Personal health information and other sensitive data is left exposed as businesses overlook encryption and network security. The average lifespan of a cloud resource is 127 minutes. Traditional security strategies can't keep up with this rate of change, and 82% of databases in the public cloud are left unencrypted.
These findings come from the RedLock Cloud Security Intelligence (CSI) team's "Cloud Infrastructure Security Trends" report. RedLock today formally announced the CSI team and its inaugural report, which focuses on major vulnerabilities in public cloud environments.
The team analyzed more than one million cloud resources, processing 12 petabytes of network traffic, and dug for flaws in public cloud infrastructure. They found 4.8 million records, including protected health information (PHI) and personally identifiable information (PII), were exposed because best practices like encryption and access control aren't enforced.
"Imagine the day and age we live in," says RedLock cofounder and CEO Varun Badhwar. "You should be using encryption of data at-rest. There is no data out of the reach of bad actors if not secured correctly."
The problem isn't in cloud providers failing to secure data centers, but in organizations failing to secure applications, content, systems, networks, and users that use the cloud infrastructure. "That is where people are not aware, or not investing the right resources," he continues.
Researchers found of the 82% of databases left unencrypted in the public cloud, 31% were accepting inbound connection requests from the internet. More than half (51%) of network traffic in the public cloud is still on the default web port (port 80) for receiving unencrypted traffic. Nearly all (93%) public cloud resources have no outbound firewall rule, says Badhwar.
"You need to have control at the network, configuration, and user layers so it's hard for someone to get in, and harder for them to take your data out," Badhwar emphasizes, adding how weak network controls lead to trouble. "It's like saying, 'I'm going to leave my gates and front doors open, and hope I don’t get robbed,'" he says.
Developers and the team running operations in the cloud need to have secure access, and researchers discovered they often don't.
Businesses are moving to the cloud from on-prem environments where everything underwent a security review and sign-off process before being pushed to production, Badhwar continues. Two hours and 27 minutes, the average lifespan of a cloud resource, is a much smaller window.
"Within that timeframe, the customer has no clue how to get security right because developers are pushing code," says Badhwar. "None of the existing security tools work at the speed of change. Customers have no visibility into the changes pushed to production."
He calls the current cloud environment a "devops-oriented world" in which those who write the code are responsible for pushing it to production. The problem is, those who are making changes within cloud environments are not trained security professionals.
Their lack of expertise brings additional risk, especially with new tech like containers. RedLock researchers found 285 Kubernetes dashboards (web-based admin interfaces) deployed on Google Cloud, Microsoft Azure, and AWS that were not password-protected. There were many cases where Kubernetes systems held plaintext credentials to other critical systems, a vulnerability leaving key infrastructure exposed.
Security recommendations from the report include training developers on security practices for public cloud infrastructure, ensuring services are set to accept internet traffic on an as-needed basis, and setting a default "deny all" outbound firewall policy. You should also automatically discover database and storage resources as they are created in the public cloud, and monitor network traffic to ensure those resources are not directly interacting with internet services.