If the cloud is more secure, then why is everything still broken?

Seventy-five percent of running containers have high or critical vulnerabilities, according to our recent study. Worse yet, these flaws have patches available, so they could be (but haven’t been) fixed. Many industry veterans wouldn’t be surprised by statistics like these, but weren’t things supposed to be better in the cloud?

Things will be better, and for some people they already are. The most advanced and meticulous teams can reduce the number of running vulnerable containers to 5% or less. They accomplish this by shifting security testing to the left in their software delivery pipelines and building streamlined, easy remediation workflows for developers and operators alike. Creating good processes around shiny technology has always been the greatest of all security struggles, and it’s no different in the cloud.

Bringing Bad Habits to the Cloud
Cloud migration does not magically modernize workloads or the processes around them, and security is no exception. In fact, security is often the last thing we want to address because it tends to slow down everything else.

Let’s take the example of multifactor authentication (MFA). Most of us know, or at least have heard, that this is something we should implement, especially for accounts that are the most important to protect. But do you have MFA set up on all your bank accounts? Most of us probably don’t. We never seem to have the time, and the extra prompt asking you to confirm your identity every time becomes annoying.

The cloud isn’t all that different because it’s operated by humans. Sysdig data shows that 48% of organizations don’t have MFA enabled on their most privileged account, the root user. Further, 27% of organizations use this account for administrative tasks, against the advice of cloud best practices and Center for Internet Security (CIS) benchmark guidelines.

Because identity and access management (IAM) is one of the most critical cloud security controls, we should strive to develop new, cloud-native processes around it. Cloud teams should create IAM roles scoped to specific tasks with no extra permissions, as well as train their users on how assumed roles work.

Oh, and please enable MFA!

To read the complete article, visit Dark Reading.