Cloud Threat Report Shows Need for Consistent DevSecOps - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

08:00 AM
Connect Directly

Cloud Threat Report Shows Need for Consistent DevSecOps

Organizations continue to make choices for the sake of speed in innovation, which can leave them unnecessarily vulnerable.

Developers might feel pressure to deploy in a hurry, yet skimping on security to save time can open the door to persistent risks. The findings of the latest Cloud Threat Report released by Unit 42 point to a rather unfortunate marriage of fastmoving, competitive strategies and lax attention to security policy. Unit 42 is the threat intelligence unit of cybersecurity provider Palo Alto Networks.

The necessity for robust security may seem all but academic as organizations migrate more workloads to the cloud. The trouble is those same organizations are driven by the need to stay ahead of their rivals, which can lead to exposure, says Matthew Chiodi, chief security officer for public cloud at Palo Alto Networks. “In our previous report, released last July, one of the big things we found was that 65% of publicly disclosed cloud security incidents were the result of customer misconfigurations,” he says. The latest report, he says, aims to address why the rate was so high.

Image: areebarbar - Adobe Stock
Image: areebarbar - Adobe Stock

Traditional, on-prem data centers might report fewer security incidents, Chiodi says, in part because of extensive change management and control. “To make a change in those environments, you typically have to go through multiple approvals,” he says. Such protocols might be relaxed in the cloud because of a continuous need to be relevant and stay ahead of the competition, Chiodi says. “CEOs are prioritizing growth and speed of innovation over cost. That push has caused DevOps teams to look for ways they can move quicker and push out apps faster.”

According to the cloud threat report, Unit 42’s research identified some 200,000 potential vulnerabilities in infrastructure as code templates. Further, more than 43% of cloud databases went unencrypted. Another 40% of cloud storage services did not have logging activated.

Chiodi says organizations often implement infrastructure as code templates because they let developers work faster. The issue, he says, is not with infrastructure as code templates, but with the haste of developers not performing security or risk checks on the templates, introducing vulnerabilities in their cloud environments.

Such misconfigurations of infrastructure, he says, can leave openings that cyber criminals seek for cryptojacking and other malicious efforts. Moreover, disabling logging in a cloud environment makes it harder to catch such bad actors, Chiodi says. “It’s almost impossible to prove or disprove that you’ve had a breach.”

Matthew ChiodiImage: Palo Alto Networks
Matthew Chiodi

Image: Palo Alto Networks

Despite efforts to educate developers on the importance of security, he says most developers believe their top priority is getting new features and functionality out as quickly as possible. “Yes, they’re supposed to engineer-in security but that doesn’t happen in many cases,” Chiodi says. “Many organizations have not yet embraced the concept of DevSecOps.”

Unit 42’s research shows that forward leaning organizations such as consumer companies want to operate with cloud-scale, serving a multitude of users, while maintaining security. Chiodi cites Netflix as a company that does so because it fully integrated development, security, and operations. He suggests that security teams should also embrace infrastructure as code to automatically put written security policies into code. “That way when a developer creates a new cloud environment, if it has security standards coded right in, every time they create from that template it will be the same every time,” he says. Conversely, Chiodi says a template with vulnerabilities will repeat those vulnerabilities each time it is applied.

As organizations continue to move quickly, he believes they need to improve visibility into what is running in the cloud, elevating the importance of enforcing security standards. “You can’t secure what you can’t see,” Chiodi says.

For more on DevSecOps and cloud security, check out these stories:

The Search for a Plan to Bolster DevSecOps Against Attacks

Q&A: Denim Group CTO on DevSecOps and Resolving Disconnect

Stepping into the Cloud Requires New IT Security Tactics

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
CIOs Face Decisions on Remote Work for Post-Pandemic Future
Joao-Pierre S. Ruth, Senior Writer,  2/19/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
CRM Trends 2021: How the Pandemic Altered Customer Behavior Forever
Jessica Davis, Senior Editor, Enterprise Apps,  2/18/2021
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll