DevSecOps report: Cloud IT complexity creates 'immutable' security issues

Cloud IT deployments can be so complex that security issues cannot be fixed easily -- so they aren't -- raising the attack surface for enterprises.
Written by Tom Foremski, Contributor


A report on DevOps security has found that only 4% of issues found in production are dealt with, because the increased complexity of cloud-based IT systems is creating new security gaps.

The State of DevSecOps report was commissioned by Accurics, which specializes in addressing IT security through infrastructure as code in order to better handle the increased complexity of IT in the cloud.

The report found that the cloud-based IT stack has become very complex with the addition of technologies such as containers. Each additional layer of the IT stack adds new risks.

The authors state: "The crux of the issues lies in the fact that as the cloud native stacks become more complex, point cloud security solutions become inadequate and gaps in coverage start to emerge."

Containers are being used by 84% of the organizations surveyed and 41% are using serverless. The Kinsing malware attack is provided as an example where a simple misconfiguration of an API port allowed hackers to breach container clusters.

"Cloud infrastructure goes far beyond traditional network, storage, and compute; organizations are rapidly adopting new technologies such as serverless, containers, and service mesh," says Piyush Sharrma, CTO at Accurics. "Cloud infrastructure is becoming increasingly immutable: it is never modified after it is deployed. If something needs to be changed, new infrastructure has to be provisioned through code."

But organizations are making errors when provisioning and managing infrastructure through code. About two-thirds of reported security issues were exposed cloud storage services due to "egregious mistakes" that are easily avoidable by applying best practices.

In 90% of cloud deployments the security baseline has shifted due to privileged users making changes without updating the code that was defined "to be the single source of truth."

The report is here: The State of DevSecOps
