"I hate cloud security." Part 1 of 3
April 29, 2020
"I hate cloud security."
Is this you?
I don’t think this is a particularly controversial or uncommon view of cloud security. But I do think if we try to understand why we hate it more than a Monday morning paper cut, we might learn a few things. So, come commiserate with me for a few minutes, and then we can cowboy-up together and go make our clouds safe for our developers, our clients, and our clients’ clients.
Why does cloud security deserve the hate?
Well, the cloud represents an almost perfect democratization of technology. ANYBODY can buy a cheap (or even free!) ticket to the cloud. There’s no test to pass, no skills to demonstrate, and no capital investment to make. In the cloud, everyone can be a server administrator, an app developer, a cloud native architect, or any other role they want to be. No constraints whatsoever! Sounds pretty good, maybe the ultimate version of technology freedom, right? It’s also freedom to misconfigure, freedom to expose data, and freedom to make all sorts of security mistakes and omissions. When you hand your toddler the keys to the minivan, you have to expect accidents. VMs vulnerable to compromise? Check. Data exposed to the public? You bet! Cloud-scalable data downloads for the bad guys – great!!
To make cloud services easy to buy and easy to use, and therefore popular, our favorite public cloud service providers themselves are also complicit in cloud-toddler endangerment. Cloud resources are often not secure by default, nor is it typically easy to understand what needs to be done to secure them. Proper compliance enforcement costs extra – in tools, skills, time and attention.
Guess who budgeted and planned for that?
And let’s not forget the new services being added every day. What data does the new cloud native wonder-service expose? Is it another door into your enterprise? Does it put any of its cloud service brethren at additional risk? Most importantly, how do we hope to secure it if we don’t even know it exists? Ultimately, security in the cloud is difficult, hard to explain, often unplanned, and it’s not going to get simpler anytime soon.
Okay, enough hate for one post. Let’s talk about the steps to take so your cloud security efforts can be a little less painful.
Part 1 of 3 – Knowing Your Estate
It’s important to know your entire estate. Cloud provisioning is extremely frictionless, so anyone can do it with a credit card. It’s no good securing 95% of your EC2 instances – you need to know them all.
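The "know them all" step, as an added example that is not part of the post: enumerate every non-terminated EC2 instance in every region (paginating, since a single describe call caps its page size) and list the ones missing from the team's own inventory. The client factory and the fake EC2 stand-in are hypothetical; with boto3 the factory would be `lambda r: boto3.client("ec2", region_name=r)` and the region list would come from `describe_regions(AllRegions=True)`.

```python
def list_instances(make_client, regions):
    """Return {(region, instance_id): state} for every non-terminated instance.

    make_client(region) must return an EC2-like client exposing
    get_paginator("describe_instances"); injected so this runs offline.
    """
    found = {}
    for region in regions:
        ec2 = make_client(region)
        # Paginate: one plain describe_instances call truncates in busy regions.
        for page in ec2.get_paginator("describe_instances").paginate():
            for reservation in page["Reservations"]:
                for inst in reservation["Instances"]:
                    state = inst["State"]["Name"]
                    if state != "terminated":
                        found[(region, inst["InstanceId"])] = state
    return found


def untracked(found, known_ids):
    """Instance ids that exist in the account but not in the known inventory."""
    return sorted(iid for (_region, iid) in found if iid not in known_ids)


# --- constructed offline stand-in for the EC2 API (not real data) ---
FAKE_ACCOUNT = {
    "us-east-1": [("i-0aaa111", "running"), ("i-0bbb222", "stopped")],
    "eu-west-3": [("i-0ccc333", "running")],      # the region nobody checks
    "ap-south-1": [("i-0ddd444", "terminated")],  # gone; must not be reported
}


class _FakePaginator:
    def __init__(self, instances):
        self._instances = instances

    def paginate(self):
        # One instance per page so the pagination loop is actually exercised.
        for iid, state in self._instances:
            yield {"Reservations": [{"Instances": [
                {"InstanceId": iid, "State": {"Name": state}}]}]}


class _FakeEc2:
    def __init__(self, region):
        self._region = region

    def get_paginator(self, name):
        assert name == "describe_instances"
        return _FakePaginator(FAKE_ACCOUNT.get(self._region, []))


if __name__ == "__main__":
    inventory = list_instances(_FakeEc2, list(FAKE_ACCOUNT))
    print("untracked:", untracked(inventory, {"i-0aaa111", "i-0bbb222"}))
```

Run against a real account, the "untracked" list is exactly the 5% the post warns about: instances provisioned outside the process, often in a region the team never looks at.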
I discuss Step 2: Measuring Your Compliance, and Step 3: Cleaning Up to Prevent in upcoming posts ... stay tuned!