Back to Basics: A Fundamental Approach to Cloud Security
January 12, 2021

Om Moolchandani

College football coaches say it. Investment advisers emphasize it. Meditation practitioners live by it. The sentiment is so ingrained in the popular imagination that it gained cliché status a long time ago. But there's no question that even a hackneyed phrase can have true meaning — and perhaps it's time cloud security specialists embrace it.

The simple phrase here: "Let's go back to the fundamentals."

That's actually a high hill to climb in the world of cloud computing: The field virtually mandates a nonstop flow of new tools and capabilities. Each advance surely adds to the already-long list of benefits to be accrued by moving to the cloud, but many also create serious risks. This fundamental — there it is again — incongruity can undermine the entire potential of this vital discipline.

The latest Accurics research report, The State of DevSecOps, vividly highlights this ongoing issue. This report followed the previous edition by only a few months, yet in that short time there's been a slew of headline-grabbing incidents. Servers containing personal information from popular dating apps got hacked, fitness brands found their data privacy compromised, and customers' financial details from payment providers got exfiltrated.

But when we look past the headlines and go deep into the details, it becomes apparent this isn't only the work of sophisticated cybercriminals. Yes, there are plenty of those — but it's also clear that more mundane issues are to blame.

For example, the report details how misconfigured cloud storage services are commonplace in the vast majority of cloud deployments analyzed, around 93%. On an entirely related note, a majority of deployments also featured at least one network exposure that left a security group wide open. These seem like minor issues, but the reality is truly distressing — these two practices alone help account for more than 200 breaches exposing 30 billion records in just the past couple of years.

So how does this go so badly wrong? Why don't these problems get caught earlier?

Again, it goes back to the basics. Having best practices in place — every policy violation must be addressed immediately — is a no-brainer. But consider the volume: When there's an endless stream of alerts about such discrepancies, and many are likely minor, it's a very human impulse to disregard at least some of the warnings.

Here's an example: When multiple hardcoded private keys turn up, standard policies dictate that the risk from each is assessed individually. That's enormously time-consuming, which is why security specialists understandably focus more on keys actually being used, since these pose a more immediate risk. This is also typically a manual process, which gives attackers time to identify weak spots. Eventually, those unused and unexamined keys can become a gateway for the bad guys.

How serious is this problem? Accurics' research finds that nearly a half of all organizations have at least one hardcoded key with high privileges used to provision compute resources. A breach here flings open the doors to all associated resources.

Another fundamental flaw is that that 90% of organizations give users the freedom and authority to change the cloud native infrastructure in runtime. Again, flexibility is a vital component of cloud-driven operations, but this is where we find a clear connection to critical exposures. In sum, even as organizations devote considerable resources to multiple aspects of cloud security — with an emphasis on top-notch security when cloud native infrastructure is originally defined — a subsequent drift can lead to chaos.

There is a strong correlation between the top types of cloud infrastructure drifts and the risks that create serious exposures. This implies that even if organizations exercise strong security hygiene when cloud native infrastructure is initially defined, drifts in runtime will create exposures.

Again, the research here turns up damning numbers: Security groups created or modified in 100% of deployments, IAM policy changes in 82% of deployments, and so on.

Fundamental problems like these require fundamental solutions. Top of the list: Security must be codified into development pipelines and enforced throughout the lifecycle. The work isn't done when the policy is enforced across Infrastructure as Code and a secure baseline is created — there's too much happening after that. Going a level deeper, we clearly need an additional set of principles:

■ Policy as Code: Emerging types of misconfigurations must be countered with policy guardrails embedded throughout the development lifecycle.

■ Security as Code: High severity misconfigurations have to be addressed, swiftly and comprehensively — and that can only be achieved with enhanced threat modeling.

■ Drift as Code: Any resource and configuration change from the secure baseline must be detected and assessed for risk.

■ Remediation as Code: Automated detection with manual remediation is doomed to failure; the latter must be codified into the development pipeline.

The cloud builds on technological innovation and offers undeniable benefits. Moving forward, the tools and capabilities emerging each day must be matched with programmatic security to keep the infrastructure safe.

Om Moolchandani is Co-Founder, CTO and CISO of Accurics
Share this

Industry News

February 29, 2024

ManageEngine, the enterprise IT management division of Zoho Corporation, announced the integration between Endpoint Central, its flagship unified endpoint management solution, and Check Point's Harmony Mobile, a leading mobile threat defense solution, to help IT security teams automate the remediation of mobile threats.

February 29, 2024

Stack Overflow and Google Cloud announced a strategic partnership that will deliver new gen AI-powered capabilities to developers through the Stack Overflow platform, Google Cloud Console, and Gemini for Google Cloud.

February 29, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Falco, a cloud native security tool designed for Linux systems and the de facto Kubernetes threat detection engine.

February 28, 2024

JFrog announced a new technology integration with Qwak, a fully managed ML Platform, that brings machine learning models alongside traditional software development processes to streamline, accelerate, and scale the secure delivery of ML applications.

February 28, 2024

ServiceNow, Hugging Face, and NVIDIA, announced the release of StarCoder2, a family of open‑access large language models (LLMs) for code generation that sets new standards for performance, transparency, and cost‑effectiveness.

February 28, 2024

GMO GlobalSign announced the availability of an Issuer for Kubernetes cert-manager.

February 27, 2024

MacStadium announced the launch of its online community to deepen the connections of application developers through knowledge sharing and collaboration.

February 27, 2024

Octopus Deploy announced the acquisition of Codefresh Inc.

February 26, 2024

Intel announced its new Edge Platform, a modular, open software platform enabling enterprises to develop, deploy, run, secure, and manage edge and AI applications at scale with cloud-like simplicity.

February 26, 2024 announced AI-augmented API Management, a new Tray Universal Automation Cloud capability that turns any new or existing workflow into a reusable API, significantly decreasing the technical debt associated with the operational effort and costs of traditional API management (APIM).

February 26, 2024

Bitwarden Secrets Manager is now integrated with Ansible Playbook.

February 22, 2024

Check Point® Software Technologies Ltd. introduces Check Point Quantum Force series: an innovative lineup of ten high-performance firewalls designed to meet and exceed the stringent security demands of enterprise data centers, network perimeters, campuses, and businesses of all dimensions.

February 22, 2024

Tabnine announced that Tabnine Chat — the enterprise-grade, code-centric chat application that allows developers to interact with Tabnine AI models using natural language — is now available to all users.

February 22, 2024

Avaamo released Avaamo LLaMB™, a new low-code framework for building generative AI applications in the enterprise safely, securely, and fast.

February 21, 2024

CAST announced the winter release of CAST Imaging, an imaging system for software applications, with significant user experience (UX) enhancements and new features designed to simplify and accelerate processes for engineers who develop, maintain, modernize, complex software applications.