Security teams face new challenges when working in the cloud. Sync's VP and chief architect Josh Stella discusses how enterprises can use policy as code in order to scale up and improve cloud security in a complex environment rife with threat actors and rapid tech evolution.
Hackers have developed new tactics to adapt their strategies to the cloud's threat surface. It is crucial to fully understand the unique cloud environment of your organization and the threats it faces before you take any steps such as implementing new security products, or creating new security policies and procedures.
A New Security Threat Landscape
Before cloud computing, when on-premises data centers were king, there was clear separation of roles in enterprise IT. Developers created software applications, infrastructure teams provided the physical infrastructure, and security was responsible for certifying that everything was secure.
This old model was expensive and time-consuming. It required a complex budget process, large teams, months to create and secure complex networks. This model also created a lot more friction because security felt it was necessary to restrict developers' work and users’ behavior. They delayed deployments to validate security, and often interrupted the software development cycle to conduct security checks.
Although the cloud eliminates many of these tedious processes, it does come with a trade-off. A new security paradigm is created where developers are not responsible for the security of the environment in which they work. That's a good thing.
Because cloud infrastructure is software-defined, developers have full control over it. Developers can build the cloud infrastructure while they are also building the applications. This allows them to work independently and in their own time.
Cloud engineers and software developers use infrastructure as code (IaC), to create and modify cloud environments, and even set security-critical resource configurations. To create, update, destroy, or modify virtual machine instances, networks, or data stores, they use the cloud provider's application programming interfaces (APIs). Each time they make a change they increase the chance of creating a misconfiguration for bad actors.
All major cloud breaches have one thing in common: the attackers succeeded in their attempts to compromise the control plane of the cloud provider. This is the API surface that developers use to set up and operate their cloud environments. An attacker can gain access to the resource API keys to attack the control plane.
Cloud breaches are caused by attackers exploiting design flaws. Cloud security requires that you gain and apply knowledge about how to effectively mitigate these flaws.
Attackers are A Step Ahead
Here is a description of a successful cloud attack. An attacker using automation tools scans the internet searching for vulnerabilities to exploit. This could be cloud misconfigurations or app vulnerabilities. They get a "shopping list" of targets from which to choose. An attacker used to choose their target, then go on a relentless search for vulnerabilities to exploit. A vulnerability in the cloud can make an attacker a target.
Traditional security tools are not sufficient to protect the cloud, as cloud exploits rarely traverse traditional networks security teams can monitor with network monitoring and intrusion detection tools.
Security is often focused on finding resource misconfigurations that attackers could exploit to gain access to an environment. This means that they must get it right 100% of the time. Attackers only need to be lucky once. They will, so teams must ask "What happens if they get slipped through?"
Security’s Changing Role
It is impossible to fix all the misconfigurations in an enterprise's cloud environment. Cloud security teams have made it a priority to fix misconfigurations in enterprise cloud environments. However, attackers can also use them to compromise control.
Forward-thinking companies embrace DevSecOps and empower developers to secure applications and infrastructure before deployment. A security team should begin to arm themselves with policy as code (PaC) before they can move on. It allows developers to use programming languages in order to create compliance and security rules that enable applications to verify configurations throughout the software development cycle (SDLC).
A Cloud Security Imperative
PAC also eliminates ambiguity, disagreements, and translations. It unites all stakeholders under one source of truth about cloud security policy. This allows everyone to move faster and more securely. Security teams can share their knowledge with the rest of the company and ensure that policies are applied consistently, enforced, and reported on.
Open Source PAC Offers Many Benefits
PAC allows the security vendor as well as the customer to create whatever they need over time just like any other code-writing process. Open-source PaC options can be used to address cloud security needs today and can be integrated into existing security products and toolchains.
Security solution vendors love to lock you in their ecosystems. They do this by requiring that all code that you write must use their PaC languages (although that's not always true PaC). Even if you are unhappy with them, it's unlikely that you will leave. All your work was written in a language that is not compatible with their solutions.
Accept the opposite mindset. A code that is valuable to you and not your vendors should be written. Your PaC should not be a boat anchor that binds you to a vendor. This is why it is so important to use an open-source platform.
Developers are often in the best position (and most times the only ones) to protect their code before deployment, keep it secure while running and understand where to fix the code. They are also humans and can make mistakes. Developers work in an environment of constant experimentation. PaC reduces human error significantly by automating the process of finding and catching errors before they become dangerous.