COVID-19 Shines a New Light on Cloud Misconfiguration Risk
April 14, 2020

Josh Stella

With very few exceptions, all software engineering teams are now operating in a fully distributed mode due to the COVID-19 crisis and our efforts to keep team members safe and avoid spreading the virus. For teams that were already fully distributed, the interruptions are likely minimal. But those that are making the rapid transition from fully- or partially-colocated to 100% distributed are experiencing significant disruptions to their operations — and their cloud security posture.

Without new security steps in place, the adoption of new devices, access patterns, and processes used to maintain cloud environments while working from home increases the risk of cloud-based data breaches, cryptomining, and serious compliance violations. Cloud security risks are heightened when everyone is experiencing extraordinary amounts of stress and distraction. Mistakes can be made in times like these. And malicious actors are constantly watching, and more than happy to take advantage of those mistakes.

The Shared Responsibility Model of cloud security allows us to externalize a lot of security risks and costs to cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. But the security responsibilities that remain with the cloud customer are quite different from security in the data center. With cloud, security is focused on ensuring the correct configuration of cloud resources, and in turn, avoiding misconfiguration. Since a workforce accesses the cloud through cloud services, such as Security Groups and Identity and Access Management (IAM) services, the threats due to cloud misconfiguration can increase when that workforce becomes more distributed.

While cloud misconfiguration is a 100% preventable problem on the cloud customer's side of the Shared Responsibility Model, it remains the number one cause of cloud-based data breaches. The National Security Agency states that "misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services." While cloud providers can educate and alert customers about potential risks, they can't prevent their customers from creating misconfigurations. Preventing customers from making such errors would severely limit the power and flexibility of cloud. 

But If Cloud Misconfiguration Is Preventable, Why Does It Keep Happening?

With the cloud, there's no perimeter to defend, traditional security tools aren't typically effective, and IT professionals often don't understand it. Cloud customers widely recognized as cloud security leaders can fall victim to their own misconfigurations. For example, if a Security Group is configured to allow SSH access to a remote worker's network, bad actors can find and exploit it within minutes. It can be difficult to distinguish malicious access patterns from legitimate ones, and traditional security tools can't detect these attacks.

Adding to this challenge is the fact that developers are continuously building and modifying their cloud infrastructure, so the attack surface has become highly dynamic. This makes gaining visibility into the state and security posture of cloud environments an ongoing struggle.

And while the most common methods of managing cloud misconfiguration are largely manual (e.g. reviewing alerts, remediating issues, conducting audits), malicious actors use automation tools to find and exploit misconfigurations almost as soon as they're created. Once they find a resource misconfiguration that gives them access to a cloud environment, they exploit additional misconfigurations to move laterally, discover resources, and extract data.

The good news is that while traditional security tools and approaches may be insufficient for keeping cloud environments secure, developers are empowering themselves to address the problem. They're using policy-as-code to automate certification processes and compliance reporting while removing human error from the equation. And they've adopted a "Shift Left" approach to moving security earlier in the software development lifecycle when making corrective changes is faster and less costly.
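
One form the policy-as-code approach described above can take, applied to the Security Group SSH case from earlier in the article. This is an added example, not code from the article or from Fugue: the approved range, group IDs and sample data are constructed, and the input uses the field names of AWS `describe-security-groups` output.

```python
import ipaddress

# Assumed policy: SSH may be reached only from these ranges (e.g. a VPN egress).
APPROVED_SSH_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]
SSH_PORT = 22

def _covers_ssh(perm):
    """True if the ingress permission includes TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def _approved(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == ok.version and net.subnet_of(ok)
               for ok in APPROVED_SSH_SOURCES)

def ssh_violations(security_groups):
    """Return (group_id, cidr) for every SSH ingress source outside policy."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_ssh(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], c) for c in sources if not _approved(c)]
    return findings

# Constructed sample; addresses are documentation ranges, not real networks.
SAMPLE = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.4/32"}]}]},   # inside approved range
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},    # a remote worker's network
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},          # all traffic, includes SSH
    {"GroupId": "sg-0ddd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},         # HTTPS only, not SSH
]

if __name__ == "__main__":  # non-zero exit fails the CI step on any finding
    print(*ssh_violations(SAMPLE), sep="\n")
    raise SystemExit(1 if ssh_violations(SAMPLE) else 0)
```

Run as a pipeline step against planned or deployed Security Groups, the non-zero exit blocks the change before it reaches production.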

Companies that empower their developers to take on the security of their cloud environments have a leg up on avoiding the cloud-based data breaches that land companies in the headlines.

The COVID-19 crisis is already impacting the cloud industry. We're already seeing a surge in cloud demand, likely due to the rapid adoption of online collaboration tools. But expect to see a longer-term cloud adoption trend as companies that previously opted to continue managing their own data centers face previously unforeseen challenges. Existing data center capacity may be insufficient to support newly distributed teams with the surge capacity that an increased demand for online services requires. Ensuring the safety of data center workers and maintaining sufficient staff levels are now front-burner issues. And there will be fresh concerns over global supply chains and the ability to acquire physical infrastructure needed to maintain operations.

And with a new wave of cloud adoption comes more cloud misconfiguration risks and more opportunities for malicious actors to exploit.

Josh Stella is CTO of Fugue