Cloud-native companies and larger companies migrating to cloud environments continue to see the cloud as a way to gain speed, reliability, and other well-known benefits. But there are still plenty of pitfalls that can undermine security and negatively impact operations. To help remedy this situation, this post outlines some of the mistakes that operators make most frequently, along with best practices and recommendations they can follow to proactively reduce risk, achieve their security goals, and continue along the path to stronger cloud security maturity.
1. Key differences between cloud environments and traditional on-prem and hybrid cloud environments
Believe it or not, cloud can still be a brand new concept for many old school security teams. This leads them to try porting over the traditional, on-premises security skills they have developed over a long career and apply them to a cloud environment that is fundamentally different.
Many of these old school security teams struggle to understand the nuances of access in cloud environments. The same CSO who wouldn’t allow a developer physical access to their data center doesn’t think twice about giving that developer full access to an AWS account.
The same concept applies to organizations with hybrid cloud environments. They attempt to mirror their private cloud security policies to a public cloud environment, and that can lead to all kinds of security and operational headaches down the road. In cases such as these, there is a need for the old school practitioners to develop a new mindset that’s based on the specific characteristics of cloud environments and the security measures that are suited to the cloud.
2. Trends in threats facing organizations that have cloud-native environments
Threats facing cloud-native environments are fundamentally centered on the abuse of identity access and the exploitation of short-term mistakes to create long-term impacts. Malicious actors realize that attacking a fully hardened system is extremely difficult. This is why the majority have shifted to constantly scanning target public cloud accounts, looking for the slightest mistake they can use as a foothold into the system.
Once they gain that foothold, they look for ways to expand and move laterally, as we described in our anatomy of a sophisticated attack on public cloud infrastructure. The kinds of footholds that malicious actors exploit can take many forms, including a developer forgetting to take down a test system or neglecting to patch a new vulnerability.
The challenge with these small mistakes is that they can have a very long shelf-life. In the old days of on-premises data centers, it was much easier to control these types of mistakes, but in cloud environments, a system that has been left accessible for a very short period of time can come back to bite you months down the road.
3. How companies can address these trends
The specifics of how organizations address these trends can and should vary in terms of each company’s unique risk environment, but the fundamental principles remain the same across the board:
- Understand who is accessing your system.
- Control who has access and what they can access.
- Monitor these controls to ensure that they are effective, and keep learning how to continue on your path to increased cloud security maturity.
4. Recommendations for identifying and assessing risk in order to determine security priorities
It all comes down to security observability. To make any meaningful change, you first need to have an understanding of your cloud environment. Once you understand your current state, you can create an ongoing plan that’s designed to strengthen your cloud security observability and overall security maturity, taking into account the realities of your unique environment and business goals.
The truth is that there will always be some level of risk involved in a business. An organization should aim to minimize that risk as much as possible without slowing down the business, while still enabling developers to do their jobs effectively.
5. Some of the most common challenges companies face in cloud-native environments
The vast majority of challenges boil down to resource prioritization. There is a limited supply of both human talent and financial budget. It is up to the Security and Development teams to agree on the proper allocation of those resources, and this inevitably leads to something getting deprioritized.
This calculus becomes much more difficult in a cloud-native environment because of the disconnect between Security teams that don’t understand the nuances of public cloud infrastructure and Operations and Development teams that are being driven by the C-suite to increase efficiency as much as possible and get new applications out the door quickly.
6. Specific steps companies should take to become more mature in their cloud security controls and monitoring solutions over time
One of the biggest steps companies can take is eliminating manual actions as much as possible. The vast majority of incidents start with a manual change that doesn’t have a peer review, doesn’t follow defined processes, or requires someone to manually decommission it at a later date. There are way too many opportunities for a change like that to go wrong, and it often does. (Patrick Cable, Threat Stack’s Director of Platform Security, created Trash Taxi in response to this type of problem. Trash Taxi is an open source tool that enables an organization to balance its need to allow some amount of access to a machine, while ensuring that the machine is terminated at a later time. Developers get the information they need, Operations can share responsibility, and Security can sleep (slightly more) soundly at night.)
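The pattern behind that kind of tool, as an added illustration (this is not Trash Taxi’s code): a host that received manual access gets a termination deadline, and a sweeper decides which hosts are past it. The tag names, the 24-hour grace period and the host records are assumptions constructed for the example.

```python
"""Added example, not Trash Taxi's own code: decide which hosts that
received manual access are past their termination deadline.

Assumed conventions (not from the post): a manual login tags the host
with manual-access=true and manual-access-at=<ISO 8601 UTC>; a touched
host is decommissioned once the grace period has elapsed."""
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)  # assumed policy: a touched host lives one more day

def parse_ts(value):
    # Accept the trailing 'Z' that many tools emit for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_hosts(hosts, now):
    """Return (terminate, untagged, clean) lists of host ids.

    terminate: manual access older than GRACE, decommission now
    untagged:  manual access recorded without a timestamp; cannot be
               aged, so flag it for a human instead of guessing
    clean:     never touched manually, or still inside the grace window
    """
    terminate, untagged, clean = [], [], []
    for host in hosts:
        tags = host.get("tags", {})
        if tags.get("manual-access") != "true":
            clean.append(host["id"])
            continue
        ts = tags.get("manual-access-at")
        if not ts:
            untagged.append(host["id"])
            continue
        if now - parse_ts(ts) > GRACE:
            terminate.append(host["id"])
        else:
            clean.append(host["id"])
    return terminate, untagged, clean

SAMPLE_HOSTS = [  # constructed sample data
    {"id": "i-0001", "tags": {"manual-access": "true",
                              "manual-access-at": "2019-10-01T09:00:00Z"}},
    {"id": "i-0002", "tags": {"manual-access": "true",
                              "manual-access-at": "2019-10-03T08:30:00Z"}},
    {"id": "i-0003", "tags": {"manual-access": "true"}},
    {"id": "i-0004", "tags": {"role": "web"}},
]
SAMPLE_NOW = datetime(2019, 10, 3, 12, 0, tzinfo=timezone.utc)

def sweep_sample():
    return classify_hosts(SAMPLE_HOSTS, SAMPLE_NOW)

if __name__ == "__main__":
    print(sweep_sample())
```

A host without a timestamp is deliberately reported rather than terminated or ignored, since silently keeping it is exactly the long-shelf-life mistake described above.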
Another big step is to begin isolating systems that don’t need to talk together. By limiting access and permissions only to what is required, for both systems and people, you can drastically reduce the blast radius of attacks by limiting the ability of users and systems to move around your environment.
In addition, you can opt to require stronger authentication for sensitive operations, such as online payments. Not all parts of your environment are created equal, and forcing stronger authentication where necessary allows you to enforce a heightened security posture on your most critical items, without slowing down users at every step of their work.
While applying a zero-trust mentality to people and systems may sound simple, it often leads to issues within the business and can make jobs more difficult. This leads to another and much more abstract step that organizations should take: shift the perception of security from a business inhibitor to a trusted partner. This requires both strong technical and interpersonal skills on the security team. You need to be able to explain why Joe from Accounting does not necessarily need access to the AWS account, even if that access saves him ten minutes during his end-of-month budget review process. Relating security to a tangible impact that Joe can understand and respect can go a long way toward collaboration and adoption.
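One concrete check behind the “limit permissions to what is required” and “Joe does not need full access to the AWS account” points, added here as an example (not Threat Stack’s code): flag policy statements in an IAM-style document that grant wildcard actions or resources. The policy documents are constructed samples.

```python
"""Added example: audit IAM-style policy documents for the broad grants
the post warns about (every action, every resource). The two sample
policies below are constructed for illustration."""
import json

def _as_list(value):
    # IAM allows a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]

def broad_statements(policy_json):
    """Return (sid, reason) findings for Allow statements that are too broad."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; not a concern here
        sid = stmt.get("Sid", f"stmt{idx}")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((sid, "all actions (*)"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "all actions on a service"))
        # A bare '*' resource is acceptable only when a Condition fences it.
        if "*" in resources and "Condition" not in stmt:
            findings.append((sid, "all resources without a Condition"))
    return findings

# Constructed sample: the "full access to the AWS account" grant.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAccess", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
})

# Constructed sample: what Joe from Accounting actually needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadBudgetReports", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::budget-reports",
                                "arn:aws:s3:::budget-reports/*"]}],
})

if __name__ == "__main__":
    print(broad_statements(ADMIN_POLICY))   # two findings
    print(broad_statements(SCOPED_POLICY))  # no findings
```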
7. How companies can continue to strengthen their security maturity over time
It’s important to understand that security is never done. It’s a process that continues to mature and adapt over time to reflect changes in your infrastructure and business priorities. Also, security maturity is not the same for every company.
Startups are maniacally focused on development and growing as fast as possible. This can typically mean a higher tolerance for certain types of risk if it means a new product can get to market faster. Large legacy vendors, on the other hand, can have a much lower tolerance for introducing new risk to the environment but are hampered with a mountain of tech debt and all the inherent risk that brings.
8. Some of the common challenges that companies face as they shift to containers
Containers and serverless can lead to false security assumptions because all too often the people building these environments don’t fully understand the risks involved.
Containers are great when they’re deployed properly, but the ease of deployment can give developers a false sense of security. It’s important to remember that just because you don’t touch something doesn’t mean it doesn’t exist, and there can be a ton of risk deep inside a container orchestration platform if the building blocks weren’t deployed properly.
Some Final Advice . . .
At the end of the day an organization needs to develop a detailed understanding of its cloud environment, create an actionable roadmap to reduce risk, and explain this risk to the business.
If you’re interested in learning more about how Threat Stack can help address your security requirements, download a copy of our SOC Report for Q3, 2019, take a look at our SecOps Program℠, and feel free to sign up for a demo of the Threat Stack Cloud Security Platform®.