In brief video explainers and commentary, Josh Stella, co-founder and CEO of Fugue, a cloud security SaaS company, talks to business and security leaders about why outages and breaches like the recent Facebook and Twitch incidents keep happening, how cloud configuration is the new attack surface, and how companies need to move from a defensive to a preventive posture to secure their cloud infrastructure.
This month, Facebook and Twitch both suffered serious damage at their own hands, and every executive needs to understand what happened and how these types of incidents are preventable.
We've seen enterprise cloud customers fall victim to their own preventable configuration mistakes many times before. What's notable here is that Facebook and Twitch are essentially customers of their own cloud platforms. When you consider how much complexity the cloud providers have pushed to their customers, it becomes clear why these incidents keep happening: not because people are bad at cloud security, but because it's really hard to get good at it. Let's explore that.
Why Cloud Risk Is Configuration Risk
The cloud attack surface is configuration, not the network. Configuration is essentially how you've designed and built your infrastructure. The word "configuration" can feel like a small detail, but in the cloud, configuration is a big deal. A mistake here can create vulnerabilities and break applications. A single misconfiguration can have a huge blast radius in terms of system downtime or a data breach, and the resulting loss of revenue and customer trust.
Take a car, for example. A car has an engine, a transmission, wheels, etc. All of these components have configurations, some of which are related to safety and regulated by law. People and machines inspected the configurations of the car before it rolled off the line, which the owner may have changed over time. A safety inspector flags configuration violations because bad configuration can cause a breakdown or an accident.
In terms of scale and complexity, an enterprise cloud environment is more like an aircraft carrier. It can contain hundreds of thousands of resources, each involving dozens of configurations. Cloud engineering teams are making dozens, or hundreds, of configuration changes every day. Back to the car analogy, this is like swapping in a new transmission while driving down the highway at 70 mph, without slowing down.
Clouds Change Constantly, and Every Change Brings Risk
The cloud is the most secure computing platform humans have ever produced, provided you build it correctly and ensure changes don't introduce vulnerabilities. That's the hard part.
The constant state of change is what gives the modern enterprise what it needs to succeed in the cloud: speed and agility. Companies operating in the cloud generally realize a faster time to market than those operating in a data center. But all that change brings great risk. Humans are making configuration decisions every day and then changing them the next. How informed are those decisions when it comes to security?
Unfortunately, the answer is "not enough." This is not meant to disparage software engineers. We ask a lot from them, and they produce great things for us. But humans are terrible at keeping thousands of data points, and thousands more rules, in our heads. No human can possess full knowledge of a cloud-based system and the security implications each change will bring. Yet full knowledge of your cloud environment, and denying your adversaries that knowledge, is essential to keeping it secure.
As cloud environments grow bigger and more complex, this problem will only get worse.
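The problem described above, that no human can hold every configuration rule in their head, is the case for writing the rules down as code and running them against the environment automatically. The script below is an added example, not code from Fugue or from this release: it encodes three common cloud misconfiguration rules as functions and evaluates them over a constructed inventory of resources. The inventory, the resource shapes (loosely modelled on AWS S3 buckets, security groups and IAM roles) and the rule identifiers are all assumptions made for illustration.

```python
"""Policy-as-code check over a cloud configuration snapshot (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # rule identifier (made up for this example)
    resource: str   # which resource violated it
    detail: str     # the offending configuration values


# Constructed sample inventory: what a scanner might collect from one account.
# Names, IDs and shapes are assumptions; they are simplified, not real API output.
SAMPLE_INVENTORY = {
    "s3_buckets": [
        {"name": "prod-invoices", "public_access_block": True, "acl": "private"},
        {"name": "marketing-assets", "public_access_block": False, "acl": "public-read"},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_roles": [
        {"name": "app-role",
         "policy": {"Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::prod-invoices/*"}},
        {"name": "ops-role", "policy": {"Action": "*", "Resource": "*"}},
    ],
}

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}         # "the whole internet" in IPv4 and IPv6


def check_public_buckets(inv: dict) -> list[Finding]:
    """Flag buckets readable by anyone: a public ACL or no public access block."""
    out = []
    for b in inv.get("s3_buckets", []):
        acl = b.get("acl", "private")
        blocked = b.get("public_access_block", False)
        if acl != "private" or not blocked:
            out.append(Finding("s3-no-public-access", b["name"],
                               f"acl={acl} public_access_block={blocked}"))
    return out


def check_open_admin_ports(inv: dict) -> list[Finding]:
    """Flag security groups that expose SSH or RDP to the whole internet."""
    out = []
    for sg in inv.get("security_groups", []):
        for rule in sg.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANYWHERE:
                out.append(Finding("sg-no-public-admin-port", sg["id"],
                                   f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_wildcard_iam(inv: dict) -> list[Finding]:
    """Flag roles granted every action on every resource (full admin)."""
    out = []
    for role in inv.get("iam_roles", []):
        pol = role["policy"]
        actions = pol["Action"] if isinstance(pol["Action"], list) else [pol["Action"]]
        if "*" in actions and pol.get("Resource") == "*":
            out.append(Finding("iam-no-wildcard-admin", role["name"], "Action=* on Resource=*"))
    return out


# The rule set is just a list of functions: adding a rule means adding a function.
RULES = [check_public_buckets, check_open_admin_ports, check_wildcard_iam]


def evaluate(inv: dict) -> list[Finding]:
    """Run every rule over the inventory and collect all findings."""
    findings: list[Finding] = []
    for rule in RULES:
        findings.extend(rule(inv))
    return findings


def is_compliant(inv: dict) -> bool:
    """True only when no rule produced a finding; suitable as a CI/CD gate."""
    return not evaluate(inv)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.rule}: {f.resource} ({f.detail})")
    print("compliant:", is_compliant(SAMPLE_INVENTORY))
```

Against the sample inventory the three rules flag the public bucket, the bastion group with port 22 open to the world, and the wildcard admin role; the compliant resources beside them pass. The same functions can run over a snapshot of the live account or over what an infrastructure-as-code template would create, which is the point: the rules live in a repository, not in anyone's head, and every change is checked against all of them.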
21st Century Armchair Hacking
The good news is that cloud security teams are becoming more aware of this challenge. The bad news is that we're way behind the hackers, who have gotten very efficient at acquiring the knowledge they need to exploit cloud systems. They use automation to scan the internet looking for cloud misconfigurations they can use to access an environment. Once in, they leverage additional mistakes to discover resources, move laterally, and extract data without detection.
Twitch didn't become aware of its breach until its data started showing up on the internet, and a single server misconfiguration enabled the hacker to breach data well beyond the domain of that one server. The same thing happened to Capital One a few years ago, and they're widely recognized as being among the best at cloud security.
What Business and Security Leaders Can Do Today
Every business and security leader operating in the cloud needs to be paying attention and asking questions. You can be far more secure in the cloud than in a data center and certainly more competitive. But just because you can be more secure in the cloud doesn't mean you are today. It's safe to assume you aren't safe.
Here are five essential steps:
In a four-minute video, www.youtube.com/watch?v=naFW_Ejiqgk, Josh Stella explains in lay terms: an overview of the Facebook outage and Twitch breach, what cloud configuration is, why misconfigurations keep happening, what business leaders can do to assess their risk, and how companies can build security into their cloud to prevent loss of revenue and trust.
About Josh Stella
Josh Stella, co-founder and CEO of Fugue, is a technical authority on cloud security. Bringing 25 years of expertise as a chief technology officer, principal solutions architect at Amazon Web Services, and advisor to intelligence agencies, Josh founded Fugue in 2013 to help companies proactively change the security paradigm and get ahead of the hackers. He wrote the first book on "Immutable Infrastructure," holds numerous cloud security technology patents, and hosts complimentary Cloud Security Masterclasses. Connect with Josh on LinkedIn and via Fugue at www.fugue.co.
About Fugue
Fugue is a cloud security SaaS company enabling regulated companies such as AT&T, Red Ventures, and SAP NS2 to ensure continuous cloud security and earn the confidence and trust of customers, business leaders, and regulators. The Fugue Platform secures the entire cloud development life cycle, from infrastructure as code through the runtime, with the same platform and rules across AWS, Azure, and Google Cloud. Fugue pioneered the use of Policy as Code for cloud security automation to empower engineering and security teams to move faster and do more with fewer resources. The company stands by a unique Fugue Guarantee that gives enterprises a simplified, actionable cloud compliance report in 15 minutes. For more information, connect with Fugue at www.fugue.co, GitHub, LinkedIn and Twitter.
All brand names and product names are trademarks or registered trademarks of their respective companies.
Tags: Fugue, cloud security, SaaS, Facebook, Twitch, policy as code, cloud, infrastructure as code, IaC, Josh Stella, open source, cloud security automation, network configuration, cloud configuration, cloud misconfiguration