To err is human, and that’s what hackers rely on

It’s understandable that you’ve made fighting ransomware your top cybersecurity priority for 2022. The number of successful ransomware attacks, which encrypt computers until victims pay attackers to unlock their data , increased last year. Ransomware payments reported by banks and other financial institutions (PDF) totaled $590 million for the first six months of 2021, surpassing $416 million for all of 2020.

When it comes to protecting your data center and endpoints (e.g. laptops and employee mobile devices), ransomware should be a priority. But when securing your cloud environments, don’t worry about ransomware, just misconfigurations that lead to devastating data breaches.

It’s a lesson companies like Twitch have learned the hard way in 2021. In the last year alone, 36% of companies have experienced a serious cloud security leak or breach due to misconfiguration of the cloud. cloud, according to the 2021 State of Cloud Security Report. Gartner expects that by 2023, at least 99% of cloud security failures will be customer fault, primarily in the form of misconfiguration of cloud resources.

These startling statistics should raise a few questions in the minds of all business leaders and security professionals: “What is misconfiguration of cloud resources?” and “How do we identify and eliminate misconfigurations?”

A new security paradigm

First, it’s essential to understand how cloud infrastructure is different from the data center. Developers and engineers build their own cloud infrastructure when they need it without requiring help from the data center team. They can continuously make and modify their own infrastructure decisions, including security-critical configurations. Every change creates the risk of a misconfiguration being left open to attack.

Cloud computing is driven by application programming interfaces (APIs) – the software “middlemen” that allow different applications to interact with each other. This eliminates the need for a fixed IT architecture in a centralized data center. It also means that you cannot apply the data center security model of creating an outward-facing barrier around the network perimeter to identify and block incoming attacks.

The control plane is the API surface that configures and operates the cloud. For example, you can use the control plane to create a container, modify a network route, and access data from databases or database snapshots (which are actually more popular among hackers than breaking into databases). live production data). Simply put, the API control plane is the (ever-growing) collection of APIs used to configure and operate the cloud.

Why the cloud can be immune to ransomware

The qualities that make cloud infrastructure so different from the on-premises data center are also what make it virtually impossible for hackers to launch successful ransomware attacks against your cloud systems.

The purpose of using ransomware is not to steal your data; this is to prevent you from accessing it until you pay the attacker. The cloud is built to extremely high standards to ensure that data is not corrupted and to ensure that data is accessible. The priority for all cloud platform providers like Amazon, Google and Microsoft is to ensure that your data is robust and resilient.

For example, Amazon Web Services’ S3 data storage service offers “11 9s” (99.999999999%) of reliability. Amazon stores your data in multiple physical data centers to provide redundancy. Your data remains easily accessible even if one or more Amazon sites go down. Creating that many copies negates the ransomware attacker’s ability to prevent you from accessing your data.

But in your data center, your resiliency and redundancy are probably much lower because it’s extremely expensive to try to replicate what cloud providers are offering by building private networks and multiple data centers.

That’s why cloud security is a function of design and architecture, not monitoring and intrusion detection. By the time you have detected something, the damage has long been done. One hundred percent of the time hackers attempt to find and exploit misconfigurations in order to gain access to control plane APIs.

Minor and Major configuration errors

Misconfiguration is anything that proves ineffective in stopping a hacker. These vary from individual misconfigurations, including small, simple things like leaving a dangerous port open or not patching a server, to major architectural issues.

Usually when you see large blast radius attacks like the 2021 Twitch breach that went through source code, trade secrets, and user data, the cause wasn’t just one thing was misconfigured. The system architecture design was deeply flawed, which is also considered a misconfiguration. That’s what another name for a bad setup is – naive or bad design.

The bad news: I guarantee your organization has both types of misconfigurations in your cloud environments. The good news: they are all 100% preventable.

The more you know

If you really want to know what’s going on with your cloud security posture, pay close attention to the news. Whenever you see reports of a new breach, ask your security team to prove that your cloud environments are not vulnerable to this type of breach.

Consider the breach suffered by Uber in 2016 after attackers discovered long-lived API keys residing in GitHub repositories. After this news broke, you would have asked for assurances that no API key – not one – older than a month is of potential value to hackers. If the security team can’t provide this, you’re vulnerable to an Uber-like breach.

This requires more than just going through checklists provided by your security solution providers. Checklists are reassuring. People like to tick boxes. But too often, this does little more than breed overconfidence among security personnel. And the checklist of things to look at to make sure there are no misconfigurations in your cloud resources would be very, very long.

Ninety percent of hacking is discovery, and over 90% of defense is knowledge. To gain knowledge, you must understand the threats. The only strategic way to do this is to use Policy as Code.

Policy as Code

When developers build apps in the cloud, they also build the app infrastructure instead of buying a stack of infrastructure and putting apps on it. The process of creating a cloud infrastructure is done with code, which means that developers own this process, which fundamentally changes the role of the security team.

In a world entirely defined by software, the role of security is that of the domain expert who imparts knowledge to the people who build things – the developers – to ensure that they are working in a secure environment. You can do this by using Policy as Code, which allows your team to express security and compliance policies in a programming language that an application can use to verify the correctness of configurations.

Policy as Code is designed to check other code and runtimes for unwanted conditions or things that shouldn’t be. It enables all cloud stakeholders to operate securely without any ambiguity or disagreement about what the rules are and how they should be applied at both ends of the software development lifecycle (SDLC).

Automate the correction of configuration errors

At the same time, Policy as Code automates the process of constantly finding and fixing misconfigurations. There are no other approaches that, in the long run, succeed at this because the problem space keeps growing. The number of cloud services keeps growing, the number of deployments you have and the amount of resources keep growing. And so you need to automate to save security professionals from spending their days manually monitoring misconfigurations and allow developers to write code in a flexible way that can be changed over time and can integrate new insights, such as the latest big data breach that made headlines.

To have a holistic answer, an answer that actually works and isn’t just a theater of security, you need to use Policy as Code during the development phase, in the continuous integration/delivery (CI/CD) pipeline. and in the runtime. And as you mature, these elements can then be institutionalized and integrated into your processes so that everything is automated.

What does success look like

Organizations that have effective cloud security programs in place share some characteristics that any business can emulate to strengthen their cloud security postures.

First, they deploy automated tools to gain constant situational awareness of what is happening in the cloud. After all, hackers also use automation so they can quickly find and identify misconfigurations. The company that still relies on manual processes and checklists gives the bad guys a significant advantage. Knowing the environment is key to securing cloud infrastructure.

Second, they prioritize prevention over passive monitoring and responding to possible intrusions and other suspicious activity. Today’s hacks are too fast and too hard to notice as they happen.

They also engage developers and engineers — the people who actually build these apps and systems — in the process by giving them tools, specifically, Policy as Code.

Finally, successful organizations quantify their ability to prevent hacks that may occur and use this data to improve their processes.

Architecting for Security: How Naïve Design Invites Cloud Breaches

In the short video below, I explain why knowing the configuration status of your cloud environment is the first step to preventing a breach. It starts with understanding how hackers exploit design flaws in your cloud architecture and how to fix them.

image credit: Frank-Peters/

Josh Stella is CEO of Fugue.

Previous Dark Souls 3 exploit could allow hackers to take over your entire computer
Next LittleBITS: iCloud delivery issues, Naples MUG, Howard Oakley