COVID-19 Shines a New Light on Cloud Misconfiguration Risk
April 14, 2020

Josh Stella
Fugue

With very few exceptions, all software engineering teams are now operating in a fully distributed mode due to the COVID-19 crisis and our efforts to keep team members safe and avoid spreading the virus. For teams that were already fully distributed, the interruptions are likely minimal. But those that are making the rapid transition from fully- or partially-colocated to 100% distributed are experiencing significant disruptions to their operations — and their cloud security posture.


Without new security steps in place, the adoption of new devices, access patterns, and processes used to maintain cloud environments while working from home increases the risk of cloud-based data breaches, cryptomining, and serious compliance violations. Cloud security risks are heightened when everyone is experiencing extraordinary amounts of stress and distraction. Mistakes can be made in times like these. And malicious actors are constantly watching, and more than happy to take advantage of those mistakes.

The Shared Responsibility Model of cloud security allows us to externalize a lot of security risks and costs to cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. But the security responsibilities that remain with the cloud customer are quite different from security in the data center. With cloud, security is focused on ensuring the correct configuration of cloud resources, and in turn, avoiding misconfiguration. Since a workforce accesses the cloud through cloud services, such as Security Groups and Identity and Access Management (IAM) services, the threats due to cloud misconfiguration can increase when that workforce becomes more distributed.

While cloud misconfiguration is a 100% preventable problem on the cloud customer's side of the Shared Responsibility Model, it remains the number one cause of cloud-based data breaches. The National Security Agency states that "misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services." While cloud providers can educate and alert customers about potential risks, they can't prevent their customers from creating misconfigurations. Preventing customers from making such errors would severely limit the power and flexibility of cloud. 

But If Cloud Misconfiguration Is Preventable, Why Does It Keep Happening?

With the cloud, there's no perimeter to defend, traditional security tools aren't typically effective, and IT professionals often don't understand it. Cloud customers widely recognized as cloud security leaders can fall victim to their own misconfigurations. For example, if a Security Group is configured to allow SSH access to a remote worker's network, bad actors can find and exploit it within minutes. It can be difficult to distinguish malicious access patterns from legitimate ones, and traditional security tools can't detect these attacks.

Adding to this challenge is the fact that developers are continuously building and modifying their cloud infrastructure, so the attack surface has become highly dynamic. This makes gaining visibility into the state and security posture of cloud environments an ongoing struggle.

And while the most common methods of managing cloud misconfiguration are largely manual (e.g. reviewing alerts, remediating issues, conducting audits), malicious actors use automation tools to find and exploit misconfiguration almost as soon as they're created. Once they find a resource misconfiguration that gives them access to a cloud environment, they exploit additional misconfigurations to move laterally, discover resources, and extract data.

The good news is that while traditional security tools and approaches may be insufficient for keeping cloud environments secure, developers are empowering themselves to address the problem. They're using policy-as-code to automate certification processes and compliance reporting while removing human error from the equation. And they've adopted a "Shift Left" approach to moving security earlier in the software development lifecycle when making corrective changes is faster and less costly.

Companies that empower their developers to take on the security of their cloud environments have a leg up on avoiding cloud-based data breaches landing them in the headlines.

The COVID-19 crisis is already impacting the cloud industry. We're already seeing a surge in cloud demand, likely due to the rapid adoption of online collaboration tools. But expect to see a longer-term cloud adoption trend as companies who previously opted to continue managing their own data centers face previously unforeseen challenges. Existing data center capacity may be insufficient in supporting newly-distributed teams with the surge capacity that an increased demand for online services. Ensuring the safety of datacenter workers and maintaining sufficient staff levels are now front burner issues. And there will be fresh concerns over global supply chains and the ability to acquire physical infrastructure needed to maintain operations.

And with a new wave of cloud adoption comes more cloud misconfiguration risks and more opportunities for malicious actors to exploit.

Josh Stella is CTO of Fugue
Share this

Industry News

May 22, 2024

Mendix announced a partnership with Snowflake to enable the enterprise to activate and drive maximum value from their data through low-code application development.

May 22, 2024

LaunchDarkly set the stage for “shipping at the speed of now” with the unveiling of new features, empowering engineering teams to streamline releases and accelerate the pace of innovation.

May 22, 2024

Tigera launched new features for Calico Enterprise and Calico Cloud, extending the products' Runtime Threat Defense capabilities.

May 22, 2024

Cirata announced the latest version of Cirata Gerrit MultiSite®.

May 21, 2024

Puppet by Perforce announced a significant enhancement to the capabilities of its commercial offering with the addition of new security, compliance, and continuous integration/continuous delivery (CI/CD) capabilities.

May 21, 2024

Red Hat and Nutanix announced an expanded collaboration to use Red Hat Enterprise Linux as an element of Nutanix Cloud Platform.

May 21, 2024

Nutanix announced Nutanix Kubernetes® Platform (NKP) to simplify management of container-based modern applications using Kubernetes.

May 21, 2024

Octopus Deploy announced their GitHub Copilot Extension that increases efficiency and helps developers stay in the flow.

May 20, 2024

Pegasystems introduced Pega GenAI™ Coach, a generative AI-powered mentor for Pega solutions that proactively advises users to help them achieve optimal outcomes.

May 20, 2024

SmartBear introduces SmartBear HaloAI, trusted AI-driven technology deploying across its entire product portfolio.

May 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

May 16, 2024

Mend.io and Sysdig unveiled a joint solution to help developers, DevOps, and security teams accelerate secure software delivery from development to deployment.

May 16, 2024

GitLab announced new innovations in GitLab 17 to streamline how organizations build, test, secure, and deploy software.

May 16, 2024

Kobiton announced the beta release of mobile test management, a new feature within its test automation platform.

May 15, 2024

Gearset announced its new CI/CD solution, Long Term Projects in Pipelines.