
The state of cloud security: IaC becomes priority one

Josh Stella, Co-founder and CTO, Fugue

About 40% of companies using the cloud suffered a serious cloud-based data leak or breach in the past 12 months, according to a new survey of DevOps, cloud, and security engineers conducted by cloud security company Fugue and software supply chain security company Sonatype. The findings are a part of the State of Cloud Security 2021 Report on the risks, costs, and challenges organizations and cloud teams are experiencing in 2021.

Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes, and eight out of 10 professionals surveyed in this report are worried that they’re at risk of a major data breach or security incident related to cloud misconfiguration. About two-thirds of respondents said they expect the problem to get worse or remain unchanged over the next year.

Here's what your team needs to know to get on top of cloud security in your organization.

Infrastructure-as-code security becomes a priority

The adoption of infrastructure-as-code (IaC) tools such as Terraform and AWS CloudFormation to provision and manage cloud environments has gone mainstream, with 90% of survey respondents saying they're using at least some IaC. Because a misconfiguration written into an IaC template is provisioned faithfully, and repeatedly, by every deployment that uses it, teams are recognizing the need to check IaC templates for policy violations before deployment rather than after.

Common solutions for IaC security include open-source tools such as the Regula policy engine (used by 14% of respondents), which builds on the Cloud Native Computing Foundation's Open Policy Agent (OPA), and tooling provided by the cloud providers, such as AWS CloudFormation Guard (used by 29%). A third of respondents still rely on manual security reviews of IaC files, and 27% aim to catch misconfigurations only after deployment.
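To make the pre-deployment check concrete, here is an added example (not Regula, CloudFormation Guard, or any Fugue code) that evaluates a few policy rules over a Terraform plan exported with `terraform show -json plan.out`. The rules, rule names, and the embedded plan are the editor's own constructions; the resource types and attribute names follow the Terraform AWS provider schema. The point it shows is that the same template misconfigurations a runtime scanner would find (a public bucket ACL, an unencrypted volume, SSH or RDP open to the world) can be caught and used to fail the pipeline before anything is provisioned.

```python
"""Pre-deployment IaC policy check over a Terraform plan (`terraform show -json`).

Added example, not Regula, CloudFormation Guard, or any Fugue code; the rules
are the editor's choices and SAMPLE_PLAN is constructed for illustration.
"""
import json
import sys
from dataclasses import dataclass
from typing import Iterator

ADMIN_PORTS = {22, 3389}                          # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}                  # any IPv4 / any IPv6 source
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass(frozen=True)
class Finding:
    rule: str
    address: str
    message: str


def iter_resources(plan: dict) -> Iterator[dict]:
    """Yield every planned resource, descending into nested child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def check_public_bucket_acl(res: dict) -> Iterator[Finding]:
    # AWS provider < 4.0 sets `acl` on aws_s3_bucket; >= 4.0 moves it to
    # aws_s3_bucket_acl, so both resource types are inspected.
    if res["type"] in ("aws_s3_bucket", "aws_s3_bucket_acl"):
        acl = res["values"].get("acl")
        if acl in PUBLIC_ACLS:
            yield Finding("S3_PUBLIC_ACL", res["address"], f"ACL is {acl}")


def check_unencrypted_volume(res: dict) -> Iterator[Finding]:
    if res["type"] == "aws_ebs_volume" and res["values"].get("encrypted") is not True:
        yield Finding("EBS_UNENCRYPTED", res["address"], "encrypted is not true")


def check_admin_ports_open(res: dict) -> Iterator[Finding]:
    if res["type"] != "aws_security_group":
        return
    for rule in res["values"].get("ingress") or []:
        sources = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not sources & ANYWHERE:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        if rule.get("protocol") in ("-1", "all"):   # "all protocols" means every port, not port 0
            lo, hi = 0, 65535
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            yield Finding("SG_ADMIN_PORT_OPEN", res["address"],
                          f"ports {exposed} open to {sorted(sources & ANYWHERE)}")


CHECKS = (check_public_bucket_acl, check_unencrypted_volume, check_admin_ports_open)


def evaluate(plan: dict) -> list:
    """Run every check over every planned resource; an empty list means 'deployable'."""
    return sorted(
        (f for res in iter_resources(plan) for check in CHECKS for f in check(res)),
        key=lambda f: (f.address, f.rule),
    )


# Constructed plan: two buckets, three security groups, one volume inside a child module.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "public-read"}},
        {"address": "aws_s3_bucket.state", "type": "aws_s3_bucket",
         "values": {"bucket": "example-state", "acl": "private"}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
    ],
    "child_modules": [{"address": "module.storage", "resources": [
        {"address": "module.storage.aws_ebs_volume.data", "type": "aws_ebs_volume",
         "values": {"size": 100, "encrypted": False}},
        {"address": "module.storage.aws_security_group.debug", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                                 "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": ["::/0"]}]}},
    ]}],
}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = evaluate(plan)
    for f in findings:
        print(f"{f.rule:<20} {f.address}: {f.message}")
    sys.exit(1 if findings else 0)    # non-zero exit fails the pipeline stage
```

Run it against the embedded plan and it reports four findings, including the `protocol = "-1"` group that exposes both admin ports to `::/0` even though its IPv4 range is private; a check that only looked at `from_port`/`to_port` literally would miss that rule. The non-zero exit code is what lets a CI stage block the deployment.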

IaC security comes with its own costs: half of cloud teams invest 50 or more engineering hours per week in it, and nearly half (45%) cite the burden of maintaining separate tools and policy frameworks for IaC security and for cloud runtime security. With the average cloud engineer salary starting at about $125,000, those operational security costs are considerable.

The high cost of managing the risk of cloud misconfiguration

Unlike application code, which rarely undergoes dangerous runtime changes once deployed, cloud infrastructure environments are highly dynamic and subject to unapproved post-deployment changes, commonly called drift. The combination of deployment errors and post-deployment drift produces a high rate of misconfiguration incidents: half of the teams surveyed are managing 50 or more cloud misconfigurations per day, and only 10% are remediating cloud misconfigurations faster than attackers using automated discovery tools can find them.
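Drift is only visible if something compares what the IaC declared with what the cloud API reports now. The following added example (not Fugue's or Terraform's own drift logic) does that comparison for the security-relevant attributes of a few resource types and flags which changes widen exposure. Both snapshots are constructed; in practice `DESIRED` would be derived from `terraform show -json` and `OBSERVED` from the provider's describe/list calls, both keyed by resource address.

```python
"""Post-deployment drift detection: declared (desired) vs. live (observed) state.

Added example, not Fugue's or Terraform's drift logic. DESIRED and OBSERVED are
constructed snapshots keyed by Terraform resource address.
"""
from dataclasses import dataclass
from typing import Any, Optional

# Only these attributes are compared; a tag or description edit is not drift
# worth paging on. Extend the table per resource type as needed.
SECURITY_ATTRS = {
    "aws_s3_bucket": ("acl", "versioning_enabled", "sse_algorithm"),
    "aws_security_group": ("ingress",),
}
ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass(frozen=True)
class Drift:
    kind: str                  # "changed", "deleted" or "unmanaged"
    address: str
    attribute: Optional[str]   # None for whole-resource events
    desired: Any
    observed: Any
    widens_exposure: bool      # True when live state is more open than declared


def _normalize(attr: str, value: Any) -> Any:
    """Ingress rules become an order-independent set, so reordering is not drift."""
    if attr == "ingress":
        return frozenset(
            (r["protocol"], r["from_port"], r["to_port"], tuple(sorted(r.get("cidr_blocks") or [])))
            for r in (value or [])
        )
    return value


def _widens(attr: str, desired: Any, observed: Any) -> bool:
    """Does the observed value expose more than the desired one did?"""
    if attr == "ingress":
        return any(set(cidrs) & ANYWHERE for *_, cidrs in observed - desired)
    if attr == "acl":
        return observed in PUBLIC_ACLS and desired not in PUBLIC_ACLS
    if attr == "versioning_enabled":
        return desired is True and observed is not True
    if attr == "sse_algorithm":
        return desired is not None and observed is None
    return False


def detect_drift(desired: dict, observed: dict) -> list:
    events = []
    for address, spec in desired.items():
        if address not in observed:
            events.append(Drift("deleted", address, None, spec["values"], None, False))
            continue
        live = observed[address]["values"]
        for attr in SECURITY_ATTRS.get(spec["type"], ()):
            want = _normalize(attr, spec["values"].get(attr))
            have = _normalize(attr, live.get(attr))
            if want != have:
                events.append(Drift("changed", address, attr, want, have, _widens(attr, want, have)))
    for address, live in observed.items():
        if address in desired:
            continue
        # Created outside IaC: compare against "nothing declared" for each attribute.
        widens = any(
            _widens(attr, _normalize(attr, None), _normalize(attr, live["values"].get(attr)))
            for attr in SECURITY_ATTRS.get(live["type"], ())
        )
        events.append(Drift("unmanaged", address, None, None, live["values"], widens))
    return events


# Constructed snapshots. OBSERVED reorders the web rules (not drift), adds SSH
# from anywhere (exposure drift), turns off versioning, loses the archive bucket,
# and contains a group nobody declared.
DESIRED = {
    "aws_security_group.web": {"type": "aws_security_group", "values": {"ingress": [
        {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_s3_bucket.logs": {"type": "aws_s3_bucket", "values": {
        "acl": "private", "versioning_enabled": True, "sse_algorithm": "aws:kms"}},
    "aws_s3_bucket.archive": {"type": "aws_s3_bucket", "values": {
        "acl": "private", "versioning_enabled": True, "sse_algorithm": "AES256"}},
}
OBSERVED = {
    "aws_security_group.web": {"type": "aws_security_group", "values": {"ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}],
        "tags": {"Owner": "someone"}}},
    "aws_s3_bucket.logs": {"type": "aws_s3_bucket", "values": {
        "acl": "private", "versioning_enabled": False, "sse_algorithm": "aws:kms"}},
    "aws_security_group.tmp_debug": {"type": "aws_security_group", "values": {"ingress": [
        {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr_blocks": ["203.0.113.0/24"]}]}},
}

if __name__ == "__main__":
    for e in detect_drift(DESIRED, OBSERVED):
        print(f"[{'EXPOSURE' if e.widens_exposure else 'info'}] {e.kind:9} {e.address} {e.attribute or ''}")
```

Two design points matter in practice. Normalizing rule lists to sets keeps a harmless reorder from becoming an alert, which is where much of the false-positive and alert-fatigue load comes from. And `unmanaged` resources are reported even when the exposure heuristic is false, because a resource with no declaration will never be fixed by the next IaC deployment.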

Predictably, responding to that volume of misconfiguration incidents requires resources: half of cloud teams devote more than 50 engineering hours per week to the problem, roughly the same investment required to manage cloud runtime security.

Cloud vulnerabilities: Causes and management challenges

Modern cloud environments are highly dynamic and complex, as are the compliance frameworks and enterprise policies needed to keep them secure. This presents challenges for the teams responsible for the security of cloud environments and data, and the report lays these out, including alert fatigue (cited by 21%), false positives (27%), and human error (38%). The demand for cloud security expertise is intense: 36% note hiring and retention challenges, while 35% struggle with training. Another 42% say that security is the primary factor impeding their velocity in the cloud, and 38% cite team friction over cloud security issues.

The most-cited cause of cloud misconfiguration is the sheer number of cloud APIs and interfaces that must be governed. Another 31% cited a lack of adequate controls and oversight over cloud operations and environments, and 27% noted a lack of policy awareness on their team. About one-fifth (21%) said they are not checking IaC prior to deployment, and another 20% said they are not adequately monitoring their cloud environment for misconfiguration. Negligence on the part of team members was called out by 23% of respondents.

Nearly half (45%) reported that they now operate a multi-cloud environment, which compounds the problem for teams that rely on a cloud service provider's native security tooling, since that tooling covers only its own platform. And because each cloud platform is different, an organization's policies, controls, and expertise must span every platform in use.

Where cloud security is headed

The survey asked what cloud professionals say they need to more effectively prevent and manage cloud security and compliance, and 47% said they need better visibility into their cloud environment and how it's changing. Using different policy frameworks for IaC and for the cloud runtime creates issues for cloud teams, and 96% of respondents said that a unified cloud security policy framework that applies the same rules across the software development lifecycle would be valuable.

Not surprisingly, the need for more automation to help with cloud security and compliance was a common refrain, with 43% saying that automated and immediate cloud infrastructure audits and deployment approvals would help them move faster. Another 37% want automated cloud compliance assessments and reporting, and 35% need better guidance on remediating misconfiguration in cloud environments and IaC.

For this report, Fugue and Sonatype surveyed 300 cloud professionals, including cloud engineers, security engineers, DevOps professionals, and architects, to gain insights into the causes of dangerous cloud misconfigurations, the challenges teams are experiencing in preventing them, the impact cloud security has on teams, and what teams say they need to more effectively manage risks. 
