Identity & Access Management tools now the most common source of cloud misconfiguration bugs, report

IAM misconfiguration has played an increasing role in cloud breaches over the past few years, finds Sonatype/Fugue research

Cloud misconfigurations are an increasingly prevalent source of security and compliance vulnerabilities, according to the latest annual report by Sonatype and Fugue, The State of Cloud Security 2021.

Organisations are increasingly dependent on cloud services, with the variety of those services and their interactions creating complexity and making misconfigurations more likely. Forty-five per cent of respondents said they manage cloud environments that span different providers.

The most commonly cited source of misconfigurations, based on a survey of 300 cloud professionals, was Identity and Access Management (IAM), an area that has risen in importance during the pandemic with the need to manage remote workers.

"Because cloud IAM resources effectively serve as a new network, IAM misconfiguration has played an increasing role in cloud breaches over the past few years as attackers use it to discover resources, move laterally, and access data for extraction," the report notes.

Security group and firewall misconfigurations were the next most common, although down from last year.

In joint third place were object storage and database access policies, of the type which sometimes leave repositories of private data accessible from the public internet. The prevalence of this error had fallen slightly since last year, thanks to better alerting systems being put in place by cloud providers.

Encryption in transit being disabled - or not enabled in the first place - was cited by a similar number of respondents.

Among the underlying causes of cloud misconfigurations, difficulty in managing an ever-growing number of APIs and interfaces was mentioned most, along with a lack of controls and oversight.

Responsibility for cloud security commonly falls across multiple functions (engineering, compliance, security, consultants) and the dividing lines may not always be clear.

Many of the data breaches that make the headlines are the result of the exploitation of cloud misconfiguration mistakes, the report notes. With attackers using automated tools to sniff out and attack vulnerabilities, organisations should seek to automate their cloud infrastructure and compliance settings wherever possible.