Cloud security should be viewed by enterprises not as a roadblock, but as a means of enabling innovation, according to Snyk Chief Architect Josh Stella.
Cloud infrastructure environments often foster complex misconfigurations that can result in system downtime or major breaches.
Those misconfigurations can range from simple errors involving single resources to broader architectural design flaws involving multiple resources that are harder for security teams to catch, Stella explained.
Misconfigurations are a globally recognized problem, according to the National Security Agency. “Misconfiguration of cloud resources remains the most prevalent cloud vulnerability,” the agency stated in a recent report, adding that it contributes a good deal of complexity to securely configuring the cloud.
Because cloud computing is based in software, these mistakes are “entirely preventable,” Stella said. He suggests implementing these five strategies to avoid cloud security mistakes.
Think Like a Hacker
Knowing your environment is foundational to successfully securing it. Stella recommends understanding how all pieces of your environment run in full context — how it’s designed and deployed, and how hackers might exploit it.
“If you’re solely focused on eliminating individual misconfigurations, you need to get it right 100% of the time, when hackers only need to get lucky once. You need to understand what an attacker could do should they penetrate your environment,” Stella explained.
Integrate Security and Design
At the point that an attacker gains access to your environment and compromises the control plane, it’s too late to detect and stop the attack.
The trick is to prevent misconfigurations from being deployed in the first place. This is done by designing cloud environments to protect the control plane from adversaries and decrease the blast radius of any potential attack, Stella said.
Successful and secure organizations have added security considerations to their design processes to prevent the types of cloud vulnerabilities attackers target in initial deployment processes.
Shift Security Left
The third strategy Stella observes in practice at organizations with comprehensive cloud security is shifting security left.
This means empowering developers and DevOps engineers — everyone involved in designing, developing and managing cloud infrastructure — with tools to help them design and deploy securely, said Stella.
“This is a sea change in the relationship between your security team, developers, and operations,” he noted. “Security teams take on the role of security architects, guiding other teams.”
Implement Policy as Code
The technology enabler for the aforementioned strategy is policy as code. By aligning all teams under “the same source of truth regarding security,” enterprises can build a scalable technological foundation for cloud security, Stella said.
Building applications for the cloud is different from the traditional practice of deploying apps onto physical data-center infrastructure, because it includes creating the infrastructure for the applications. That is done with code, which means DevOps and developers are in charge of that process.
“This new paradigm compels the security team to become the domain experts on secure cloud architecture and impart that knowledge to the developers to help them build securely,” Stella explained. The way they do that is through policy as code.
Policy as code allows security teams to share security and compliance rules via a programming language that an application uses to check configurations for mistakes. This can be done automatically to check other code or running environments for “dangerous misconfigurations” or other unwanted conditions, Stella said.
“This means all cloud stakeholders are operating on the same page on security without ambiguity or disagreement on the rules, and different teams are empowered to apply policy at every stage of the software development life cycle,” he explained.
Automating that process of finding and fixing cloud misconfigurations is crucial to eliminating vulnerabilities before attackers can get to them. It also decreases the manual burden on security teams that are stretched thin amid the skills shortage.
“When that automation is built on policy as code, you can scale it as cloud use and complexity grows. And developers can use those same policies to ensure infrastructure is secure pre-deployment to reduce the frequency of misconfigurations that need to be addressed by security teams,” Stella added.
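To make the mechanism concrete, here is an added example (not code from Snyk, the article, or any vendor tool) of policy as code in its simplest form: security-owned rules written as plain Python functions, registered under stable names, and run over infrastructure definitions by whoever needs them, whether a developer before a pull request, CI before deployment, or a scheduled job over a snapshot of the running environment. The resource schema (`type`, `name`, `ingress`, `encryption`, `statements`) and the sample resources are constructed for this example and do not model Terraform or any provider's real API.

```python
"""Policy as code: security rules as Python functions that every team runs
over the same infrastructure data, pre- or post-deployment.

Added example. The resource schema below is a constructed, simplified model,
not Terraform or any cloud provider's real API.
"""
import ipaddress
from typing import Callable, Dict, List

Resource = Dict[str, object]
Policy = Callable[[Resource], List[str]]

# Registry: policy name -> check function. The security team owns this file;
# developers and CI consume it, so everyone evaluates the same source of truth.
POLICIES: Dict[str, Policy] = {}


def policy(name: str):
    """Decorator that registers a check under a stable, reportable name."""
    def register(fn: Policy) -> Policy:
        POLICIES[name] = fn
        return fn
    return register


ADMIN_PORTS = (22, 3389)  # SSH and RDP: should never be open to the whole internet


@policy("no-admin-ports-open-to-world")
def no_admin_ports_open_to_world(res: Resource) -> List[str]:
    if res["type"] != "security_group":
        return []
    findings = []
    for rule in res.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen != 0:  # only 0.0.0.0/0 and ::/0 count as "the world"
            continue
        for port in ADMIN_PORTS:
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append(f"port {port} reachable from {rule['cidr']}")
    return findings


@policy("bucket-encryption-required")
def bucket_encryption_required(res: Resource) -> List[str]:
    if res["type"] != "storage_bucket":
        return []
    if not res.get("encryption", {}).get("enabled", False):
        return ["server-side encryption is not enabled"]
    return []


@policy("no-wildcard-iam-allow")
def no_wildcard_iam_allow(res: Resource) -> List[str]:
    if res["type"] != "iam_policy":
        return []
    findings = []
    for stmt in res.get("statements", []):
        if (stmt.get("effect") == "Allow" and "*" in stmt.get("actions", [])
                and "*" in stmt.get("resources", [])):
            findings.append("Allow * on * grants unrestricted access")
    return findings


def evaluate(resources: List[Resource], policies: Dict[str, Policy] = POLICIES):
    """Run every registered policy over every resource; return a flat list of findings."""
    results = []
    for res in resources:
        for name, check in policies.items():
            for message in check(res):
                results.append({"policy": name, "resource": res["name"], "message": message})
    return results


def gate(resources: List[Resource]) -> bool:
    """CI-style gate: True when deployment may proceed (no findings)."""
    return not evaluate(resources)


# Constructed sample environment with three deliberate misconfigurations.
SAMPLE_RESOURCES: List[Resource] = [
    {"type": "security_group", "name": "web-sg", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 80, "to_port": 80},
        {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},   # mistake: SSH to the world
    ]},
    {"type": "security_group", "name": "bastion-sg", "ingress": [
        {"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22},  # fine: internal range only
    ]},
    {"type": "storage_bucket", "name": "audit-logs", "encryption": {"enabled": True}},
    {"type": "storage_bucket", "name": "uploads"},                 # mistake: no encryption
    {"type": "iam_policy", "name": "read-only", "statements": [
        {"effect": "Allow", "actions": ["storage:GetObject"], "resources": ["bucket/audit-logs/*"]},
    ]},
    {"type": "iam_policy", "name": "break-glass", "statements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]},  # mistake: full admin
    ]},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESOURCES):
        print(f"[{f['policy']}] {f['resource']}: {f['message']}")
    print("deploy allowed:", gate(SAMPLE_RESOURCES))
```

The design point is that the same `evaluate` function serves both uses the article mentions: run it in CI over parsed infrastructure code to block a merge (`gate`), and run it on a schedule over an inventory export of the live environment to catch drift. Because policies are named and return structured findings, the output can feed the metrics described later (open findings per policy, time to fix) without any separate tooling.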
Measure What Matters
Finally, secure enterprises identify key risk, velocity, and security investment metrics to track before establishing baselines, setting targets, and measuring progress.
“You need to know where you stand today on cloud security, where you want to go, and be able to measure your progress along the way,” Stella said. Consider how much risk you’re taking in the cloud, how quickly your teams deliver cloud security progress, and how many engineering hours are invested in cloud security, for example.
These strategies are in practice at many organizations with effective cloud security programs and should be possible for any enterprise to emulate, Stella concluded.
BRAMS: Partnerships with the Leaders
With its expertise, BRAMS offers you market-leading cloud solutions billed per use. With BRAMS, you can unleash your full potential and focus on what matters most: your activities, with maximum security for your systems. Thanks to its partnerships and collaboration with the biggest global cloud pioneers (Microsoft, Amazon Web Services, IBM Cloud and Google Cloud), BRAMS has developed a multi-industry focus, supporting companies of different sectors and sizes in moving to the cloud, backed by more than two decades of expertise.