A survey of 300 IT professionals by Fugue, a cloud infrastructure security provider, reveals that most enterprises are vulnerable to security events caused by cloud misconfiguration, including data breaches and system downtime events.
From the report:
- Nine in ten have real concerns about security risks due to misconfiguration, and less than a third continuously monitor for them.
- Teams report a frequency of 50 or more misconfigurations each day, yet half of the teams only review alerts and remediate issues on a daily—or longer—timeframe, leading to dangerously long infrastructure vulnerability periods.
Of course, this report (like any vendor-sponsored report) is self-serving. But the message reflects something that I’m seeing a lot today in the real world—and it’s scaring the hell out of me.
Misconfiguration means that the public cloud server instances, such as storage and compute, are configured in such a way that they are vulnerable to breaches. For example, the National Security Agency recently had an embarrassing moment when someone was able to access secure documents from its Amazon S3 instance with just a browser. It was a classic example of misconfiguration, defeating the default configurations that are secure be default.
While this seems like a “duh, dummy” moment, the reality is that public cloud configuration is complex, takes specialized training, and if not done right means any security systems you layer on top of your cloud can’t stop hackers running away with your data.
So, what are you to do? Do these three things, in this order:
- Understand that configurations are part of security. It’s often not considered. Indeed, I’ve had to explain the importance of these 20 times to clients in the last six months, which means that they have not been practicing holistic security.
- Use a third-party security tool that can look at configurations constantly. That way, you are not dependent on what native cloud native is telling it; instead, it provides a constant independent check and alerts you when things are misconfigured.
- Engage outside security testers to ensure that everything is configured correctly. I’ve often found that these audits do find things that a client missed.
The complexities of cloud computing, and the chance of human error, will bite you in the butt. So don’t skimp on security planning before deployment nor on security validation after deployment.