.


Featured Articles

Advancing AI in Retail with Pick N Pay's Leon Van Niekerk

Pick N Pay's Head of Testing Leon Van Niekerk tells us at OpenText World Europe 2024 about its partnership with OpenText and how it plans to use AI

How Intel AI is Powering the 2024 Paris Olympic Games

Intel's AI technology is set to transform the Paris 2024 Olympic and Paralympic Games, enhancing experiences for athletes, spectators and global audiences

OpenText’s Muhi Majzoub: Engineering Platform Growth with AI

At OpenText World Europe 2024, we heard from EVP & Chief Product Officer Muhi Majzoub about OpenText’s latest product developments and future outlook

Top 100 Women 2024: Tanja Rueckert, Bosch - No. 6

Digital Transformation

Tech & AI LIVE London: One Month to Go

Digital Transformation

OpenText CEO Roundtable: The Future of Safe Enterprise AI

Digital Transformation