The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig.
While zero trust is a top priority, data showed that least privilege access rights, an underpinning of zero trust architecture, are not properly enforced. Almost 90% of granted permissions are not used, which leaves many opportunities for attackers who steal credentials, the report noted.
The data was derived from an analysis of more than seven million containers that Sysdig customers are running daily. The report also considered data pulled from public data sources such as GitHub, Docker Hub, and the CNCF. Customer data across North and South America, Australia, the EU, UK, and Japan was analyzed for the report.
87% of container images have high or critical vulnerabilities
Almost 87% of container images were found to include a high or critical vulnerability, up from the 75% reported last year. Some images were found to have more than one vulnerability. Organizations are aware of the danger, but struggle with the tension of addressing vulnerabilities while maintaining the fast pace of software releases, Sysdig noted.
The reason vulnerabilities persist despite having a fix is because of bandwidth and prioritization issues. When 87% of container images running in production have a critical or high severity vulnerability, a DevOps or security engineer can log in and see hundreds, if not thousands of images with vulnerabilities.
“It takes time to go through the list and fix things. For most developers, writing code for new applications is what they are evaluated on, so every minute they spend on applying fixes is time not developing new applications that can be sold,” Crystal Morin, threat research engineer at Sysdig said.
Only 15% of critical and high vulnerabilities with an available fix are in packages loaded at runtime. By filtering out those vulnerable packages that are actually in use, enterprises can focus their efforts on a smaller fraction of the fixable vulnerabilities that represent true risk.
Java packages are the riskiest
On measuring the percentage of vulnerabilities in packages loaded at runtime by package type to gauge which language, libraries, or file types presented the most vulnerability risk, Sysdig found that Java packages were responsible for 61% of the more than 320,000 vulnerabilities in running packages. Java packages make up 24% of the packages loaded at runtime.
More vulnerabilities in packages exposed at runtime results in a higher risk of compromise or attack. Java has the greatest number of vulnerabilities exposed at runtime. While Java is not the most popular package type across all container images, it is the most common in use at runtime.
“For this reason, we believe that both the good guys and the bad guys focus on Java packages to get the most bang for their buck. Due to its popularity, bug hunters are likely more dedicated to Java language vulnerabilities,” Morin said.
While newer or less common package types may seem more secure, Morin said this could be because vulnerabilities haven’t been discovered or worse yet, they have been found, but have not been disclosed.
Applying the shift-left, shield-right concept
Shift-left is the practice of moving testing, quality, and performance evaluation early in the development lifecycle. However, even with the perfect shift-left security practice, threats can arise in production.
Organizations should follow a shift-left and shield-right strategy, Sysdig suggested. Shield-right security emphasizes mechanisms to protect and monitor running services. “Traditional security practices with tools like firewalls and intrusion prevention systems (IPS) aren’t enough. They leave gaps because they typically don’t provide insight into containerized workloads and the surrounding cloud-native context,” Morin said.
Runtime visibility can help organizations to improve shift-left practice. Once containers are in production, a feedback loop to correlate issues discovered in runtime back to the underlying code helps developers know where to focus. Static security testing can also be informed by runtime intelligence to pinpoint what packages are executed inside the containers that run the application.
“This enables developers to deprioritize vulnerabilities for unused packages and focus instead on fixing exploitable, running vulnerabilities. The goal of every cybersecurity program should be full lifecycle security,” Morin added.
Misconfiguration biggest culprit in cloud security incidents
While vulnerabilities are a concern, misconfigurations are still the biggest player in cloud security incidents and, therefore, should be one of the greatest causes for concern in organizations. By 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020, according to Gartner.
Data from Sysdig showed that only 10% of permissions granted to non-admin users were utilized when analyzed over a 90-day window.
Sysdig’s year-over-year analysis revealed that organizations are either granting access to more employees or maturing their Identity and Access Management (IAM) practices. The growth in human user population may be a by-product of moving more business into cloud environments or ramping up staffing due to business growth, the cybersecurity firm noted.
This year, 58% of identities on Sysdig customers’ cloud environment were found to be non-human roles, down from 88% last year.
Non-human roles are often used temporarily and if they are no longer used and are not removed, they provide easy access points for malicious actors. “Reason for the shift in types of roles could be that organizations’ cloud use is growing and with the adoption, more employees are being granted cloud accesses, therefore shifting the balance of human and non-human roles,” Morin said.
More than 98% of permissions granted to non-human identities have not been used for at least 90 days. “Oftentimes, these unused permissions are granted to orphaned identities, such as expired test accounts or third-party accounts,” Sysdig noted.
Applying least privilege principles to non-human identities
Security teams should apply least privilege principles to non-human identities in the same way they manage human identities. They should also remove unused test accounts wherever possible to prevent access risk. While this can be tedious to determine manually, in-use permission filters and automatically generated recommendations can make this process more efficient, Sysdig noted.
The least privilege principle is the same for non-humans as it is for humans. Organizations need to grant the minimum access that a human needs to do the job. The same applies to non-humans, such as applications, cloud services or commercial tools that need access to do their job. These operate similar to how applications on cell phone that request permissions to access contacts, photos, camera, microphone, and more.
“With that, we must also consider access management for these non-human entities. Granting excessive permissions and not regularly managing granted permissions provides additional initial access, lateral movement, and privilege escalation options for malicious actors,” Morin said.