© 2023 Prancer, Inc.


IaC and DevOps Report for Summer 2020

August 6, 2020

Accurics has just released the latest erosion of its “State of DevOps” reports for the summer of 2020. This report looks at the different types of security challenges that are emerging as more companies adopt cloud technology and Infrastructure as Code (IaC). While the report shows that cloud breaches have the potential to increase in number and scale in the coming months, the study also suggests concrete steps that can be taken to avoid these problems while still taking full advantage of IaC and DevOps.

Most Common Security Challenges

1- Cloud misconfiguration. While cloud misconfiguration isn’t necessarily an emerging threat, it is clear that companies have yet to adequately address this issue which means that it will occur more often and on a larger scale in the future. According to the study, a full 93% of cloud deployments that were studied contained at least one instance where an entire storage bucket was left completely exposed.

Businesses weren’t just failing to use multiple-authentication processes, they were leaving areas without any protection at all. This is somewhat surprising in a time when we now know about the importance of security and compliance and there are simple ways to protect sensitive data.

2- Routing misconfigurations. The report cites misconfigured routing rules as the biggest risk factor across the board. According to their analysis, in 100% of cases of deployment, changing one of the routing rules was enough to expose a subnet. Small challenges to the configuration resulted in sensitive data being compromised. Malicious actors could easily exploit these vulnerabilities.

3- Alert fatigue. One of the advantages of cloud technology, IaC and DevOps is that companies can automate alerts and be notified when there is any abnormal activity. When this is combined with manual monitoring and resolution, companies are able to quickly identify and fix problems. However, a constant stream of alerts can create fatigue and make IT teams less motivated to investigate every alert.

Remediation as Code has been introduced as a solution to alert fatigue. It allows teams to automatically generate the code necessary to address problems. In test cases, Remediation as Code is able to resolve 80% of all risks and help eliminate a constant stream of alerts.

4- Hardcoded keys. While there are plenty of key management tools and services available, businesses continue to use hardcoded keys. In many cases, unprotected credentials were stored and used in deployments. Since most businesses attach high-level privileges to these keys, this can create the opportunity for major breaches that have the potential to expose a long chain of resources. Simply using key vaults, avoiding hardcoded keys and rotating access keys can prevent this problem.

Fortunately, Infrastructure as Code (IaC) can help mitigate many of these problems. IaC allows businesses to build security code during the development phase before the infrastructure is provisioned. This is an effective way to reduce vulnerabilities and create a more automated, scalable and responsive system that is equipped to handle existing and emerging security threats. IaC can serve as a baseline that can always be deployed as necessary. If a significant change to the IaC needs to be made, it can be implemented quickly in a way that creates a new baseline. This provides a highly adaptable system that can prioritize security without slowing down the development pipeline.

For more information about IaC and DevOps, cloud technology, and how you can use these tools while still ensuring compliance and security, contact the experts at prancer today.