As a vast majority of companies make the rapid shift to work-from-home to stem the spread of COVID-19, a significant percentage of IT and cloud professionals are concerned about maintaining the security of their cloud environments during the transition.

The findings are a part of the State of Cloud Security survey conducted by Fugue, the company putting engineers in command of cloud security. The survey found that 96% of cloud engineering teams are now 100% distributed and working from home in response to the crisis, with 83% having completed the transition or in the process of doing so.

Managing cloud infrastructure remotely

Of those that are making the shift, 84% are concerned about new security vulnerabilities created during the swift adoption of new access policies, networks, and devices used for managing cloud infrastructure remotely.

“What our survey reveals is that cloud misconfiguration not only remains the number one cause of data breaches in the cloud, the rapid global shift to 100% distributed teams is creating new risks for organizations and opportunities for malicious actors,” said Phillip Merrick, CEO of Fugue. “Knowing your cloud infrastructure is secure at all times is already a major challenge for even the most sophisticated cloud customers, and the current crisis is compounding the problem.”

Traditional security analysis tools

Because cloud misconfiguration exploits can be so difficult to detect using traditional security analysis tools, even after the fact, 84% of IT professionals are concerned that their organization has already suffered a major cloud breach that they have yet to discover (39.7% highly concerned; 44.3% somewhat concerned). 28% state that they’ve already suffered a critical cloud data breach that they are aware of.

In addition, 92% are worried that their organization is vulnerable to a major cloud misconfiguration-related data breach (47.3% highly concerned; 44.3% somewhat concerned). Over the next year, 33% believe cloud misconfigurations will increase and 43% believe the rate of misconfiguration will stay the same. Only 24% believe cloud misconfigurations will decrease at their organization.

Preventing cloud misconfiguration

Preventing cloud misconfiguration remains a significant challenge for cloud engineering and security teams. Every team operating in the cloud has a misconfiguration problem, with 73% citing more than 10 incidents per day, 36% experiencing more than 100 per day, and 10% suffering more than 500 per day. 3% had no idea what their misconfiguration rate is.

The top causes of cloud misconfiguration cited are a lack of awareness of cloud security and policies (52%), a lack of adequate controls and oversight (49%), too many cloud APIs and interfaces to adequately govern (43%), and negligent insider behavior (32%). Only 31% of teams are using open source policy-as-code tooling to prevent misconfiguration from happening, while 39% still rely on manual reviews before deployment.

Identity and access management permissions

Respondents cited a number of critical misconfiguration events they’ve suffered, including object storage breaches (32%), unauthorized traffic to a virtual server instance (28%), unauthorized access to database services (24%), overly-broad Identity and Access Management permissions (24%), unauthorized user logins (24%), and unauthorized API calls (25%). Cloud misconfiguration was also cited as the cause of system downtime events (39%) and compliance violation events (34%).

While malicious actors use automation tools to scan the internet to find cloud misconfigurations within minutes of their inception, most cloud teams still rely on slow, manual processes to address the problem. 73% use manual remediation once alerting or log analysis tools identify potential issues, and only 39% have put some automated remediation in place. 40% of cloud teams conduct manual audits of cloud environments to identify misconfiguration.
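The survey contrasts manual reviews and manual remediation with open source policy-as-code tooling that catches misconfiguration before or shortly after deployment. The following is an added example, not Fugue's code or any real policy engine: a small policy-as-code evaluator in Python that runs three rules over a constructed inventory snapshot. The rules cover the three misconfiguration classes the respondents cited most often, publicly readable object storage, a virtual server instance reachable on a sensitive port from the whole internet, and an IAM policy that allows every action on every resource. The resource shapes and identifiers are simplified assumptions modelled loosely on AWS concepts, not a provider API.

```python
"""Minimal policy-as-code evaluator for cloud resource snapshots.

Added example (hypothetical): resource shapes below are constructed,
simplified inputs modelled loosely on AWS concepts, not a real provider API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str          # which policy rule fired
    resource_id: str   # the offending resource
    detail: str        # human-readable explanation for the remediation ticket


# Constructed snapshot: what an inventory export of a small account might look like.
SAMPLE_RESOURCES = [
    {"type": "storage_bucket", "id": "bucket-public-logs",
     "acl": "public-read", "block_public_access": False},
    {"type": "storage_bucket", "id": "bucket-private-backups",
     "acl": "private", "block_public_access": True},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-db",
     "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "iam_policy", "id": "policy-admin-everything",
     "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"type": "iam_policy", "id": "policy-read-bucket",
     "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                     "Resource": "arn:aws:s3:::bucket-private-backups/*"}]},
]

# Ports that should never be exposed to 0.0.0.0/0: remote admin and databases.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}


def check_public_bucket(r):
    """Object storage must have a private ACL and public-access blocking on."""
    if r["type"] != "storage_bucket":
        return None
    if r["acl"] != "private" or not r["block_public_access"]:
        return Finding("public-bucket", r["id"],
                       f"acl={r['acl']}, block_public_access={r['block_public_access']}")
    return None


def check_open_sensitive_port(r):
    """Security groups must not open admin/database ports to the whole internet."""
    if r["type"] != "security_group":
        return None
    open_ports = sorted(rule["port"] for rule in r["ingress"]
                        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in SENSITIVE_PORTS)
    if open_ports:
        return Finding("open-sensitive-port", r["id"],
                       f"ports {open_ports} open to 0.0.0.0/0")
    return None


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_wildcard_iam(r):
    """IAM policies must not grant Allow on Action:* for Resource:*."""
    if r["type"] != "iam_policy":
        return None
    for st in r["statements"]:
        if (st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            return Finding("wildcard-iam", r["id"], "Allow Action:* on Resource:*")
    return None


RULES = [check_public_bucket, check_open_sensitive_port, check_wildcard_iam]


def evaluate(resources, rules=RULES):
    """Run every rule over every resource; return the list of findings."""
    findings = []
    for r in resources:
        for rule in rules:
            finding = rule(r)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    # On the constructed snapshot this reports three findings, one per rule.
    for f in evaluate(SAMPLE_RESOURCES):
        print(f"[{f.rule}] {f.resource_id}: {f.detail}")
```

Run in a pre-deployment pipeline, a non-empty findings list is the signal to fail the build; run on a schedule against a live inventory export, each finding is a remediation ticket with the rule name and resource already filled in, which is the part of the process the survey's respondents are still doing by hand.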

A reliance on manual approaches to managing cloud misconfiguration creates new problems, including human error in missing or miscategorizing critical misconfigurations (46%) and when remediating them (45%). 43% cite difficulties in training team members to correctly identify and remediate misconfiguration, and 39% face challenges in hiring enough cloud security experts. Issues such as false positives (31%) and alert fatigue (27%) were also listed as problems teams have encountered.

Effectiveness of cloud misconfiguration management

The metric for measuring the effectiveness of cloud misconfiguration management is Mean Time to Remediation (MTTR), and 55% think their ideal MTTR should be under one hour, with 20% saying it should be under 15 minutes. However, 33% cited an actual MTTR of up to one day, and 15% said their MTTR is between one day and one week. 3% said their MTTR is longer than one week.

With cloud misconfiguration rates at such high levels and a widespread reliance on manual processes to manage it, the costs are predictably high for cloud customers. 49% of cloud engineering and security teams are devoting more than 50 person-hours per week to managing cloud misconfiguration, with 20% investing more than 100 hours on the problem.

Helping prioritize remediation efforts

When asked what they need to more effectively and efficiently manage cloud misconfiguration, 95% said tooling to automatically detect and remediate misconfiguration events would be valuable (72% very valuable; 23% somewhat valuable). Others cited the need for better visibility into cloud infrastructure (30%), timely notifications on dangerous changes (i.e., “drift”) and misconfiguration (28%), and improved reporting to help prioritize remediation efforts (8%).

Cloud security is about preventing the misconfiguration of cloud resources such as virtual servers, networks, and Identity and Access Management (IAM) services. Malicious actors exploit cloud misconfiguration to gain access to cloud environments, discover resources, and extract data. The National Security Agency states that “misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.”

Potentially risky misconfigurations

With the cloud, there’s no perimeter that can be defended, exploits typically don’t traverse traditional networks, and legacy security tools generally aren’t effective. Because developers continuously build and modify their cloud infrastructure, the attack surface is highly fluid and expanding rapidly. Organizations widely recognized as cloud security pioneers can fall victim to their own cloud misconfiguration mistakes.

With the Shared Responsibility Model, cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform are responsible for the ‘security of the cloud,’ and the customer is responsible for the ‘security in the cloud.’ While cloud providers can educate and alert their customers about potentially risky misconfigurations and good security practices, they can’t prevent their customers from making misconfiguration mistakes.

Fugue partnered with Propeller Insights to survey 300 IT, cloud, and security professionals, including DevOps engineers, cloud architects, security engineers, site reliability engineers (SREs), DevSecOps engineers, and application developers. Professionals from companies representing a variety of industries that use Amazon Web Services, Microsoft Azure, and Google Cloud Platform for cloud computing were surveyed.
