McAfee released a report on Infrastructure-as-a-Service (IaaS) which states that IaaS is at great risk of Cloud-Native Breaches, with 99% of misconfigurations in public cloud ecosystems going undetected. Infrastructure as a service (IaaS) is a cloud computing model that provides virtualized computing resources over the internet. IaaS is one of the three main categories of cloud computing services, alongside software as a service (SaaS) and platform as a service (PaaS). An IaaS provider hosts the infrastructure components traditionally present in an on-premises data center, including servers, storage and networking hardware, as well as the virtualization layer. IaaS is a suitable option for workloads that are volatile, experimental, or that change unexpectedly.
Security is an aspect most IaaS adopters overlook, assuming the cloud provider is handling it. As a result of this misconception, multiple Cloud-Native Breaches (CNB) have been reported; a CNB is an opportunistic attack on data left exposed by faults in how the cloud environment was configured or misconfigured. McAfee’s Cloud-Native: The Infrastructure-as-a-service (IaaS) Adoption and Risk report found that 99% of cloud misconfigurations remain undetected by companies.
The report was released on Tuesday after surveying 1,000 enterprise organizations around the globe to identify the most consequential IaaS security issues. Cloud misconfigurations dominated the overall risk landscape, leaving millions of customer records and intellectual assets vulnerable to theft. A cloud misconfiguration is an error in how a cloud service is configured that introduces risk to the company and its data. Cloud infrastructure, or IaaS, is the most configurable cloud service, which makes misconfiguration more likely than in SaaS. The report shows that typically only 1% of such errors are identified by enterprises, and even after the misconfigurations are identified, 27% of the problems remain unresolved.
“Cloud-native breaches don’t surface like a normal malware-based attack, it’s a series of actions by an adversarial actor in which they ‘Land’ their attack by exploiting errors or vulnerabilities in a cloud deployment without using malware, ‘Expand’ their access through weakly configured or protected interfaces to locate valuable data, and ‘Exfiltrate’ that data to their own storage location.”
- Sekhar Sarukkai, vice president of engineering for cloud security at McAfee
All the big infrastructure providers, such as Amazon Web Services and Microsoft Azure, offer services that support business cases for building a multi-cloud environment, in which multiple IaaS providers are used. IaaS adoption is a quick process, and this speed is the main reason practitioners fail to keep up, which is how breaches slip through. Infrastructure evolves quickly in the cloud, creating more room for mistakes as code is delivered through continuous integration and continuous delivery (CI/CD) practices. Nowadays many applications are built in the cloud or are moving to the cloud, but multi-cloud makes it challenging for organizations to keep control and visibility of all their IaaS architectures. Most organizations are opting for multi-cloud, which further increases the difficulty of auditing configurations across multiple platforms.
Security measures to protect IaaS structures
- Incorporate IaaS configuration auditing into your CI/CD process
Building IaaS configuration auditing into the CI/CD process helps reduce the number of misconfigurations that reach production. Developers should look into security tools that integrate easily with Jenkins, Kubernetes, etc. to automate the audit and remediation processes.
- Evaluate IaaS security practices
By evaluating security practices against a framework like Land-Expand-Exfiltrate across the entire attack chain, businesses have a much better chance of stopping a breach before it gets out of hand.
- Invest in training security teams and cloud-native security tools
Some helpful security tools that can be used are Cloud Access Security Brokers (CASBs), Cloud Security Posture Management (CSPM), and Cloud Workload Protection Platforms (CWPP). All of these tools are designed to work within DevOps and CI/CD processes without duplicating on-premises data center security.
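As an added illustration of the first measure above (auditing IaaS configuration inside CI/CD), here is a small policy-as-code check that fails a pipeline step when an IaaS inventory contains the kind of misconfiguration the report describes. This is example code written for this page, not code from the McAfee report or from any named tool; the inventory schema, rule set and resource names are all constructed assumptions.

```python
# Added example (not from the McAfee report or any vendor tool): a minimal
# configuration audit that a CI/CD job can run before infrastructure changes
# are applied. The inventory schema below is constructed for this example;
# it is not a real provider export, and every resource in it is hypothetical.

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}            # "anyone on the internet"

def audit(inventory):
    """Return a list of (resource, finding) tuples; an empty list means the gate passes."""
    findings = []
    for sg in inventory.get("security_groups", []):
        for rule in sg.get("ingress", []):
            # Admin ports reachable from the whole internet are the classic "Land" foothold.
            if rule["cidr"] in WORLD and any(
                rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS
            ):
                findings.append((sg["name"], f"admin port open to {rule['cidr']}"))
    for bucket in inventory.get("buckets", []):
        if bucket.get("public_read"):
            findings.append((bucket["name"], "bucket readable by anyone"))
        if not bucket.get("encrypted", False):
            findings.append((bucket["name"], "bucket not encrypted at rest"))
    for vol in inventory.get("volumes", []):
        if not vol.get("encrypted", False):
            findings.append((vol["name"], "volume not encrypted at rest"))
    return findings

def ci_gate(inventory):
    """Exit code for the pipeline step: 0 when clean, 1 when any finding exists."""
    return 1 if audit(inventory) else 0

# Constructed sample inventory: one clean group, one risky group, two buckets, one volume.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"name": "web-sg", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"name": "bastion-sg", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    ],
    "buckets": [
        {"name": "customer-exports", "public_read": True, "encrypted": True},
        {"name": "app-logs", "public_read": False, "encrypted": True},
    ],
    "volumes": [{"name": "db-data", "encrypted": False}],
}

if __name__ == "__main__":
    for resource, finding in audit(SAMPLE_INVENTORY):
        print(f"FAIL {resource}: {finding}")
    raise SystemExit(ci_gate(SAMPLE_INVENTORY))
```

A real pipeline would feed `audit()` the output of the provider's inventory or the planned infrastructure change instead of the constructed sample, and a non-zero exit code blocks the deployment until the finding is fixed.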