January 22, 2025 By Jennifer Gregory

Organizations often set up security rules to help reduce cybersecurity vulnerabilities and risks. The 2024 Cost of a Data Breach Report discovered that 40% of all data breaches involved data distributed across multiple environments, meaning that these best-laid plans often fail in the cloud environment.

Not surprisingly, many organizations find keeping a robust security posture in the cloud to be exceptionally challenging, especially with the need to enforce security policies consistently across dynamic and expansive cloud infrastructures. The recently released X-Force Cloud Threat Landscape 2024 Report delved into which specific rules are most commonly failing. By understanding key vulnerabilities, organizations can then figure out the best approach for reducing their risks.

“Regulations are increasing, requiring organizations to implement more compliance policies with security top of mind, which puts a lot of overhead on these organizations,” says Mohit Goyal, Product Management at Red Hat Insights. “The Compliance service within Red Hat Insights provides a more elegant way to manage and deploy these policies on systems to get ahead of any gaps.”

Environment influences failure of security rules

During the research, X-Force analyzed two sets of data across the cloud — one set operating in 100% cloud-only environments and the other with a hybrid of 50% to 99% of their Red Hat Enterprise Linux (RHEL) systems in the cloud. Interestingly, researchers found a different set of most failed rules for each of the two different groups.

Goyal says that the team intentionally looked at both environments because Red Hat caters to customers across the hybrid cloud. During the research, the team discovered that in the 100% cloud group, security rules often failed due to misconfiguring assets, meaning that organizations should focus on configuration guidelines. Meanwhile, in the hybrid environment, most failed rules revolved around authentication and cryptography policies.

When asked who is often responsible for the configurations, Goyal says it varies at different organizations. At smaller companies, a single employee often wears multiple hats. However, at larger organizations, the roles are typically well defined with multiple people involved — for example, a system administrator, a security/risk administrator and a compliance administrator.

Top failed rules in organizations with 100% cloud systems

Researchers found that in situations where all data was stored in the public cloud, the most commonly failed rule was configuration and security guidelines for Linux systems. Researchers described this rule as focusing on configuring essential security and management settings in Linux systems. Examples include setting the default zone for the firewall and isolating the /tmp directory on a separate partition to enhance security and manage disk space effectively. The mitigation is configuring the default zone for the firewall service to make sure the network security is properly configured in Red Hat-based systems.

Other top failed rules include:

  • Secure mount options for critical directories
  • User home directory management
  • Service management
  • NFS service management

Top failed rules in organizations with hybrid environments

After analyzing data within a hybrid environment, researchers found that authentication and cryptography policies often failed. These rules focus on standardizing and securing the authentication mechanisms and cryptographic requirements defined in a given policy. Organizations set these rules to ensure consistent and strong security practices across the system. The mitigation involves using authselect to standardize and simplify the management of authentication settings.

Other commonly failed rules in hybrid environments include:

  • Account and SSH configuration
  • SSH security measures
  • Umask configuration
  • Process debugging restrictions
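As an added example, not code from the article, the report or Red Hat Insights, the POSIX shell helpers below audit four settings behind rules named in the two lists above: the /tmp mount options, the firewalld default zone, the login.defs umask and the ptrace restriction. The file paths and keys they read (/etc/fstab, DefaultZone in /etc/firewalld/firewalld.conf, UMASK in /etc/login.defs, kernel.yama.ptrace_scope) are my assumed mappings for those rules, and every input is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added audit helpers (assumed mapping of the article's rules to config files).
# Each function takes the TEXT of a config file so it can be exercised offline.

# Constructed sample fragments standing in for the real files on a RHEL host.
SAMPLE_FSTAB='UUID=1111-2222 /    xfs defaults 0 0
UUID=3333-4444 /tmp xfs defaults,nodev,nosuid,noexec 0 0'
SAMPLE_FIREWALLD_CONF='# firewalld config
DefaultZone=public'
SAMPLE_LOGIN_DEFS='UMASK 027'
SAMPLE_SYSCTL='kernel.yama.ptrace_scope = 1'

# tmp_mount_status FSTAB_TEXT: prints "ok" when /tmp is its own mount with
# nodev,nosuid,noexec; "missing" when there is no /tmp entry; "weak:<opts>" otherwise.
tmp_mount_status() {
    opts=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { print $4 }')
    if [ -z "$opts" ]; then echo missing; return 1; fi
    for need in nodev nosuid noexec; do
        case ",$opts," in
            *",$need,"*) ;;
            *) echo "weak:$opts"; return 1 ;;
        esac
    done
    echo ok
}

# default_zone CONF_TEXT: prints the configured DefaultZone (empty when unset).
default_zone() {
    printf '%s\n' "$1" | sed -n 's/^DefaultZone=//p'
}

# umask_ok LOGIN_DEFS_TEXT: succeeds only for the common hardened values 027 or 077.
umask_ok() {
    u=$(printf '%s\n' "$1" | awk '$1 == "UMASK" { print $2 }')
    case "$u" in 027|077) return 0 ;; *) return 1 ;; esac
}

# ptrace_restricted SYSCTL_TEXT: succeeds when kernel.yama.ptrace_scope is 1 or higher.
ptrace_restricted() {
    v=$(printf '%s\n' "$1" | sed -n 's/^kernel\.yama\.ptrace_scope *= *//p')
    [ -n "$v" ] && [ "$v" -ge 1 ]
}

# Run the checks against the constructed samples; on a real host replace each
# SAMPLE_* value with "$(cat /path/to/file)".
echo "/tmp mount: $(tmp_mount_status "$SAMPLE_FSTAB")"
echo "firewalld default zone: $(default_zone "$SAMPLE_FIREWALLD_CONF")"
umask_ok "$SAMPLE_LOGIN_DEFS" && echo "umask: ok"
ptrace_restricted "$SAMPLE_SYSCTL" && echo "ptrace_scope: restricted"
```

A non-zero exit from any helper marks the host for the corresponding remediation, which is the same signal a compliance scan turns into a playbook run.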

Why mitigation commonly fails

Because each rule comes with a mitigation, a common question raised by the report is why mitigations so often fail. The answer is not a simple one: the reasons range from misconfiguration and lack of training to differences between environments.

“Security, in general, is a complex area, and with the threat landscape constantly changing and evolving, it’s hard to maintain the status quo,” Goyal says. “As new technologies and new requirements come into play and the footprint increases, it ultimately leads to a lot of complexity.”

Goyal predicts that the policies are going to increase in number and only become more complex. Organizations need solutions that help them stay on top of these complexities while reducing the burden of operational overhead. By highlighting the gaps, leaders can understand where the risk lies and create a plan to close those gaps.

Reducing rule failures

Confirming that all rules are followed, and that the mitigation is applied correctly when a rule fails, is time-consuming, explains Goyal. At large enterprises, cybersecurity professionals carry a heavy burden of complex processes. Team members must constantly optimize and check for security while also completing other tasks. Organizations are increasingly turning to Ansible automation, such as with Red Hat Insights, for more effective and efficient remediation.

With Red Hat Insights, an organization can deploy its compliance policies (for example, a PCI or HIPAA data governance policy) on RHEL systems. After analyzing these systems, Insights displays the level of compliance or non-compliance of the systems with the organization’s policies; it also recommends actions to address the non-compliance. Organizations can choose to deploy the Ansible playbook on the systems with just a few clicks to become compliant again. Because the process is automated, it’s more effective and efficient than manually identifying and remediating each system separately.

“Large enterprises need this ability to help keep their costs in control and prevent security gaps from being exploited by bad actors,” says Goyal.

Cloud security: A shared responsibility

Because multiple organizations are involved in a cloud environment, a key question is often about who bears the responsibility for security — the organization or the vendor. Goyal says that security is a dual responsibility.

“As a vendor to our customer, there is a responsibility to make sure they have a product that is built with its security posture front-and-center and has feature-rich functionality that allows organizations to effectively manage their organizational IT security strategy. However, they have to also configure and deploy the product correctly,” says Goyal. “Additionally, organizations need to make sure that their cloud provider emphasizes operational security. At the same time, organizations also need to take ownership for the security of the configurable components of their environment.”
