COVID-19 Shines a New Light on Cloud Misconfiguration Risk
April 14, 2020

Josh Stella
Fugue

With very few exceptions, all software engineering teams are now operating in a fully distributed mode due to the COVID-19 crisis and our efforts to keep team members safe and avoid spreading the virus. For teams that were already fully distributed, the interruptions are likely minimal. But those that are making the rapid transition from fully- or partially-colocated to 100% distributed are experiencing significant disruptions to their operations — and their cloud security posture.


Without new security steps in place, the adoption of new devices, access patterns, and processes used to maintain cloud environments while working from home increases the risk of cloud-based data breaches, cryptomining, and serious compliance violations. Cloud security risks are heightened when everyone is experiencing extraordinary amounts of stress and distraction. Mistakes can be made in times like these. And malicious actors are constantly watching, and more than happy to take advantage of those mistakes.

The Shared Responsibility Model of cloud security allows us to externalize a lot of security risks and costs to cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. But the security responsibilities that remain with the cloud customer are quite different from security in the data center. With cloud, security is focused on ensuring the correct configuration of cloud resources, and in turn, avoiding misconfiguration. Since a workforce accesses the cloud through cloud services, such as Security Groups and Identity and Access Management (IAM) services, the threats due to cloud misconfiguration can increase when that workforce becomes more distributed.

While cloud misconfiguration is a 100% preventable problem on the cloud customer's side of the Shared Responsibility Model, it remains the number one cause of cloud-based data breaches. The National Security Agency states that "misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services." While cloud providers can educate and alert customers about potential risks, they can't prevent their customers from creating misconfigurations. Preventing customers from making such errors would severely limit the power and flexibility of cloud. 

But If Cloud Misconfiguration Is Preventable, Why Does It Keep Happening?

With the cloud, there's no perimeter to defend, traditional security tools aren't typically effective, and IT professionals often don't understand it. Cloud customers widely recognized as cloud security leaders can fall victim to their own misconfigurations. For example, if a Security Group is configured to allow SSH access to a remote worker's network, bad actors can find and exploit it within minutes. It can be difficult to distinguish malicious access patterns from legitimate ones, and traditional security tools can't detect these attacks.

Adding to this challenge is the fact that developers are continuously building and modifying their cloud infrastructure, so the attack surface has become highly dynamic. This makes gaining visibility into the state and security posture of cloud environments an ongoing struggle.

And while the most common methods of managing cloud misconfiguration are largely manual (e.g. reviewing alerts, remediating issues, conducting audits), malicious actors use automation tools to find and exploit misconfiguration almost as soon as they're created. Once they find a resource misconfiguration that gives them access to a cloud environment, they exploit additional misconfigurations to move laterally, discover resources, and extract data.

The good news is that while traditional security tools and approaches may be insufficient for keeping cloud environments secure, developers are empowering themselves to address the problem. They're using policy-as-code to automate certification processes and compliance reporting while removing human error from the equation. And they've adopted a "Shift Left" approach to moving security earlier in the software development lifecycle when making corrective changes is faster and less costly.

Companies that empower their developers to take on the security of their cloud environments have a leg up on avoiding cloud-based data breaches landing them in the headlines.

The COVID-19 crisis is already impacting the cloud industry. We're already seeing a surge in cloud demand, likely due to the rapid adoption of online collaboration tools. But expect to see a longer-term cloud adoption trend as companies who previously opted to continue managing their own data centers face previously unforeseen challenges. Existing data center capacity may be insufficient in supporting newly-distributed teams with the surge capacity that an increased demand for online services. Ensuring the safety of datacenter workers and maintaining sufficient staff levels are now front burner issues. And there will be fresh concerns over global supply chains and the ability to acquire physical infrastructure needed to maintain operations.

And with a new wave of cloud adoption comes more cloud misconfiguration risks and more opportunities for malicious actors to exploit.

Josh Stella is CTO of Fugue
Share this

Industry News

April 14, 2021

SmartBear has integrated TestComplete, its UI test automation tool, with BitBar, its native mobile device cloud.

April 14, 2021

Elastic announced an expanded strategic partnership with Confluent to deliver the best integrated product experience to the Apache Kafka and Elasticsearch community.

April 14, 2021

Threat Stack announced its ability to support AWS Graviton2-based instances through the Threat Stack Cloud Security Platform.

April 13, 2021

Broadcom and Google Cloud announced a strategic collaboration to accelerate innovation and strengthen cloud services integration within the core software franchises of Broadcom.

April 13, 2021

Nylas announced the launch of Components, JavaScript UI/UX solutions that allow developers to bring productivity features to market faster without needing to design front-end elements from scratch.

April 13, 2021

Perforce Software announces its new version control desktop client — Helix Sync — enabling non-coders such as artists and designers to version digital assets, with a simple drag-and-drop UI.

April 12, 2021

ShiftLeft introduced ShiftLeft CORE, a unified code security platform.

April 12, 2021

GrammaTech announced a new version of its CodeSonar SAST (static application security testing) product that helps developers build safer and more secure code without disrupting workflows.

April 12, 2021

Panaya announced a strategic partnership with Being Guided, a Salesforce Consulting Partner, specializing in the CRM and Salesforce ecosystem, to bring Panaya's ForeSight solution to a wider audience.

April 08, 2021

Palo Alto Networks announced the second generation of Checkov, the static analysis tool for infrastructure as code (IaC).

April 08, 2021

Postman now allows any team with up to three members to collaborate in Postman with unlimited shared workspaces and unlimited shared requests at no cost.

April 08, 2021

Taos, an IBM company, has announced 24x5 managed service availability.

April 07, 2021

VMware unveiled expanded cloud workload protection capabilities to deliver security for containers and Kubernetes.

April 07, 2021

Catapult CX is launching the DevOps Institute’s (DOI) Assessment of DevOps Capabilities (ADOC).

April 07, 2021

Equinix announced that Tinkerbell, an all-in-one open source bare metal provisioning platform, has added significant new features since joining the Cloud Native Computing Foundation (CNCF) Sandbox program.