Cloud infrastructure misconfiguration has emerged as an increasingly common and destructive problem in the past year. With so many organizations moving their operations to the cloud, implementation and configuration errors are often made that can easily be exploited to gain unauthorized access to data, leaving infrastructures vulnerable to unforeseen cyber risk.
Additionally, many organizations continue to place too much faith in their cloud providers, assuming the onus is not on them but rather on their providers to ensure security. Such misguided assumptions can lead to dire consequences, however, with Gartner estimating that by 2020, 95 percent of all cloud security incidents will be the customer’s fault.
Why Misconfiguration Occurs
On the surface, overcoming cloud misconfiguration obstacles may seem straightforward enough. Theoretically, IT teams should simply be able to double check their work and ensure everything is correctly implemented before going live. However more often than not, cloud operations teams are fighting a learning curve when it comes to security implementations and may not even realize they’ve made configuration errors in the first place. Mistakes are discovered after complex migrations have taken place, making it even more difficult to backtrack, identify and resolve the myriad of errors. Furthermore, security teams don’t have the visibility they require in order to find these misconfigurations so they can fix them.
The prevalence of errors in cloud infrastructure security configurations can be attributed in large part to the fact that cloud security training is relatively new – and finding professionals educated in the finer points of cloud security is difficult. There is a large learning curve for those versed in traditional cybersecurity to become experts in cloud security, so even your current security staff experts will need time to master this new skill. This will improve over time, naturally, but when organizations don’t have the most qualified professionals doing the job, errors are inevitable and security suffers. In fact, industry analyst firm Gartner found recently that talent shortage was one of the top three risks for business executives today.
Another contributing factor to cloud configuration problems is the accelerated rate of change made possible by cloud-native platforms and agile methodologies such as DevOps. Many organizations have recognized the benefits of DevOps in accelerating delivery of new applications and services — an essential component for remaining competitive in today’s fast-paced market. However, the very principles that make DevOps so impactful (i.e. move fast, take calculated risks, use whatever resources needed to get the job done) can undercut security. For example, DevOps engineers may circumvent security processes entirely to develop and deploy apps as quickly as possible and avoid a lengthy security check. This is often the case for organizations with security teams that face double, or triple, the number of changes without the manpower or tools to meet SLAs. As a result, DevOps teams often retain control over the cloud infrastructure and new technologies such as containers that further obscure security’s visibility over existing access controls. However, removing unused and therefore unnecessary access is a security practice and not a development practice. And without visibility over existing access controls, security is blind to an application’s exposure and attack surface.
Policy-Driven Automation Benefits
Considering the ubiquity of configuration errors, an unrelenting shortage of cybersecurity professionals and the rise of fast-paced DevOps methodologies, organizations need to proactively build in controls that will ensure their cloud configurations are secure and that their implementations are compliant with both company policies and industry regulations. By leveraging the power of policy-driven automation, organizations can establish clear cloud security policies to guide their cloud teams and ensure warning flags are sent immediately if and/or when violations or misconfigurations arise.
Unlike traditional cloud security tools, policy-driven automation guarantees that all configurations are implemented with consideration of relevant policies, follow a documented process, and are proactively examined for violations before they’re approved. Policy-driven automation also offers significant benefits for the physical network environment, including effective management of network segmentation, reduced audit preparation time, guaranteed application connectivity, and accelerated application migration.
The Future Requires Central and Automated Security Policy Management
In an era of ever-increasing network complexity, cloud adoption, and audit and compliance demands, policy-driven automation is crucial. By automatically managing the complex calculations and analysis that would otherwise require labor-intensive and error-prone work, policy automation enables organizations to better leverage their existing IT teams, regardless of their skill level or workload.
Furthermore, by providing greater visibility across hybrid networks, implementing security changes in minutes instead of days, and ensuring any access changes on company networks are compliant,
policy-driven automation allows organizations to remain productive and agile in today’s highly competitive business landscape.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.