By 2027, it’s anticipated that over 90% of companies worldwide will be utilizing containerized applications. Already in 2023, 63% of enterprises have embraced a cloud-native approach. Initially, the shift to cloud computing was expected to be a straightforward infrastructure update, where traditional security measures would remain relevant.

In the past, the primary concerns for IT and system administrators, developers, and operations teams were malware and exploits. Cybersecurity experts were accustomed to analyzing malware in targeted attacks and evaluating exploits through penetration tests, with these practices requiring minimal adjustments to their methodologies.

However, this perspective is outdated. Transitioning to the cloud and adopting container technologies bring a host of new variables, creating a complex interplay between operational demands and security concerns. Managing technical details like network configurations and strategic considerations such as compliance and time-to-market becomes more challenging. As a result, organizations are increasingly vulnerable to a subtle but significant threat: misconfigurations, which are quickly becoming a critical vulnerability in cloud environments.

Shifting Perspectives on Cloud Security

Cloud service providers (CSPs) have established a shared responsibility model to clarify the division of security duties between themselves and their clients. In this framework, CSPs handle the security "of the cloud," which includes safeguarding the underlying infrastructure, hardware, and software that support the cloud services. Conversely, customers are tasked with ensuring security "in the cloud," which involves protecting their own data, applications, and user access.

CSPs are responsible for securing the physical components of the cloud infrastructure, such as servers, storage systems, and network elements. This includes implementing firewalls, managing physical access controls, and conducting routine security audits. Depending on the specifics of the service and the shared responsibility model, CSPs may also handle the patching of operating systems.

Customers, however, must focus on protecting their own data within the cloud environment. This entails applying encryption, data loss prevention measures, and managing access controls. For instance, although the cloud platform typically provides encryption for data both at rest and in transit, customers need to ensure their data is encrypted before it is uploaded to the cloud and that they manage their encryption keys effectively.

Figure 1. How a cloud shared responsibility model defines the CSP and customer’s accountabilities

Different Approaches to Cloud Shared Responsibility Models

The shared responsibility model varies according to the cloud service type:

• Infrastructure as a Service (IaaS): In this model, the cloud service provider (CSP) supplies the fundamental infrastructure, including virtual machines, storage, and networking components. Customers are responsible for managing the operating systems, applications, and data within this infrastructure.

• Platform as a Service (PaaS): Here, the CSP takes care of the underlying infrastructure as well as the platform that supports applications. Customers focus on their data and the application logic. For instance, the CSP manages the servers up to the operating system level, along with networks and storage for container services, while customers handle the security of their application code and data.

• Software as a Service (SaaS): In the SaaS model, the CSP oversees nearly everything, from the infrastructure to the application itself. Customers are mainly responsible for their own data and user access. For example, in serverless computing scenarios, the CSP handles the entire stack, leaving customers to manage their data and control user access.

As the adoption of cloud services expands, the attack surface is undergoing significant changes. Physical attacks are now largely a thing of the past. Once customers begin using cloud services, the responsibility for safeguarding against physical vulnerabilities falls entirely on the cloud service provider (CSP). The CSP must prevent any unauthorized physical access that could potentially expose local vulnerabilities.

In the Software as a Service (SaaS) model, the CSP also manages and secures the application itself. This includes handling all operating system vulnerabilities and applying necessary patches, relieving customers from this responsibility.

When comprehensive security measures and patches are effectively implemented, the cloud services become significantly harder for attackers to exploit. As CSPs assume more security responsibilities, the overall attack surface diminishes. This shift enables CSPs to provide more robust and secure platforms, which in turn helps to minimize the risk of misconfigurations by customers.

Service exposure is another crucial aspect to consider. Most cloud service providers (CSPs) apply the principle of least privilege by default, meaning that services are initially restricted and customers must make explicit changes to increase their accessibility. This approach makes it more challenging to unintentionally expose a vulnerable application to the internet, as customers need to actively modify settings to make their services public.

However, this does not entirely eliminate the risk of vulnerabilities. This is particularly relevant in the Infrastructure as a Service (IaaS) model, where customers have greater control over their security configurations. They can choose to relax security settings, potentially exposing their applications and operating systems to both existing and newly discovered vulnerabilities.

Even so, when applications are built and operated within an IaaS environment, CSPs can enforce security best practices to mitigate risks. This can reduce the number of exploitable files and libraries and result in shorter-lived environments, which can help lessen the impact of vulnerabilities. Despite these measures, traditional security issues are still possible, so what are the remaining concerns?

A common thread in many cloud-related security incidents is misconfiguration.

When security policies designed to protect the system come into conflict with the need for usability and the complexity of configurations, customers often take shortcuts that bypass established best practices. A lack of cloud security expertise during migration can lead to relaxed security measures.

Consider the `chmod 777` command, for instance. This command provides excessive access permissions to resolve issues related to file permissions. Even experienced system administrators sometimes use `chmod 777` as a quick fix to ensure that a website functions properly, inadvertently allowing anyone to read, write, and execute the file or directory without regard for the security risks.

A similar issue arises with cloud services. Users often grant extensive access rights as a workaround for problems. This pragmatic approach might be driven by the need to support Agile development processes, facilitate testing and troubleshooting, automate workflows, or manage geographically dispersed teams that require broad access to accomplish their tasks. Additionally, when integrating data from various internal and external sources into a cloud-based system, restrictive permissions can become a significant obstacle.

Nonetheless, many enterprises overlook the critical need to balance operational agility with robust security measures. This oversight can stem from inadequate governance, a lack of security awareness, or the rapid pace of technological advancements. Often, whether it's a setting that grants unrestricted access or a broadly permissive identity access management (IAM) policy, the prevailing mindset is simply: "If it works, it works." This mindset, however, undermines security and leaves systems vulnerable to potential threats.

Examples of Cloud and Container Misconfigurations

Amazon Web Services (AWS) S3 buckets: A frequent error occurs when S3 bucket policies are configured to grant public read/write access for quick data sharing. This exposes the data to anyone online, significantly increasing the risk of data breaches.

IAM roles: Assigning "owner" or "admin" roles to all users in a cloud environment to bypass permission challenges can result in serious security vulnerabilities. This approach grants full access to every user, creating opportunities for accidental or malicious modifications.

It’s not unusual to find open-source projects on platforms like GitHub with deployment and setup files that grant overly broad permissions. Similarly, solutions shared on forums like Stack Overflow may include configuration files with permissions that are too lenient.

The problem worsens when vendors include insecure configuration files in their documentation and code samples. For instance, network configuration examples often suggest using 0.0.0.0 as the default network setting for services like APIs or daemons. Depending on the environment and firewall settings, this can leave systems accessible to the entire internet.

Figure 2. An example of how a configuration file provides excessive permission

Misconfigurations: A rising threat in cloud and container environments

The growing complexity of today’s cloud and container ecosystems is a major driver behind the increase in misconfigurations. Many organizations are now adopting multicloud approaches, further complicating the situation. According to a 2023 Cloud Detection and Response Survey by Enterprise Strategy Group (ESG), 69% of companies are using at least three different cloud service providers (CSPs), and 83% have already moved their production applications to the cloud. As this migration continues to speed up, each CSP’s unique configurations and security features make it difficult for security teams to maintain uniform security practices. As more businesses adopt multiple CSPs, the demand for scalable and automated cloud detection and response (CDR) tools becomes more pressing.

Figure 3. Organizations increasingly adopt a multicloud strategy with several concerns

Rapid deployment and DevOps practices lacking security focus

The emphasis on fast deployment cycles within DevOps workflows significantly heightens the risk of misconfigurations. According to the same ESG report, a large number of organizations have fully embraced DevOps, leading to frequent software updates that often bypass thorough security evaluations. This results in configurations optimized for performance but lacking in security, creating vulnerabilities that attackers can exploit.

The ESG survey also highlighted that 85% of organizations release new builds into production at least once a week within DevOps environments. This fast-paced deployment process increases the chances of misconfigurations slipping through. The accelerated software delivery, driven by business needs, often outpaces the ability of security teams to properly review and secure the configurations in time.

Here are several examples of typical misconfigurations in cloud and container environments:

• Unauthenticated API: APIs that lack authentication controls allow unauthorized users to access and potentially manipulate data.

• Open storage buckets: Cloud storage buckets that permit public access can inadvertently expose sensitive information.

• Default passwords in production: Deploying systems with default credentials in live environments leaves them vulnerable to attackers, as these credentials are often well-known and easily guessable.

• Unencrypted data in transit: Data that is transmitted across networks without encryption is vulnerable to interception, allowing attackers to capture sensitive information.

• Excessive permissions: Over-assigning privileges to users or services increases the potential for misuse or exploitation.

• Unrestricted inbound ports: Open ports that are not essential can provide attackers with a gateway to access the system.

• Misconfigured security groups: Security groups that are too permissive can permit unwanted traffic, exposing the system to unnecessary risks.

• Exposed management consoles: Management interfaces that are publicly accessible without sufficient access controls can become a target for attackers.

• Outdated software and dependencies: Running outdated software with known vulnerabilities makes systems susceptible to attacks that exploit those flaws.

• Lack of network segmentation: When networks are not properly segmented, attackers can move freely across systems, increasing the likelihood of widespread compromise.

These are the potential consequences when misconfigurations are exploited:

• Data breaches: Unauthorized individuals could access sensitive information, leading to the exposure or misuse of confidential data.

• Account hijacking: Attackers could take control of user accounts to perform malicious actions, such as stealing information or altering systems.

• Cryptojacking: Malicious actors could hijack cloud or container resources to mine cryptocurrency, causing performance degradation and increasing operational costs.

• Denial of service (DoS): Flooding services with requests could render them unavailable, preventing legitimate users from accessing critical systems.

• Data loss: Important information could be deleted or corrupted, potentially causing permanent loss of essential data.

• Compliance violations: Failure to safeguard sensitive information can result in non-compliance with regulatory requirements, leading to fines and legal consequences.

• Escalated privileges: Gaining unauthorized elevated access could allow attackers to infiltrate critical systems and further exploit resources.

• Service disruption: Compromised services could disrupt business operations, impacting productivity and workflow.

• Intellectual property theft: Attackers stealing proprietary data can misuse trade secrets, undermining a company's competitive advantage.

• Financial loss: The costs of responding to incidents, along with damage to brand reputation, can result in significant financial repercussions.

Attackers exploiting misconfigurations

Cybercriminals are well aware of how common misconfigurations are, and they actively take advantage of them. Research sheds light on the widespread exploitation of these vulnerabilities:

• Kong API gateway misconfigurations: Attackers have targeted misconfigured Kong API gateways, gaining unauthorized access to APIs and sensitive data. These attacks often stem from a lack of authentication and weak access controls, allowing malicious actors to manipulate API traffic and exfiltrate critical information.

• Apache APISIX exploitation: Another study focused on Apache APISIX revealed how attackers exploit default settings and poorly configured environments. Many security breaches occurred because administrators neglected to change default configurations or failed to properly secure API gateways, making systems highly vulnerable to infiltration.

Misconfigurations vs. Traditional Vulnerabilities

Misconfigurations are often more common than traditional vulnerabilities because they can occur with minimal effort. A single misconfiguration can compromise an entire application or dataset, while traditional vulnerabilities usually require more advanced techniques to exploit. According to the ESG report, almost every organization faced a cloud security incident in the past year, with many of these incidents linked to misconfigurations. Similarly, Telus’ 2023 “State of Cloud Security” report found that 74% of organizations encountered at least one major security incident due to misconfigurations.

In many cases, exploiting misconfigurations demands less technical expertise compared to traditional vulnerabilities. For example, an Amazon S3 bucket with improper settings can be accessed by anyone who has the URL. Conversely, exploiting a buffer overflow vulnerability involves a deep understanding of the software and its environment.

The Telus report also highlighted that nearly 50% of cloud security incidents are caused by preventable misconfigurations, such as failing to adjust default settings or granting excessive permissions. These problems often result from oversight or a lack of awareness about the security implications of certain configurations. The same study found that 95% of organizations regularly encounter such misconfigurations.

While zero-day exploits receive significant attention, they are less common as causes of cloud incidents compared to misconfigurations, which are far more prevalent and pose a greater risk to cloud and container environments.

igure 5. Organizations rated misconfigurations as the top concern for data leakage vectors

Both misconfigurations and traditional vulnerabilities can result in significant damage, but the reach of misconfigurations can be more extensive. High-profile incidents have shown that a misconfigured cloud storage service can lead to massive data breaches, potentially impacting millions of users. In contrast, traditional vulnerabilities might enable deep access to a system but often require further actions to achieve comparable damage. Misconfigurations can expose large volumes of data quickly and broadly, making their impact potentially more widespread.

Misconfigurations: Real-World Impact and Examples

One of the most prominent examples of a misconfiguration leading to a severe security breach is the Capital One incident in 2019. This breach resulted from a misconfigured web application firewall that allowed an attacker to access over 100 million customer records stored in Amazon S3. The exposed data included sensitive personal information, underscoring the critical need for diligent configuration management in cloud environments.

Another significant case involved Tesla, where a misconfigured Kubernetes console was left exposed without any password protection. This vulnerability allowed attackers to exploit Tesla’s cloud resources for cryptocurrency mining. The incident highlighted the crucial need for securing administrative interfaces and implementing robust access controls in container environments.

Misconfigurations can lead to substantial financial repercussions. Direct costs include fines for regulatory noncompliance and expenses related to incident response and remediation. Indirectly, organizations may suffer from diminished customer trust, brand damage, and lost business opportunities.

According to the Telus report, the average cost of a cloud security incident caused by misconfiguration is around USD $3.86 million. IBM's 2023 findings indicate that the average cost of a data breach in the US is USD $9.44 million, encompassing lost revenue, audit, and remediation fees. Between 2018 and 2019, data breaches resulting from cloud misconfigurations cost companies nearly USD $5 trillion.

Misconfigurations also have significant regulatory implications. Regulatory bodies are increasingly focused on cloud security practices. Regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA) impose stringent data protection and privacy requirements. Non-compliance with these regulations can lead to severe fines.

In the Capital One breach, the company faced an $80 million fine and agreed to a $190 million settlement. The ESG report notes that nearly 31% of organizations have reported compliance violations due to cloud security issues. Additionally, another survey revealed that 50% of security and DevOps professionals experienced increased downtime due to misconfigurations, compliance issues, and insecure APIs.

Resolving Cloud and Container Misconfigurations: Security Best Practices and Approaches

Automation and Continuous Monitoring

Manual configuration processes are susceptible to human errors, making automation essential for maintaining consistent security policies across all environments. Automating security settings helps standardize enforcement in development, testing, and production stages. Tools that automate configuration management can address issues like configuration drift—where environments deviate from their intended state over time due to manual changes or updates—ensuring alignment with security policies. Additionally, integrating automated security testing into the development cycle allows for early detection and correction of misconfigurations.

Automation and continuous monitoring offer immediate, consistent, and scalable methods to manage configurations and mitigate risks. It is increasingly common for enterprises to prioritize investment in data privacy and cloud-based security solutions. According to Gartner, spending on these technologies is expected to rise by more than 24% in 2024, driven by the growing adoption of cloud and AI technologies.

Security Training and Awareness

Effective security training and awareness are crucial for maintaining secure cloud and container environments. By implementing regular training programs and embedding security best practices into everyday operations, organizations can greatly minimize the likelihood of misconfigurations, improve incident response times, and better prepare their teams for evolving security threats. A survey conducted by the SANS Institute found that organizations with ongoing security awareness training saw a reduction in incidents by up to 70%.

According to Telus’ report, only 37% of companies have dedicated cloud cybersecurity personnel, while ISC2 has highlighted that 35% of organizations view cloud security as a significant skills gap. Our 2023 survey of cybersecurity professionals in the EU revealed that critical skills such as navigating compliance and regulatory requirements and managing security across various cloud environments are essential. Addressing these gaps through comprehensive training can significantly enhance an organization's security posture.

Implementing DevSecOps

Integrating security into the DevOps pipeline, known as DevSecOps, ensures that security measures are incorporated at every stage of the development lifecycle.

DevSecOps practices bridge the gap between rapid development and robust security. The GitLab 2024 Global DevSecOps Report reveals that 54% of development teams have adopted an integrated DevSecOps platform, resulting in notable gains in developer productivity and operational efficiency. Additionally, organizations that employ DevSecOps practices—such as automated security checks in CI/CD pipelines and continuous monitoring—are four times more likely to deploy multiple times per day, highlighting the efficiency these practices bring.

A Gartner Peer Community survey further supports these benefits, showing that 66% of organizations that adopted DevSecOps experienced fewer security incidents, while 58% saw improvements in their compliance scores. This underscores the value of integrating security into the development process to enhance both security and operational performance.

The Future of Cloud and Container Security

As enterprises continue their shift to cloud environments and adopt container technologies, AI and machine learning (ML) will increasingly become integral to security strategies. These technologies will enhance the detection of misconfigurations by identifying patterns and anomalies that may indicate security risks. AI and ML will also streamline the remediation of these issues, reducing the time and effort required to maintain secure configurations. For instance, DevSecOps tools are already leveraging AI and ML to automate misconfiguration and vulnerability scanning throughout the development lifecycle.

However, the integration of AI and ML brings its own set of challenges, including increased complexity and new security risks. Organizations will need to establish robust governance frameworks to securely integrate and manage AI and ML tools within their cloud environments.

Another trend on the horizon is the evolution of Cloud Security Posture Management (CSPM) tools. These tools are designed to tackle the complex and growing requirements for addressing misconfigurations in cloud-based systems, including IaaS, SaaS, and PaaS. CSPM tools can provide consolidated visibility across multiple cloud environments and automate the enforcement of security policies. While these capabilities are particularly beneficial for organizations using services from various providers, improper implementation of CSPM tools could introduce additional risks.

The adoption of zero-trust architecture is also becoming more prevalent. According to Gartner, 63% of global leaders have partially or fully implemented a zero-trust strategy. Zero trust operates on the principle that no user or device should be trusted by default and requires verification of every access request, regardless of its origin. This approach enhances security by demanding strict identity verification and continuous monitoring, thereby reducing the chances of attackers exploiting misconfigurations.

Despite its recognition as a best practice, zero-trust implementation is not without challenges. Gartner’s survey indicates that 35% of organizations faced significant disruptions during their zero-trust deployments. Furthermore, it is projected that by 2026, 75% of organizations will exclude unmanaged, legacy, and cyber-physical systems from their zero-trust strategies due to their unique and critical functions. These systems, often prone to misconfigurations, require additional security measures. To address these gaps, organizations will need to adopt comprehensive and flexible security solutions that extend protection to all aspects of their cloud and IT environments, including those that cannot be directly managed by zero-trust principles.

How DeepDefend Can Help Uncover Misconfigurations

DeepDefend is uniquely positioned to assist organizations in identifying and addressing misconfigurations in their cloud and container environments. Our Managed Detection and Response (MDR) service is designed to provide comprehensive visibility and proactive security measures to mitigate risks associated with misconfigured permissions and other vulnerabilities.

DeepDefend MDR leverages advanced analytics and threat intelligence to detect anomalies and potential misconfigurations. Our solution continuously monitors your environment, identifying patterns and deviations from expected configurations that may indicate security risks. By integrating DeepDefend’s MDR, you gain access to a team of security experts who not only detect these misconfigurations but also provide actionable insights and recommendations to remediate them effectively.

Our MDR service includes:

• Real-Time Monitoring: Constant surveillance of your cloud and container environments to spot misconfigurations and other security issues as they arise.

• Automated Alerts: Immediate notifications about detected anomalies or deviations from secure configurations, allowing for swift responses.

• Expert Analysis: In-depth analysis from our security professionals who interpret findings and advise on remediation steps.

• Continuous Improvement: Ongoing adjustments and optimizations to security policies and configurations based on evolving threats and best practices.

DeepDefend’s MDR ensures that misconfigurations are not only detected but also addressed efficiently, minimizing their impact on your operations and enhancing your overall security posture.

To see how DeepDefend can protect your organization from misconfigurations and other security risks, click the button below to get a demo.