How cloud computing turned security on its head
When an organization migrates its IT systems to the cloud -- and builds new applications in the cloud -- it relieves its security team of the responsibility of building and maintaining physical IT infrastructure. The shared security model of cloud dictates that cloud service providers (CSPs) such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure are responsible for the security of the physical infrastructure. Their customers are responsible for the secure use of cloud resources.
But embracing the cloud for building and managing new applications means security teams cannot deploy the traditional security technologies and processes they’ve long relied on to thwart cyberattacks. Cloud computing represents a paradigm shift in their roles and responsibilities and their approach to protecting sensitive data against falling into the wrong hands.
Developers own their cloud environments
The cloud enables developers and engineers to build their infrastructure on the fly without the assistance of a data center team. They have the power to make their own infrastructure decisions -- including security-critical configurations -- and then change them whenever they need to. When they do make changes, they increase the risk of creating misconfigurations that leave their environment open to attack -- vulnerabilities that traditional network and endpoint security solutions cannot detect.
Why? Because application programming interfaces (APIs) -- the software intermediaries that allow different applications to interact with each other -- are the foundation of cloud computing. API-driven cloud environments eliminate the requirement for constructing and maintaining a fixed IT architecture in a centralized data center. The cloud is programmable software, and. developers are using infrastructure as code (IaC) to automate the building and managing of cloud infrastructure at scale.
These workflows make it impossible to apply the traditional security model of erecting an outward-facing barrier around the perimeter to block incoming attacks, and periodic audits are obsolete before they’re completed. Security in the cloud is a function of design and architecture, not just monitoring and intrusion detection. Cloud attackers are after the cloud control plane APIs for discovery, movement, and data extraction. Organizations must prioritize securing the control plane to prevent hackers from acquiring its API keys. Their approach to security must evolve to keep pace with the hackers.
Attackers operate differently in the cloud
Bad actors use automation technology to detect weaknesses they can exploit, such as cloud misconfigurations, application vulnerabilities, and API keys in source code. Once they choose their targets, they go hunting for data using the cloud control plane. Control plane compromise has occurred in every major cloud breach that has happened to date.
Cloud security teams often find and remediate dozens of misconfiguration issues daily. But misconfigurations are just part of the more significant security threat that represents only one of the paths a hacker can take to achieve control plane compromise. Focusing only on finding and eliminating single resource misconfigurations is tilting at windmills because hackers will eventually slip through. Focusing solely on identifying indicators of compromise (IOCs) is even riskier -- cloud breaches can happen in a matter of minutes before teams have a chance to respond, even with the best monitoring, analysis and alerting tools.
Study models of cloud security
Companies that are getting cloud security "right," no matter their size or industry, all share five traits:
- They understand their environment because they have established complete situational awareness about what is happening in their environment at all times. They no longer rely on the legacy approach of conducting periodic audits and reviewing alerts. They understand attackers use automated tools to find and exploit vulnerabilities as soon as they appear and can do significant damage in minutes.
- They focus on secure architecture because, again, today’s cloud attacks exploit misconfiguration of the whole environment, not just individual resources. This highlights the importance of the cloud security architect’s role in minimizing the risk of control plane compromise -- and understanding how their cloud security relates to application security.
- They empower developers on security. Developers are building cloud applications and environments, and they’re in the best position to address security and prevent issues before they get deployed. Effective security teams equip developers with the tools they need to prevent misconfigurations and design secure cloud environments.
- They build on a foundation of policy as code (PaC). PaC checks other code and running environments for unwanted conditions for things that should not be. It empowers all cloud stakeholders to check their work and operate securely without ambiguity or disagreement on the rules and how to apply them at both ends of the software development life cycle (SDLC).
- They maintain process discipline by consistently measuring what matters, such as whether security technologies and processes are reducing the rate of misconfiguration and improving developers’ productivity by automating security checks and approvals.
The topline takeaway for your organization is this: Many of the security tools and best practices that worked in the data center cannot protect your cloud environment and data. However, that doesn’t mean you need to ditch everything you’ve been using. Instead, understand which ones still apply and which ones are now obsolete. For instance, application security is as critical as ever, but network monitoring tools that rely on spans or taps to inspect traffic aren’t because cloud providers don't typically provide direct network access. The primary cloud security gaps you need to fill are concerned with resource configuration and the architecture of your environment.
The good news is that just as the cloud is programmable and can be automated, so is your cloud environment’s security. You can deploy automation to empower developers to build and operate safely in the cloud and have processes in place to find and fix vulnerabilities before attackers can find them. Your application teams can deliver innovation faster, your cloud engineers can focus more on building value, and your security team can do more with the resources they have.
Josh Stella is chief architect at Snyk and a technical authority on cloud security. Josh brings 25 years of IT and security expertise as founding chief technology officer at Fugue, principal solutions architect at Amazon Web Services, and advisor to the U.S. intelligence community. Josh’s personal mission is to help organizations understand how cloud configuration is the new attack surface and how companies need to move from a defensive to a preventive posture to secure their cloud infrastructure. He wrote the first book on "Immutable Infrastructure" (published by O’Reilly), holds numerous cloud security technology patents, and hosts an educational Cloud Security Masterclass series. Connect with Josh on LinkedIn and via Fugue at www.fugue.co.