COVID-19 Shines a New Light on Cloud Misconfiguration Risk
April 14, 2020

Josh Stella
Fugue

With very few exceptions, all software engineering teams are now operating in a fully distributed mode due to the COVID-19 crisis and our efforts to keep team members safe and avoid spreading the virus. For teams that were already fully distributed, the interruptions are likely minimal. But those that are making the rapid transition from fully- or partially-colocated to 100% distributed are experiencing significant disruptions to their operations — and their cloud security posture.


Without new security steps in place, the adoption of new devices, access patterns, and processes used to maintain cloud environments while working from home increases the risk of cloud-based data breaches, cryptomining, and serious compliance violations. Cloud security risks are heightened when everyone is experiencing extraordinary amounts of stress and distraction. Mistakes can be made in times like these. And malicious actors are constantly watching, and more than happy to take advantage of those mistakes.

The Shared Responsibility Model of cloud security allows us to externalize a lot of security risks and costs to cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. But the security responsibilities that remain with the cloud customer are quite different from security in the data center. With cloud, security is focused on ensuring the correct configuration of cloud resources, and in turn, avoiding misconfiguration. Since a workforce accesses the cloud through cloud services, such as Security Groups and Identity and Access Management (IAM) services, the threats due to cloud misconfiguration can increase when that workforce becomes more distributed.

While cloud misconfiguration is a 100% preventable problem on the cloud customer's side of the Shared Responsibility Model, it remains the number one cause of cloud-based data breaches. The National Security Agency states that "misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services." While cloud providers can educate and alert customers about potential risks, they can't prevent their customers from creating misconfigurations. Preventing customers from making such errors would severely limit the power and flexibility of cloud.

But If Cloud Misconfiguration Is Preventable, Why Does It Keep Happening?

With the cloud, there's no perimeter to defend, traditional security tools aren't typically effective, and IT professionals often don't understand it. Cloud customers widely recognized as cloud security leaders can fall victim to their own misconfigurations. For example, if a Security Group is configured to allow SSH access to a remote worker's network, bad actors can find and exploit it within minutes. It can be difficult to distinguish malicious access patterns from legitimate ones, and traditional security tools can't detect these attacks.

Adding to this challenge is the fact that developers are continuously building and modifying their cloud infrastructure, so the attack surface has become highly dynamic. This makes gaining visibility into the state and security posture of cloud environments an ongoing struggle.

And while the most common methods of managing cloud misconfiguration are largely manual (e.g. reviewing alerts, remediating issues, conducting audits), malicious actors use automation tools to find and exploit misconfigurations almost as soon as they're created. Once they find a resource misconfiguration that gives them access to a cloud environment, they exploit additional misconfigurations to move laterally, discover resources, and extract data.

The good news is that while traditional security tools and approaches may be insufficient for keeping cloud environments secure, developers are empowering themselves to address the problem. They're using policy-as-code to automate certification processes and compliance reporting while removing human error from the equation. And they've adopted a "Shift Left" approach to moving security earlier in the software development lifecycle when making corrective changes is faster and less costly.
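As an added illustration of the policy-as-code approach described above (this is not Fugue's code and not from the original article), the following Python check evaluates Security Group ingress rules, in the shape returned by EC2 `DescribeSecurityGroups`, and flags SSH access that is open to the world or to an over-broad source range. The sample groups, finding names, and the /24 threshold are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (not real data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [   # SSH from anywhere
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [   # port range that includes 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "198.18.0.0/15"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example3", "IpPermissions": [   # all protocols, IPv6 world
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example4", "IpPermissions": [   # single host for SSH, public HTTPS
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
MIN_IPV4_PREFIX = 24  # assumed policy threshold, not from the article

def covers_ssh(perm):
    """True if the rule's protocol and port range include TCP/22."""
    if perm.get("IpProtocol") == "-1":      # "-1" means all protocols and ports
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))

def source_cidrs(perm):
    """All IPv4 and IPv6 source ranges attached to one ingress rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def evaluate(groups, min_ipv4_prefix=MIN_IPV4_PREFIX):
    """Return sorted (group_id, cidr, finding) tuples for over-broad SSH ingress."""
    findings = []
    for g in groups:
        for perm in filter(covers_ssh, g.get("IpPermissions", [])):
            for cidr in source_cidrs(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
                    findings.append((g["GroupId"], cidr, "ssh-open-to-world"))
                elif net.version == 4 and net.prefixlen < min_ipv4_prefix:
                    findings.append((g["GroupId"], cidr, "ssh-source-too-broad"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_GROUPS):
        print(*finding)
```

Run in a CI pipeline against planned or deployed configuration, a check like this fails the build before an over-broad rule reaches production, which is the "Shift Left" pattern the article describes.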

Companies that empower their developers to take on the security of their cloud environments have a leg up on avoiding cloud-based data breaches landing them in the headlines.

The COVID-19 crisis is already impacting the cloud industry. We're already seeing a surge in cloud demand, likely due to the rapid adoption of online collaboration tools. But expect to see a longer-term cloud adoption trend as companies that previously opted to continue managing their own data centers face previously unforeseen challenges. Existing data center capacity may be insufficient for supporting newly distributed teams with the surge capacity that an increased demand for online services requires. Ensuring the safety of data center workers and maintaining sufficient staff levels are now front-burner issues. And there will be fresh concerns over global supply chains and the ability to acquire the physical infrastructure needed to maintain operations.

And with a new wave of cloud adoption comes more cloud misconfiguration risks and more opportunities for malicious actors to exploit.

Josh Stella is CTO of Fugue