According to Sysdig‘s 2022 Cloud-Native Security and Usage Report, 75% of containers have “high” or “critical” patchable vulnerabilities. What it implies is a fairly significant level of risk acceptance, which is not unusual for high agility operating models, but can be very dangerous. The report reveals that as teams rush to expand, container security and usage best practices are sacrificed, leaving openings for attackers.
In addition, operational controls lag, potentially resulting in hundreds of thousands of dollars being wasted on poor capacity planning. All of these are indicators that cloud and container adoption is maturing beyond early, “expert” adopters, but moving quickly with an inexperienced team can increase risk and cost, the report adds.
Also, 73% of cloud accounts contain exposed S3 buckets and 36% of all existing S3 buckets are open to public access. The amount of risk associated with an open bucket varies according to the sensitivity of the data stored there. However, leaving buckets open is rarely necessary and it’s usually a shortcut that cloud teams should avoid.
The report also adds that cloud security best practices and the CIS Benchmark for AWS indicate that organizations should avoid using the root user for administrative and daily tasks, yet 27% of organizations continue to do so. Forty-eight percent of customers don’t have multi-factor authentication (MFA) enabled on these highly privileged accounts, which makes it easier for attackers to compromise the organization if the account credentials are leaked or stolen.
Capacity management and planning are difficult in fast changing Kubernetes environments and limits on how many resources a container can use can go undefined. According to the report, 60% of containers had no CPU limits defined and 51% had no memory limits defined. Of those clusters that did have CPU limits, an average of 34% of CPU cores were unused. Without knowing the utilization of clusters, organizations could be wasting money due to overallocation or causing performance issues by running out of resources. Given the average cost of Amazon Web Services CPU pricing, an organization with 20 Kubernetes clusters could be overspending up to $400,000 yearly.