COVID-19 Shines a New Light on Cloud Misconfiguration Risk
April 14, 2020

Josh Stella
Fugue

With very few exceptions, all software engineering teams are now operating in a fully distributed mode due to the COVID-19 crisis and our efforts to keep team members safe and avoid spreading the virus. For teams that were already fully distributed, the interruptions are likely minimal. But those that are making the rapid transition from fully- or partially-colocated to 100% distributed are experiencing significant disruptions to their operations — and their cloud security posture.


Without new security steps in place, the adoption of new devices, access patterns, and processes used to maintain cloud environments while working from home increases the risk of cloud-based data breaches, cryptomining, and serious compliance violations. Cloud security risks are heightened when everyone is experiencing extraordinary amounts of stress and distraction. Mistakes can be made in times like these. And malicious actors are constantly watching, and more than happy to take advantage of those mistakes.

The Shared Responsibility Model of cloud security allows us to externalize a lot of security risks and costs to cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. But the security responsibilities that remain with the cloud customer are quite different from security in the data center. With cloud, security is focused on ensuring the correct configuration of cloud resources, and in turn, avoiding misconfiguration. Since a workforce accesses the cloud through cloud services, such as Security Groups and Identity and Access Management (IAM) services, the threats due to cloud misconfiguration can increase when that workforce becomes more distributed.

While cloud misconfiguration is a 100% preventable problem on the cloud customer's side of the Shared Responsibility Model, it remains the number one cause of cloud-based data breaches. The National Security Agency states that "misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services." While cloud providers can educate and alert customers about potential risks, they can't prevent their customers from creating misconfigurations. Preventing customers from making such errors would severely limit the power and flexibility of cloud. 

But If Cloud Misconfiguration Is Preventable, Why Does It Keep Happening?

With the cloud, there's no perimeter to defend, traditional security tools aren't typically effective, and IT professionals often don't understand it. Cloud customers widely recognized as cloud security leaders can fall victim to their own misconfigurations. For example, if a Security Group is configured to allow SSH access to a remote worker's network, bad actors can find and exploit it within minutes. It can be difficult to distinguish malicious access patterns from legitimate ones, and traditional security tools can't detect these attacks.

Adding to this challenge is the fact that developers are continuously building and modifying their cloud infrastructure, so the attack surface has become highly dynamic. This makes gaining visibility into the state and security posture of cloud environments an ongoing struggle.

And while the most common methods of managing cloud misconfiguration are largely manual (e.g. reviewing alerts, remediating issues, conducting audits), malicious actors use automation tools to find and exploit misconfiguration almost as soon as they're created. Once they find a resource misconfiguration that gives them access to a cloud environment, they exploit additional misconfigurations to move laterally, discover resources, and extract data.

The good news is that while traditional security tools and approaches may be insufficient for keeping cloud environments secure, developers are empowering themselves to address the problem. They're using policy-as-code to automate certification processes and compliance reporting while removing human error from the equation. And they've adopted a "Shift Left" approach to moving security earlier in the software development lifecycle when making corrective changes is faster and less costly.

Companies that empower their developers to take on the security of their cloud environments have a leg up on avoiding cloud-based data breaches landing them in the headlines.

The COVID-19 crisis is already impacting the cloud industry. We're already seeing a surge in cloud demand, likely due to the rapid adoption of online collaboration tools. But expect to see a longer-term cloud adoption trend as companies who previously opted to continue managing their own data centers face previously unforeseen challenges. Existing data center capacity may be insufficient in supporting newly-distributed teams with the surge capacity that an increased demand for online services. Ensuring the safety of datacenter workers and maintaining sufficient staff levels are now front burner issues. And there will be fresh concerns over global supply chains and the ability to acquire physical infrastructure needed to maintain operations.

And with a new wave of cloud adoption comes more cloud misconfiguration risks and more opportunities for malicious actors to exploit.

Josh Stella is CTO of Fugue
Share this

Industry News

May 19, 2022

Jellyfish announced the launch of Jellyfish Benchmarks, a way to add context around engineering metrics and performance by introducing a method for comparison.

May 19, 2022

Solo.io announced the addition and integration of Cilium networking into its Gloo Mesh platform, providing a complete application-networking solution for companies’ cloud-native digital transformation efforts.

May 19, 2022

Aqua Security announced multiple updates to Aqua Trivy, making it a unified scanner for cloud native security.

May 18, 2022

Red Hat unveiled updates across its portfolio of developer tools designed to help organizations build and deliver applications faster and more consistently across Kubernetes-based hybrid and multicloud environments.

May 18, 2022

Armory announced public early access to their new Continuous Deployment-as-a-Service product.

May 18, 2022

DataCore Software announced DataCore Bolt, enterprise-grade container-native storage software for DevOps.

May 17, 2022

DevOps Institute, a global professional association for advancing the human elements of DevOps, announced the release of the Upskilling IT 2022 report.

May 17, 2022

Replicated announced a host of new platform features and capabilities that enable their customers to accelerate enterprise adoption of their Kubernetes applications.

May 17, 2022

Codefresh announced that its flagship continuous delivery (CD) platform will be made accessible as a fully-hosted solution for DevOps teams seeking to quickly and easily achieve frictionless, GitOps-based continuous software delivery in the cloud.

May 16, 2022

Red Hat announced new capabilities and enhancements across its portfolio of open hybrid cloud solutions aimed at accelerating enterprise adoption of edge compute architectures through the Red Hat Edge initiative.

May 16, 2022

D2iQ announced a partnership with GitLab.

May 16, 2022

Kasten by Veeam announced the new Kasten by Veeam K10 V5.0 Kubernetes data management platform.

May 12, 2022

Red Hat introduced Red Hat Enterprise Linux 9, the Linux operating system designed to drive more consistent innovation across the open hybrid cloud, from bare metal servers to cloud providers and the farthest edge of enterprise networks.

May 12, 2022

Couchbase announced version 7.1 of Couchbase Server.

May 12, 2022

Copado added Copado Robotic Testing to Copado Essentials.