As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Josh Stella of Snyk says it’s time to get in the bell and dive deeper into how we secure the cloud infrastructure.
Verizon recently released its 15th Annual Data Breach Investigations Report (DBIR), documenting another active year in the lives of cyber-criminals. The Verizon team put the state of cyber-crime into context, writing: “From very well publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.” This should give a great many companies pause.
Most organizations remain a step or more behind the “bad guys” despite their best attempts to thwart cyber intruders. Enterprises are bringing knives to a gunfight by applying old tools to a new threat landscape they have yet to grasp thoroughly. Because cloud attackers don’t typically traverse traditional networks that can be monitored and addressed with familiar solutions, security teams are forced to navigate an unfamiliar and rapidly changing cloud environment— and are over-rotating on one area.
Beyond the Entry Point
With the majority of new applications and developer workflows now in the cloud, most attackers don’t have to work too hard to find an initial entry point into enterprise systems. They deploy automated technology to scan for any vulnerabilities in apps or infrastructure. In minutes, they can generate an array of options. While technologies to ensure security updates and proper cloud configurations are improving, they’re still not enough— even when they’re catching hundreds of misconfigurations a day. Sooner or later, someone will slip through and gain access to the cloud API control plane. This is an event for which companies are ill-prepared.
In the cloud, developers use cloud provider APIs to build and manage their cloud environments, often programming these tasks using infrastructure as code (IaC) tools. They’re defining and changing security-critical configurations in real-time, bringing a more significant risk of misconfiguration and, thus, vulnerabilities. In the wrong hands, the collection of APIs used to configure and operate the cloud is a potent and dangerous tool, and preventing this access must be a top priority for every cloud security team.
Securing the Control Plane
Here are the top steps teams should take to reduce risk at the control plane, where architecture is most vulnerable.
- Expand your definition of cloud misconfiguration. Security teams must consider misconfigurations of the whole environment involving multiple resources and how they relate to each other. So, when security teams assess the blast radius of any potential penetration event, they need to look at resource access policies as well as identity and access management (IAM) configurations to identify overly permissive settings. Attackers can exploit these for discovery, movement, and data extraction. Once identified, they can collaborate with DevOps teams to rework and address these vulnerabilities. Addressing architectural security in the design and development phases puts a company in a much better position to defend against these attacks.
- Adopt policy as code (PaC) to align teams and automate security. Using a PaC approach empowers teams to express security and compliance rules in a programming language that an application can use to check the correctness of configurations and identify unwanted conditions or things that should not be. It also aligns all teams under a single source of truth for security policy, eliminates human error in interpreting and applying that policy, and powers security automation (evaluation, enforcement, etc.) at every stage of the software development life cycle (SDLC), which is pretty cohesive and effective when put in practice.
- Use PaC to check cloud security pre-deployment. Engineers are using IaC to express the infrastructure they want and deploy it automatically, providing the opportunity to ensure infrastructure is secure pre-deployment — rather than just after the fact. Doing so enables teams to design inherently more secure environments by preventing the introduction of misconfiguration to environments and minimizing threats to the control plane. This has the added benefit of reducing the burdens on security teams who are managing misconfiguration alerts and engineering teams tasked with remediating them. It can also help speed up deployment approval processes.
- Don’t get overly confident and keep an eye on the running system. You can’t prevent every cloud vulnerability in the development phase, so you need deployment guardrails and continuous monitoring of the running environment. Enterprises should use automated security checks built into the continuous integration and continuous delivery (CI/CD) pipeline, which can alert the team if there’s an issue — and even block a build if the issue is critical. And once cloud infrastructure is deployed and running, understand that changes will keep happening, even outside of your approved and automated pipeline. Continuously monitor the state of your environment to identify and remediate any dangerous changes that have been made.
- Champion cloud security architecture expertise. The cloud landscape is rapidly changing, and it is imperative that cloud security engineers work closely with developers and DevOps teams to stay on top of new use cases in order to continue improving and securing applications throughout the development process. Ensure you understand the architectures in use, the applications they support, and how data is being used. This collaboration and knowledge is vital for safeguarding the cloud control plane and sensitive data.
These steps should help render any attack penetration event moot— before it occurs. Even if the stealthiest attacker reaches the control plane, he or she will gain nothing from the effort.
- Dive Deeper: Reconsidering How to Secure Cloud Infrastructure - September 27, 2022