Security teams should understand that cloud infrastructure differs dramatically from data center infrastructure. Vulnerabilities, attack patterns and security solutions are all different.
The cloud is not just a remote data center in the sky. DevOps developers and engineers build their cloud infrastructure when they need it and can make (and change) infrastructure decisions on the fly, including security-critical configurations. With every change comes a new risk of misconfiguration that leaves cloud environments and data open to attack, and make no mistake: bad guys will find it.
This represents a sea change in the role of the security team and how they go about securing the cloud. Attackers don’t traverse traditional networks that security teams can monitor with familiar solutions, such as intrusion detection and network security tools.
When developers build apps in the cloud, they also build the infrastructure for their apps, instead of waiting for IT teams to provide them with the physical infrastructure they need. This process is now done with code, which means that the basic mechanism of communication in cloud computing is the application programming interface (API) – the “middleman” software that allows different applications to interact. . This eliminates a fixed IT architecture requirement in a centralized data center.
It also means that the traditional data center security model — erecting an outward-facing barrier around the network perimeter to block inbound attacks — doesn’t apply in the cloud.
In an entirely software-defined world, the role of the security team becomes that of subject matter experts who impart their knowledge to the people who create applications (developers) to ensure that they are working in a secure environment. This dissemination of knowledge is done with politics as code (PaC), which allows developers to express security and compliance rules in a programming language that an application uses to verify the correctness of configurations.
PaC checks other code and runtime environments for undesirable anomaly conditions. It allows all cloud stakeholders to operate securely without ambiguity or disagreement about rules and how to apply them at both ends of the software development lifecycle (SDLC).
The security team must also change their mindset by trying to detect intrusions as they occur. It’s just not possible in the cloud. By the time they spot any suspicious activity, the hackers will have taken what they want and slipped away. Prevention has become the only hope in cloud security because hacks are too fast and hard to notice in real time.
Here are 10 questions every cloud security team should answer to effectively secure their cloud environment and data:
- How well do we understand our cloud environment and use cases? Cloud security teams can’t do their job if they don’t work closely with developers and DevOps teams to understand the architecture of their cloud environment, the applications supported by the infrastructure, the data involved, and the SDLC for the infrastructure.
- How non-compliant is our environment? It has become a fundamental but important question. Determining the answer requires regular review of the organization’s security policies and regulatory compliance standards. Most enterprise environments are not compliant. So create a prioritized remediation plan that defines specific steps and timelines to bring the cloud environment into compliance.
- How many misconfigurations do we see? The answer will depend on the size and complexity of the cloud environment, but is significant in terms of risk and the engineering resources needed to manage it. Enterprise-scale cloud environments can experience dozens or hundreds of misconfiguration deployments every day. Put processes in place to quickly identify and prioritize them by severity, then link those issues to IaC so the team can streamline resolutions.
- Are we reducing the misconfiguration rate? Cloud security can become a never-ending mole game unless teams take steps to prevent misconfigurations earlier in the SDLC, including continuous integration and continuous delivery (CI) safeguards. /CD) and IaC controls. Knowing which vulnerabilities have been discovered and patched is only one piece of the overall security puzzle. The team will also want to know what proactive steps are being taken at this time to reduce the frequency of deployed misconfigurations by checking IaC in development and in CI/CD pipelines.
- How could hackers attack the environment? Every major cloud breach involves attackers compromising the cloud API control plane for discovery, move, and mining. Security teams need to understand how these attacks occur and protect against them with secure architecture design. Think like a hacker to understand the potential blast radius of any initial penetration into your environment.
- Are we rotating cloud API keys correctly? The API control plane functions as the collection of APIs used to configure and operate the cloud. Attackers covet API keys they can use to exploit cloud environments, and these are often left in many places, including source code and on disks. Rotating API keys regularly has become one of the fastest ways to guard against this risk, but coordinate closely with application teams when changing key rotation.
- Can we respond to a zero-day event? Attackers don’t adhere to the arbitrary boundaries we tend to draw around certain parts of our system. They move freely between application and infrastructure layers to get what they are looking for. Security teams need an unobstructed top-to-bottom view of the technology stack to get full context of their security posture and immediately identify the blast radius risk of any vulnerability when it surfaces.
- How are company cloud security policies expressed? If security policies live in rulebooks and checklists, then the company requires its team members to memorize the rules. This increases the risk of human error. Express all policies in PaC to eliminate ambiguity and differences in interpretation and automate enforcement.
- Are we retaining the other teams? Security has become the biggest factor limiting the speed at which teams can move into the cloud and the success of digital transformation efforts. It’s not enough to make sure everyone is working securely in the cloud: security teams need to help the organization scale faster. Regularly measuring developer throughput will help identify delays due to manual security review and approval processes that are slowing developer productivity levels.
- Do we have what it takes to succeed? Effective cloud security requires the right tools, the right skills (especially cloud engineering and architect skills) and a holistic approach to the bridge between teams and cost centers, including the C suite. can only be successful with senior executives supporting developers and security with adequate investments of budget and time.
Companies should set up the job of securing a company’s cloud infrastructure as a constant, never-ending process, like a continuous fitness routine. Implement a policy requiring consistent reporting of the organization’s cloud security posture. Security teams will find this easier to do once they have adequately answered these 10 questions.
Josh Stella, Chief Architect, Snyk