Services are allowed to run in an insecure way. Why is that, and what can we do about it?
Back in 2018, I created a blog article commenting on the status quo of production grade services allowing users to run them in an insecure fashion.
There are different factors at play, causing both insecure configurations to be allowed by the software, as well as IT departments having software running using insecure configurations.
The developers of a particular service would like people to adopt their technology, and for that, one needs to be able to set up the tool quickly to do some proof of concept work. Furthermore, while eager to implement security features, the priorities of developers are more focused on the stability and features of their software, rather than putting mechanisms in place which protect the user from themselves. They work under the assumption that whoever sets up these services knows what s/he is doing.
The IT departments are being asked on a regular basis to put up a server with some of the latest software available. Setting up some of these services is hard enough, even without proper authentication, authorization and logging practices. From our experience, it takes teams at least three times longer to set up a service in a secure way compared to the initial “just make it work” setup. Also, as with everything, time is key. Moreover, the securing part is being done either to the best of knowledge, or, in the better cases, guides are provided, like e.g. for Hadoop. Automated verifiers are rarely available, and warning messages at startup are easy to ignore.
These two ingredients are the recipe for misconfigurations causing hundreds of data breaches a year.
CoGuard can help us escape this vicious cycle. It provides a framework for a very automated general check for configurations across different software pieces, where recommendations from developers can be added in a streamlined fashion. It provides furthermore a quick way for IT departments to get their services audited. Contact us today and learn more about how we can help you harden your IT infrastructure.