Radar #1: Week of 10/28/2024

The Datadog Cloud Security Report, the SEC charging four companies for misleading cyber disclosures, and Apple open-sourcing Private Cloud Compute resources.
Learn more about The Radar here

Datadog State Of Cloud Security 2024

Datadog has unique insight into the cloud environment of many vendors. Every year, they publish their “State of Cloud Security Report.” Here are my takeaways on each point.

  1. Long-lived creds continue to be a major risk: We still don’t know how to stop leaking credentials. There needs to be a better solution to storing the keys to our organizations. I’d like to see a free and open-source secrets manager.
  2. Adoption of public access blocks in cloud storage services is rapidly increasing: Exposed buckets are slowly being fixed. The data shows a nearly 30% increase over the past two years in S3 buckets having a “public access block”. Turns out, service providers shipping secure defaults (i.e., not public by default) is tremendously helpful.
  3. Less than half of EC2 instances enforce IMDSv2, but adoption is growing fast: Just migrate to IMDSv2 if you haven’t already. Turns out, secure defaults are, once again, very helpful.
  4. Securing managed Kubernetes clusters requires non-default, cloud-specific tuning: Biggest takeaway for me – Even managed Kubernetes clusters aren’t secure by default. If you’re running a cluster, it’s important to know the risks of an attacker pivoting into your cloud infrastructure. On average, 10% of clusters across service providers have a node role that has dangerous permissions. Takeaway: Start getting reputable companies to pentest your Kubernetes infrastructure.
  5. Insecure IAM roles for third-party integrations leave AWS accounts at risk of exposure: Giving third parties access to your cloud is risky. Datadog cites that 10% of the vendor accounts they looked at had access to all data in an account or could take over a whole AWS account.
  6. Most cloud incidents are caused by compromised cloud credentials: No surprises here after reading point 1. Remember to scan your code with tools like gitleaks or trufflehog, and remember to check your commit history for secrets.
  7. Many cloud workloads are excessively privileged or running in inappropriate places: Assigning overprivileged permissions to workloads such as VMs allows service accounts access to more data than they need. Datadog found that ~17% of accounts had excessive data access and 4% had risky permissions allowing for lateral movement. ~3% had full admin access.
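As an added example (not from the Datadog report or this post), here are small audit helpers for three of the findings above: long-lived IAM access keys, buckets without a full public access block, and instances that still accept IMDSv1. They operate on the response shapes boto3 returns from `iam.list_access_keys()`, `s3.get_public_access_block()` and `ec2.describe_instances()`; the sample responses embedded at the bottom are constructed so the script runs offline.

```python
"""Audit helpers for three findings in the report: long-lived IAM access keys
(point 1), S3 buckets without a full public access block (point 2) and EC2
instances that do not enforce IMDSv2 (point 3). Inputs are the dict shapes
boto3 returns from iam.list_access_keys(), s3.get_public_access_block() and
ec2.describe_instances(); the sample responses at the bottom are constructed."""
from datetime import datetime, timedelta, timezone

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def stale_access_keys(resp, now, max_age_days=90):
    """IDs of active keys created more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in resp["AccessKeyMetadata"]
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]

def bucket_missing_block(pab_resp):
    """True unless all four block flags are on. Pass None when the call raised
    NoSuchPublicAccessBlockConfiguration, i.e. no block exists at all."""
    if pab_resp is None:
        return True
    cfg = pab_resp["PublicAccessBlockConfiguration"]
    return not all(cfg.get(flag, False) for flag in PAB_FLAGS)

def instances_without_imdsv2(resp):
    """IDs of instances whose metadata endpoint is enabled but still accepts
    token-less IMDSv1 requests (HttpTokens != "required"). Fix each one with
    ec2.modify_instance_metadata_options(InstanceId=..., HttpTokens="required")."""
    found = []
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if (opts.get("HttpEndpoint", "enabled") == "enabled"
                    and opts.get("HttpTokens") != "required"):
                found.append(inst["InstanceId"])
    return found

# Constructed sample responses (not real accounts, keys or instances).
NOW = datetime(2024, 10, 28, tzinfo=timezone.utc)
KEYS = {"AccessKeyMetadata": [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive", "CreateDate": NOW - timedelta(days=900)}]}
PAB_PARTIAL = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
    "IgnorePublicAcls": True, "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0legacy", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0hardened", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0noimds", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}}]}]}

if __name__ == "__main__":
    print(stale_access_keys(KEYS, NOW), bucket_missing_block(PAB_PARTIAL), instances_without_imdsv2(INSTANCES))
```

Against the constructed data this flags the 400-day-old key, the bucket whose BlockPublicPolicy is off, and only the instance that has IMDS enabled with tokens optional.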

While this report is phenomenal, I do wonder if it suffers from some level of survivorship bias. The data from the report “has come from customers of Datadog Infrastructure Monitoring, Datadog Logs, and Datadog Cloud Security Management (CSM)”. This means companies that do not have the budget for expensive security services are not included, potentially skewing the data.

SEC Charges Four Companies With Misleading Cyber Disclosures

The SEC charged four companies with civil penalties in connection with the SolarWinds hack: Unisys ($4,000,000), Avaya ($1,000,000), Check Point ($995,000), and Mimecast ($990,000). The reputational damage is a far greater concern than the fines. The commonality is that each of these companies downplayed and minimized the severity of its incident. The SEC said: “The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

Only a few companies are named, but this signals a quiet but necessary shift toward placing more responsibility on companies to be forthcoming about the scale and scope of their incidents. I would imagine every Fortune 500 security department is going to use this as justification for getting more resources. If you don’t have the tools, resources, or people to confidently say what data was lost, I would identify that as a business risk.

Apple Open Sources Private Cloud Compute Resources

Back in June, Apple announced their “Private Cloud Compute” technology, which allows workloads originating on an Apple device (with relatively low computing power compared to cloud/data center hardware) to be processed on a device in the cloud with more powerful, more specialized computational hardware. The unique aspect is the security guarantees Apple provides around the AI’s processing of the data; specifically, Apple states: “user data sent to PCC isn’t accessible to anyone other than the user – not even to Apple”.

Apple, who is not typically known for being open about their hardware and software, has published technical details about the architecture of their Private Cloud Compute environments, released a set of tools that lets security researchers attempt to break Apple’s security guarantees, and released some of the source code. Additionally, their bug bounty program for Private Cloud Compute reaches up to $1,000,000 for “Remote Attacks on Request Data”.

A release of information, tooling, and source code, plus a potential $1,000,000 bug bounty payout to security researchers who break their security, shows that Apple is VERY confident in their design. For context, $1,000,000 is approaching the market price of an iMessage remote code execution and privilege escalation zero-day on Zerodium ($1,500,000), which is highly unusual. Apple does not historically go the open-source route.

I think Apple knows that people are generally wary of trusting AI systems. Apple was a bit late to the AI game, but I think the angle they’re taking of attempting to make the most trusted AI system is a very smart move. I hope it’s successful and I hope it inspires Apple to go more of the open-source route in the future.

Caught My Eye

  • Sublime Security - EML Analyzer: A “free unauthenticated tool for analyzing email messages.” Seems fairly accurate from a few spam emails I uploaded. Self-hostable with docker. Might be good to point your non-technical friends towards it after advising them not to upload highly sensitive emails.
  • Active Cyber Defense - Taking Back Control: A fun reminder that even a whiff of active defense technologies being used will stress out red teams (and attackers)
  • Links can be sent with specific text highlighted by appending a special sequence of characters to the URL: #:~:text=the text you wish to highlight. For example: https://en.wikipedia.org/wiki/Cast-iron_cookware#:~:text=soap

Newsletter

Want this sent straight to your inbox? You can subscribe here to have it sent every Monday morning.