Le Lézard
Classified in: Science and technology
Subjects: Photo/Multimedia, Product/Service

Why Facebook Outage and Twitch Breach Matter to Business Leaders


In brief video explainers and commentary, Josh Stella, co-founder and CEO of Fugue, a cloud security SaaS company, talks to business and security leaders about why outages and breaches like the recent Facebook and Twitch incidents keep happening, how cloud configuration is the new attack surface, and how companies need to move from a defensive to a preventive posture to secure their cloud infrastructure.

This month, Facebook and Twitch both suffered serious damage at their own hands, and every executive needs to understand what happened and how these types of incidents are preventable.

We've seen enterprise cloud customers fall victim to their own preventable configuration mistakes many times before. What's notable here is that Facebook and Twitch are essentially customers of their own cloud platforms. When you consider how much complexity the cloud providers have pushed to their customers, these incidents keep happening, not because people are bad at cloud security but because it's really hard to get good at it. Let's explore that.

Why Cloud Risk Is Configuration Risk

The cloud attack surface is configuration, not the network. Configuration is essentially how you've designed and built your infrastructure. The word "configuration" can feel like a small detail, but in the cloud, configuration is a big deal. A mistake here can create vulnerabilities and break applications. A single misconfiguration can have a huge blast radius in terms of system downtime or a data breach, and the resulting loss of revenue and customer trust.

Take a car, for example. A car has an engine, a transmission, wheels, etc. All of these components have configurations, some of which are related to safety and regulated by law. People and machines inspected the car's configurations before it rolled off the line, and the owner may have changed them over time. A safety inspector flags configuration violations because bad configuration can cause a breakdown or an accident.

In terms of scale and complexity, an enterprise cloud environment is more like an aircraft carrier. It can contain hundreds of thousands of resources, each involving dozens of configurations. Cloud engineering teams are making dozens, or hundreds, of configuration changes every day. Back to the car analogy, this is like swapping in a new transmission while driving down the highway at 70 mph, without slowing down.

Clouds Change Constantly, and Every Change Brings Risk

The cloud is the most secure computing platform humans have ever produced, if you build it correctly and ensure changes don't introduce vulnerabilities. That's the hard part.

The constant state of cloud change plays a crucial role in the modern enterprise's success: speed and agility. Companies operating in the cloud generally realize a faster time to market than those operating in a data center. But all that change brings great risk. Humans are making configuration decisions every day and then changing them the next. How informed are those decisions when it comes to security?

Unfortunately, the answer is "not enough." This is not meant to disparage software engineers. We ask a lot from them, and they produce great things for us. But humans are terrible at keeping thousands of data points, and thousands more rules, in our heads. No human can possess full knowledge of a cloud-based system and the security implications each change will bring. But full knowledge of your cloud environment, and denying your adversaries that knowledge, is essential to keeping it secure.

As cloud environments grow bigger and more complex, this problem will only get worse.

21st Century Armchair Hacking

The good news is that cloud security teams are becoming more aware of this challenge. The bad news is that we're way behind the hackers, who have gotten very efficient at acquiring the knowledge they need to exploit cloud systems. They use automation to scan the internet looking for cloud misconfigurations they can use to access an environment. Once in, they leverage additional mistakes to discover resources, move laterally, and extract data without detection.

Twitch didn't become aware of its breach until its data started showing up on the internet, and a single server misconfiguration enabled the hacker to breach data well beyond the domain of that one server. The same thing happened to Capital One a few years ago, and they're widely recognized as being among the best at cloud security.

What Business and Security Leaders Can Do Today

Every business and security leader operating in the cloud needs to be paying attention and asking questions. You can be far more secure in the cloud than in a data center and certainly more competitive. But just because you can be more secure in the cloud doesn't mean you are today. It's safe to assume you aren't safe.

Here are five essential steps:

In a four-minute video, www.youtube.com/watch?v=naFW_Ejiqgk, Josh Stella explains in lay terms: an overview of the Facebook outage and Twitch breach, what cloud configuration is, why misconfigurations keep happening, what business leaders can do to assess their risk, and how companies can build security into their cloud to prevent loss of revenue and trust.

About Josh Stella

Josh Stella, co-founder and CEO of Fugue, is a technical authority on cloud security. Bringing 25 years of expertise as a chief technology officer, principal solutions architect at Amazon Web Services, and advisor to intelligence agencies, Josh founded Fugue in 2013 to help companies proactively change the security paradigm and get ahead of the hackers. He wrote the first book on "Immutable Infrastructure," holds numerous cloud security technology patents, and hosts complimentary Cloud Security Masterclasses. Connect with Josh on LinkedIn and via Fugue at www.fugue.co.

About Fugue

Fugue is a cloud security SaaS company enabling regulated companies such as AT&T, Red Ventures, and SAP NS2 to ensure continuous cloud security and earn the confidence and trust of customers, business leaders, and regulators. The Fugue Platform secures the entire cloud development life cycle, from infrastructure as code through the runtime, with the same platform and rules across AWS, Azure, and Google Cloud. Fugue pioneered the use of Policy as Code for cloud security automation to empower engineering and security teams to move faster and do more with fewer resources. The company stands by a unique Fugue Guarantee that gives enterprises a simplified, actionable cloud compliance report in 15 minutes. For more information, connect with Fugue at www.fugue.co, GitHub, LinkedIn and Twitter.

All brand names and product names are trademarks or registered trademarks of their respective companies.

Tags: Fugue, cloud security, SaaS, Facebook, Twitch, policy as code, cloud, infrastructure as code, IaC, Josh Stella, open source, cloud security automation, network configuration, cloud configuration, cloud misconfiguration

