In every cloud-based data breach we've learned about, misconfiguration mistakes played a central role. These misconfiguration "rogue waves" have hit some of the biggest and most advanced cloud customers — Twitch recently, and Uber, Imperva, and Capital One before it. All of these attacks involved a complex chain of exploits against cloud provider API control planes.
Security concerns are clearly no longer a barrier to cloud adoption, but a perfect storm of cloud risk has arrived. Let's examine this perfect storm and its three drivers and build a strategy to safely navigate through it.
1. Cloud Complexity Is Increasing
The major cloud providers — primarily Amazon Web Services (AWS), Microsoft Azure, and Google Cloud — are locked in an innovation race to offer new services. AWS alone offers more than 200 infrastructure services, and each comes with unique configuration options and security considerations. And whether by strategic choice, acquisitions, or happenstance, most enterprises now have a multicloud footprint that requires a multicloud security strategy.
The typical enterprise cloud environment can contain hundreds of thousands of interrelated resources spanning multiple cloud accounts and business units. Each use case brings different security requirements and must be governed according to global enterprise security and regulatory policies, as well as local ones. These policies are subject to differing human interpretations during manual audits.
While the cloud providers continue to introduce more security tools, it's not enough. As cloud security expert Scott Piper put it, "[P]eople don't understand their cloud environments as well as they would like to. ... [T]hat is where I think a lot of the misconfigurations come into play." The choice for many organizations is whether to move fast and assume additional risks or to slow down delivery and certify that everything is secure and in compliance before deployment.
2. Hackers Are Now Cloud Security Experts
As cloud environments become more complex, hackers have gotten really good at exploiting our mistakes. They've embraced automation that scans the internet to detect cloud vulnerabilities within minutes of their deployment.
Once in your environment, hackers know how to leverage cloud architecture flaws — themselves a form of misconfiguration — to expand the blast radius of any initial security gap. These flaws usually let an attacker use the identity and access management (IAM) permissions they have obtained to discover more about the environment, move laterally, and steal data. The Twitch breach initially involved a misconfigured server, but the attacker ultimately exploited a chain of vulnerabilities to steal customer data and sensitive source code for not only Twitch but also its parent, Amazon.
Once an attack against the cloud API control plane is underway, it's too late to stop it. Often, cloud customers aren't aware they've been hacked until their data shows up on the Dark Web (in Twitch's case) or the hacker brags about it online (the Capital One breach). As cloud economist Corey Quinn said on his Screaming at the Cloud podcast: "So, what is your primary means of breach detection? And the answer honestly is, 'The front page of the New York Times.'"
3. The War for Cloud Engineering Talent
The demand for cloud engineering talent is exploding, which is reflected in compensation. According to recruiters cited by the Wall Street Journal, "People with cloud skills are generally getting two or three strong offers, often with packages worth hundreds of thousands of dollars as well as stock options."
Every company operating in the cloud is competing with tech giants over cloud engineers, including those already on their team. Most of those companies don't have the deep pockets and attractive stock options the tech giants do. And as Gartner's Lydia Leong said, "It's not just big tech. Every SI and MSP on the planet is chasing technical people everywhere."
Strategies for Steering Through the Storm
1. Establish complete awareness of your environment and security posture. Cloud breaches happen because security teams lack the visibility they need to detect vulnerabilities across a complex cloud resource graph. Executives should ask for a report detailing the complete configuration state and security posture of their cloud environment — and security teams should be able to produce one at any time.
2. Focus on building secure architecture and preventing misconfiguration. Cloud security is an architectural and process concern, and every misconfiguration is a failure of either design or process. Give DevOps engineers tools that flag mistakes in their infrastructure as code and explain how to fix them. Put security guardrails in your CI/CD pipelines to prevent deploying misconfiguration vulnerabilities.
3. Build scalable cloud security using policy-as-code-driven automation. Policy as code is the only way to effectively support multiple business units — and their myriad use cases and local policy requirements — without slowing them down. A good place to start is Open Policy Agent, a Cloud Native Computing Foundation project used by major enterprises including T-Mobile, Goldman Sachs, and Netflix.
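The second and third strategies above describe the same mechanism from two angles: a pipeline guardrail that flags misconfiguration in infrastructure as code before it deploys, and a rule set expressed as code so it can be applied uniformly across business units. The following is an added example of that guardrail, written for this edit rather than taken from the article, from Open Policy Agent, or from any vendor. It evaluates a Terraform plan in the JSON form that `terraform show -json` produces (the `resource_changes`, `change.actions`, and `change.after` fields are real plan-format fields; the plan contents, the rule functions, and the names `evaluate_plan` and `gate` are constructed for the example) and returns a finding with a remediation hint for every rule violation.

```python
"""Policy-as-code guardrail for a CI/CD pipeline (added example, not the
article's or any project's own code).

Evaluates a Terraform plan (JSON form, as produced by `terraform show -json`)
against a small set of misconfiguration rules and explains how to fix each
finding. The plan below is constructed for the example; the rule set and the
function names are this example's own, not Open Policy Agent or a vendor API.
"""
import json
import sys

# Constructed sample: a trimmed `terraform show -json` plan with three resources,
# one public S3 bucket ACL, one security group open to the world on port 22,
# and one correctly private bucket ACL that should produce no finding.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "aws_s3_bucket_acl.logs",
            "type": "aws_s3_bucket_acl",
            "change": {"actions": ["create"], "after": {"acl": "public-read"}},
        },
        {
            "address": "aws_security_group.bastion",
            "type": "aws_security_group",
            "change": {
                "actions": ["create"],
                "after": {
                    "ingress": [
                        {"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"]},
                        {"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["10.0.0.0/8"]},
                    ]
                },
            },
        },
        {
            "address": "aws_s3_bucket_acl.private",
            "type": "aws_s3_bucket_acl",
            "change": {"actions": ["create"], "after": {"acl": "private"}},
        },
    ]
})

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def rule_public_bucket_acl(rc):
    """Flag S3 bucket ACLs that grant anonymous read or write access."""
    acl = rc["change"]["after"].get("acl")
    if acl in ("public-read", "public-read-write"):
        return (f"{rc['address']}: bucket ACL '{acl}' exposes objects to "
                "anonymous users; set acl = \"private\" and serve objects "
                "through a CDN or presigned URLs instead.")
    return None


def rule_open_admin_port(rc):
    """Flag security-group ingress that exposes SSH/RDP to the whole internet."""
    for rule in rc["change"]["after"].get("ingress", []):
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if "0.0.0.0/0" in rule.get("cidr_blocks", []) and any(
                p in ADMIN_PORTS for p in ports):
            return (f"{rc['address']}: ingress {rule['from_port']}-{rule['to_port']} "
                    "is open to 0.0.0.0/0; restrict cidr_blocks to a VPN or "
                    "bastion range, or replace direct access with a session broker.")
    return None


# Rules are keyed by resource type so a new check is one more entry here,
# with no change to the evaluator; this is how policy-as-code tools scale
# to many business units with different local rules.
RULES = {
    "aws_s3_bucket_acl": [rule_public_bucket_acl],
    "aws_security_group": [rule_open_admin_port],
}


def evaluate_plan(plan_json):
    """Return a list of human-readable findings for the given plan JSON."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions == ["delete"]:
            continue  # resource is going away; `after` is null for deletes
        for rule in RULES.get(rc["type"], []):
            msg = rule(rc)
            if msg:
                findings.append(msg)
    return findings


def gate(plan_json):
    """CI entry point: print findings and return the exit code the job should use."""
    findings = evaluate_plan(plan_json)
    for finding in findings:
        print("DENY", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    # Pass a plan JSON file as the first argument; otherwise use the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(gate(src))
```

Run as `terraform show -json plan.out > plan.json && python guardrail.py plan.json` in the pipeline step that follows `terraform plan`; a non-zero exit blocks the deploy and the printed findings tell the engineer what to change. The same rules can be loaded into a reporting job that walks every account's plans, which is the kind of always-available posture report the first strategy asks for.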
With a holistic approach to cloud security that helps software engineers develop secure cloud infrastructure, prevents misconfiguration in deployment, and is built on a consistent and scalable foundation of policy as code, enterprises can safely scale their use of the cloud and steer clear of the dangers that have befallen otherwise sophisticated enterprise cloud customers.