
Businesses are sailing into the perfect cloud risk storm

Misconfiguration errors have played a central role in every cloud-based data breach we’ve learned of. These misconfigured “rogue waves” have hit some of the biggest and most advanced cloud customers — Twitch, most recently, and Uber, Imperva, and Capital One before them. All of these attacks involve complex attack chains against the cloud provider’s API control plane.

Security concerns are clearly no longer a barrier to cloud adoption, but a perfect storm of cloud risks has arrived. Let’s examine this perfect storm and its three drivers, and develop a strategy for navigating it safely.

1. Cloud complexity is increasing
The major cloud providers—mostly Amazon Web Services (AWS), Microsoft Azure and Google Cloud—are locked in an innovation race to offer new services. AWS alone provides more than 200 infrastructure services, each with unique configuration options and security considerations. And, whether through strategic choice, acquisition, or chance, most businesses now have a multi-cloud footprint that requires a multi-cloud security strategy.

A typical enterprise cloud environment can contain hundreds of thousands of interrelated resources spanning multiple cloud accounts and business units. Each use case brings different security requirements and must be managed according to global enterprise security and regulatory policies as well as local policies. When these policies are reviewed manually, different people interpret them differently.

While cloud providers continue to roll out more security tools, it’s not enough. As cloud security expert Scott Piper put it, “[P]eople don’t know as much about their cloud environment as they want. … [T]his is where I think many misconfigurations come into play.” For many organizations, the choice is to move fast and take additional risk, or slow down delivery and prove everything is secure and compliant before deployment.

2. Hackers are now cloud security experts
As cloud environments have become more complex, hackers have become very good at exploiting our mistakes. They employ automated technology that scans the internet for cloud vulnerabilities within minutes of deployment.

Once inside your environment, hackers know how to exploit cloud architecture flaws (which are themselves a misconfiguration) to expand the blast radius of any initial security breach. These flaws often allow attackers to use Identity and Access Management (IAM) resources to discover more information about the environment, move laterally, and steal data. The Twitch breach initially involved misconfigured servers, but attackers eventually exploited a series of flaws to steal customer data and sensitive source code from Twitch and its parent company Amazon.

Once an attack on the cloud API control plane begins, it’s too late to stop it. Often, cloud customers don’t know they’ve been hacked until their data is on the dark web (in Twitch’s case) or hackers brag about it online (as with Capital One). As cloud economist Corey Quinn notes in his Screaming in the Cloud podcast: “So, what’s your primary means of detecting a data breach? Honestly, ‘front page in the New York Times.’”

3. The battle for cloud engineering talent
Demand for cloud engineering talent is exploding, and this is reflected in compensation. According to recruiters quoted in the Wall Street Journal, “People with cloud skills typically get two or three strong offers, usually packages worth hundreds of thousands of dollars, and stock options.”

Every company operating in the cloud is competing with tech giants for cloud engineers, including those already on their teams. Most of these companies don’t have the deep pockets and attractive stock options that tech giants have. As Lydia Leong of Gartner says, “It’s not just big tech. Every SI and MSP on the planet is chasing techies everywhere.”

Strategies for coping with storms
1. Get a comprehensive view of your environment and security posture. Cloud breaches occur because security teams lack the visibility needed to detect breaches in a complex graph of cloud resources. Executives should demand a report detailing the full configuration status and security posture of their cloud environment — and security teams should be able to generate a report at any time.

2. Focus on building a security architecture and preventing misconfigurations. Cloud security is an architectural and process issue, and every misconfiguration is a design or process failure. Provide DevOps engineers with tools that flag bugs in their infrastructure as code and explain how to fix them. Set up security guardrails in your CI/CD pipeline to prevent misconfiguration vulnerabilities from being deployed.

3. Use policy-as-code-driven automation to build scalable cloud security. Policy as code is the only way to efficiently support multiple business units and their myriad use cases and local policy requirements without slowing them down. A good starting point is Open Policy Agent, a Cloud Native Computing Foundation project used by major businesses like T-Mobile, Goldman Sachs, and Netflix.
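The CI/CD guardrail and policy-as-code steps above can be sketched as a gate that evaluates a Terraform plan before deployment. This is an added example, not code from the article; it uses plain Python as a stand-in for a dedicated policy engine, and the resource addresses, the three rules and the sample plan are constructed assumptions.

```python
import json

# Constructed sample, trimmed to the fields used, shaped like `terraform show -json` output.
PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"protocol": "tcp", "from_port": 22, "to_port": 22,
          "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_iam_policy.app", "type": "aws_iam_policy",
     "change": {"actions": ["update"], "after": {"policy": json.dumps(
         {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})}}},
]}

def public_acl(after):
    if after.get("acl") in ("public-read", "public-read-write"):
        yield f"bucket ACL is {after['acl']}"

def open_admin_port(after):
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not {"0.0.0.0/0", "::/0"} & set(cidrs):
            continue
        for port in (22, 3389):  # SSH and RDP
            # protocol "-1" means all protocols and ports, whatever the port range says
            if rule.get("protocol") == "-1" or rule["from_port"] <= port <= rule["to_port"]:
                yield f"port {port} open to the internet"

def wildcard_iam(after):
    stmts = json.loads(after.get("policy") or "{}").get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and "*" in actions:
            yield "policy allows Action '*'"

POLICIES = {"aws_s3_bucket_acl": [public_acl],  # rule set is data, versioned with the code
            "aws_security_group": [open_admin_port],
            "aws_iam_policy": [wildcard_iam]}

def evaluate(plan):
    violations = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after") or {}  # None when the resource is deleted
        for rule in POLICIES.get(rc["type"], []):
            violations += [f"{rc['address']}: {msg}" for msg in rule(after)]
    return violations

if __name__ == "__main__":
    # Prints the violations and exits 1 (failing the CI job), or exits 0 if none.
    raise SystemExit("\n".join(evaluate(PLAN)) or 0)
```

Each violation names the resource address, so the engineer who wrote the infrastructure as code sees what to fix before anything reaches the cloud account.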

With a holistic approach to cloud security built on a consistent and scalable policy-as-code foundation, one that helps software engineers develop secure cloud infrastructure and prevents misconfigurations in deployments, you can avoid the danger that has befallen other complex enterprise cloud customers.


