As a vast majority of companies make the rapid shift to work-from-home to stem the spread of COVID-19, a significant percentage of IT and cloud professionals are concerned about maintaining the security of their cloud environments during the transition.

The findings are a part of the State of Cloud Security survey conducted by Fugue, the company putting engineers in command of cloud security. The survey found that 96% of cloud engineering teams are now 100% distributed and working from home in response to the crisis, with 83% having completed the transition or in the process of doing so.

Managing cloud infrastructure remotely

Of those that are making the shift, 84% are concerned about new security vulnerabilities created during the swift adoption of new access policies, networks, and devices used for managing cloud infrastructure remotely.

“What our survey reveals is that cloud misconfiguration not only remains the number one cause of data breaches in the cloud, the rapid global shift to 100% distributed teams is creating new risks for organisations and opportunities for malicious actors,” said Phillip Merrick, CEO of Fugue. “Knowing your cloud infrastructure is secure at all times is already a major challenge for even the most sophisticated cloud customers, and the current crisis is compounding the problem.”

Traditional security analysis tools

Because cloud misconfiguration exploits can be so difficult to detect using traditional security analysis tools, even after the fact, 84% of IT professionals are concerned that their organisation has already suffered a major cloud breach that they have yet to discover (39.7% highly concerned; 44.3% somewhat concerned). 28% state that they’ve already suffered a critical cloud data breach that they are aware of.

In addition, 92% are worried that their organisation is vulnerable to a major cloud misconfiguration-related data breach (47.3% highly concerned; 44.3% somewhat concerned). Over the next year, 33% believe cloud misconfigurations will increase and 43% believe the rate of misconfiguration will stay the same. Only 24% believe cloud misconfigurations will decrease at their organisation.

Preventing cloud misconfiguration

Preventing cloud misconfiguration remains a significant challenge for cloud engineering and security teams. Every team operating on cloud has a misconfiguration problem, with 73% citing more than 10 incidents per day, 36% experiencing more than 100 per day, and 10% suffering more than 500 per day. 3% had no idea what their misconfiguration rate is.

The top causes of cloud misconfiguration cited are a lack of awareness of cloud security and policies (52%), a lack of adequate controls and oversight (49%), too many cloud APIs and interfaces to adequately govern (43%), and negligent insider behaviour (32%). Only 31% of teams are using open source policy-as-code tooling to prevent misconfiguration from happening, while 39% still rely on manual reviews before deployment.

Identity and access management permissions

Respondents cited a number of critical misconfiguration events they’ve suffered, including object storage breaches (32%), unauthorised traffic to a virtual server instance (28%), unauthorised access to database services (24%), overly-broad Identity and Access Management permissions (24%), unauthorised user logins (24%), and unauthorised API calls (25%). Cloud misconfiguration was also cited as the cause of system downtime events (39%) and compliance violation events (34%).

While malicious actors use automation tools to scan the internet to find cloud misconfigurations within minutes of their inception, most cloud teams still rely on slow, manual processes to address the problem. 73% use manual remediation once alerting or log analysis tools identify potential issues, and only 39% have put some automated remediation in place. 40% of cloud teams conduct manual audits of cloud environments to identify misconfiguration.

A reliance on manual approaches to managing cloud misconfiguration creates new problems, including human error in missing or miscategorising critical misconfigurations (46%) and when remediating them (45%). 43% cite difficulties in training team members to correctly identify and remediate misconfiguration, and 39% face challenges in hiring enough cloud security experts. Issues such as false positives (31%) and alert fatigue (27%) were also listed as problems teams have encountered.

Effectiveness of cloud misconfiguration

The metric for measuring the effectiveness of cloud misconfiguration management is Mean Time to Remediation (MTTR), and 55% think their ideal MTTR should be under one hour, with 20% saying it should be under 15 minutes. However, 33% cited an actual MTTR of up to one day, and 15% said their MTTR is between one day and one week. 3% said their MTTR is longer than one week.

With cloud misconfiguration rates at such high levels and a widespread reliance on manual processes to manage it, the costs are predictably high for cloud customers. 49% of cloud engineering and security teams are devoting more than 50 man hours per week managing cloud misconfiguration, with 20% investing more than 100 hours on the problem.

Helping prioritise remediation efforts

When asked what they need to more effectively and efficiently manage cloud misconfiguration, 95% said tooling to automatically detect and remediate misconfiguration events would be valuable (72% very valuable; 23% somewhat valuable). Others cited the need for better visibility into cloud infrastructure (30%), timely notifications on dangerous changes (i.e., “drift”) and misconfiguration (28%), and improved reporting to help prioritise remediation efforts (8%).

Cloud security is about preventing the misconfiguration of cloud resources such as virtual servers, networks, and Identity and Access Management (IAM) services. Malicious actors exploit cloud misconfiguration to gain access to cloud environments, discover resources, and extract data. The National Security Agency states that “misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.”

Potentially risky misconfigurations

With the cloud, there’s no perimeter that can be defended, exploits typically don’t traverse traditional networks, and legacy security tools generally aren’t effective. Because developers continuously build and modify their cloud infrastructure, the attack surface is highly fluid and expanding rapidly. Organisations widely recognised as cloud security pioneers can fall victim to their own cloud misconfiguration mistakes.

With the Shared Responsibility Model, cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform are responsible for the ‘security of the cloud,’ and the customer is responsible for the ‘security in the cloud.’ While cloud providers can educate and alert their customers about potentially risky misconfigurations and good security practices, they can’t prevent their customers from making misconfiguration mistakes.

Fugue partnered with Propeller Insights to survey 300 IT, cloud, and security professionals, including DevOps engineers, cloud architects, security engineers, site reliability engineers (SREs), DevSecOps engineers, and application developers. Professionals from companies representing a variety of industries that use Amazon Web Services, Microsoft Azure, and Google Cloud Platform for cloud computing were surveyed.
