On the Search for the Holy Grail of Cloud Security
Updated: Oct 18, 2020
Let me know if you agree with this point of view. I would love to know how far people have already come on this quest for the grail.
What am I talking about here?
Issue Detection vs Prevention
Many people, especially amongst consultants this seems to be a pattern, advocate for the prevention of issues by having tightly controlled environments, security checks for your application code and in your infrastructure deployment pipelines.
That makes sense, as obviously I want to make sure that I don't even have any issues, right?
Yes, but it's not realistic.
There will always be a situation where someone has to do something that slips through the net of checks and reviews, or for whatever reason (e.g. less controlled development environment) they bypass those strict controls, and then suddenly there's a security hole introduced into your cloud environment. This happens much faster than many people like to admit or understand.
I want to make clear, I'm not necessarily talking about malicious intent. It's "easy" to deploy insecure cloud systems as Mark Wolfe for example calls out in this article here.
All those preventative measures I mentioned above are important, but they are not enough.
I.E. it's good to eat healthy, work out and follow an overall healthy lifestyle, but you also need to go and do your regular health checkups to detect any other issues.
If/when there is an insecure configuration your process (shameless plug for ARGOS) must be able to detect this and notify you close to real time whether it really is an issue or just a best practice violation.
Forgetting to tag or properly name a cloud resource is a best practice issue, not a security issue.
Total Prevention is a myth
Preventative measures are needed, but so are detection capabilities.
It's nice to think that total prevention is achievable, but unfortunately it's a myth. Weekly news of yet another breach due to a cloud misconfiguration is testament to this.
At ARGOS, via the CyRise accelerator programme, we talked to dozens of Australian CISOs across many different industries, from SMB to large enterprises and a majority of them worry about the risk that cloud misconfiguration carries with it.
What do they do about it?
Most say they believe they do "prevention" as well as they can via education, peer review and similar measures, but when it comes to detection they lack the proper tools to achieve the following:
real time scanning of their cloud environments for security issues introduced by misconfigurations
insights rather than information
means "show me the N most important security issues, a missing tag is not a security issue", don't drown me in alerts
support in fixing the issue, potentially automatically (remediation)
Do YOU see other requirements that are currently not met by the industry?
Will we ever find the Grail and be able to fully prevent issues from happening?
Do you work in an environment where detection is not a focus?
Let us know on Twitter.