The move to the cloud has forced many CIOs to change how they think about security. Since much of the responsibility to secure infrastructure is now outsourced to cloud providers, CIOs need to focus higher in the stack to ensure that configurations are correct and data is not inadvertently exposed.
As you assess your operations for vulnerabilities, there are three factors that can increase the chances of employees inadvertently leaving the front door of your infrastructure open:
1. Aggressively pushing out new code and features
How much pressure do you put on developers to deliver new code? When too much focus is put on getting features and code out the door, developers can inadvertently cause configuration drift. For example, if developers are constantly creating new virtual machines (VMs) to test new code and configuring them manually, they create more opportunities for errors. Developers who regularly make small changes to production code, such as opening up additional communication ports for new app features, often create workarounds to avoid the time-consuming process of obtaining admin privileges whenever they need to make a tweak.
2. Increased interconnectivity of applications
The more connections you have with third parties or between components of an app, the greater the chances of a problematic misconfiguration. Common API errors include broken authorizations at the object level, user level, and function level.
Exposing too much information in your APIs can also give hackers clues on how to crack your code. Cloud-native containerized apps can also pose a threat since an unintentional vulnerability in a single container can enable a hacker to access your entire software stack.
3. Complexity of cloud infrastructure
The complexity of your cloud architecture has a significant impact on misconfiguration risk. A single-tenant cloud presents limited risk because no one else has code on the same machine as you. All you need to focus on is making sure your machine is configured correctly. In multi-tenant environments, the risk grows as your environment needs to be configured to make sure a hacker is not running code on a VM on the same machine. Risk grows exponentially in multicloud or hybrid architectures, where code and data are stored and processed in a variety of different places. For these pieces to work together, they need to create a network of complex connections across the web, presenting many more opportunities for costly mistakes.
Managing the risk
To minimize the risk presented by configuration errors, organizations need to ensure that configurations are constantly checked and errors are identified. This can be done in a number of ways:
- In less complex systems with simpler cloud architectures and little pressure for new features, regular manual checks may be sufficient.
- As stacks get more connected and complex and manual processes are unable to scale, developers can build automated scripts to check for common and known configuration issues. While this can work for situations where complexity and connectivity are limited, if a vulnerability is accidentally created, a hacker could exploit it before a scan is run.
- In very complex organizations with a high probability of a misconfiguration error, a constant monitoring approach may be prudent to continuously keep tabs on cloud configurations.
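As an added illustration of the automated-script approach (not code from the original article), the check below compares the ingress rules currently applied to each VM against an approved baseline and flags both drift and ports left open to any address. The rule format, VM names and the PUBLIC_OK policy are assumptions made for the example, not any cloud provider's schema.

```python
import ipaddress

# Assumed policy: ports that may be reachable from any address.
PUBLIC_OK = {443}

def is_world_open(cidr):
    """True when the source range covers every address (IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_key(vm, rule):
    """Identity of a rule, used to compare baseline and current state."""
    return (vm, rule["proto"], rule["port"], rule["source"])

def audit(baseline, current):
    """Compare current ingress rules to the approved baseline.

    Both arguments map a VM name to a list of rules.
    Returns sorted (vm, port, finding) tuples.
    """
    approved = {rule_key(vm, r) for vm, rules in baseline.items() for r in rules}
    findings = set()
    for vm, rules in current.items():
        for r in rules:
            # Drift: a rule (or a whole VM) that was never approved.
            if rule_key(vm, r) not in approved:
                findings.add((vm, r["port"], "drift: rule not in baseline"))
            # Exposure: reachable from anywhere on a port policy does not allow.
            if is_world_open(r["source"]) and r["port"] not in PUBLIC_OK:
                findings.add((vm, r["port"], "exposed: open to any address"))
    return sorted(findings)

# Constructed sample data (hypothetical VMs and rules).
BASELINE = {
    "web-1": [{"proto": "tcp", "port": 443, "source": "0.0.0.0/0"}],
    "db-1": [{"proto": "tcp", "port": 5432, "source": "10.0.1.0/24"}],
}
CURRENT = {
    "web-1": [{"proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
              {"proto": "tcp", "port": 8080, "source": "0.0.0.0/0"}],
    "db-1": [{"proto": "tcp", "port": 5432, "source": "::/0"}],
    "test-7": [{"proto": "tcp", "port": 22, "source": "10.0.9.0/24"}],
}

if __name__ == "__main__":
    for vm, port, finding in audit(BASELINE, CURRENT):
        print(f"{vm}:{port} {finding}")
```

A script like this only reports what it sees at the moment it runs, which is the gap between scans that the bullet on automated scripts describes.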
Many organizations moving to the cloud are now looking to cloud security posture management (CSPM) solutions to improve security. While many vendors are now offering platforms that will constantly monitor their own cloud systems for misconfiguration issues, these solutions typically do not work well for multicloud or hybrid cloud architectures. Since each cloud system implements things differently and uses its own terminology, a third-party solution designed to monitor multiple clouds can be a more viable option.
Regardless of how an organization chooses to protect itself from cloud security vulnerabilities, organizations adopting modern infrastructure and more flexible application development processes also need to adopt more modern security postures.