Cloud Misconfigurations Are Not Cloud Vulnerabilities. Stop Treating Them That Way.

Originally published by Secberus.

Written by Fausto Lendeborg.

As organizations increasingly move data to the cloud, they face some rather big security challenges. We all realize whenever we migrate data to the cloud, adding additional data sources or creating new cloud applications, there is risk. Two of the most common security risks are cloud workload misconfiguration and cloud application vulnerabilities.

It’s imperative to understand that misconfigurations and vulnerabilities are two distinct risks. And they have unique needs when it comes to remediation.

Cloud Workload Misconfigurations

Cloud workload misconfiguration refers to errors in the way cloud workloads, such as virtual machines, containers, and applications, are configured and managed in a cloud environment. Misconfigurations can occur at various levels, from network and storage configurations to access controls and authentication mechanisms. Cloud workload misconfigurations can occur due to a variety of reasons, including human error, miscommunication between teams, lack of expertise, and reliance on default settings.

A common example of a cloud workload misconfiguration would be if a DevOps engineer is creating a new application utilizing AWS resources. He or she spins an EC2 instance and puts it behind a VPC firewall and then stores the data in a DynamoDB, an AWS database resource. Every resource is a chance for misconfiguration: the database could be public; there could be open API access to the server, or a port to a firewall that is not allowed.

Let’s say one, or all three, of these misconfigurations become a reality. In order to address them you need both DevOps and Cloud Security Engineers/Architects. DevOps are responsible for the day-to-day monitoring and remediation of risk. Cloud Security Engineers/Architects are responsible for the overall expertise, guidance and implementation of a proactive, business-first risk strategy (i.e. a policy-first approach).

Organizations typically rely on DevOps teams to manage and maintain cloud workloads. DevOps teams use various tools and techniques to automate the deployment and configuration of cloud workloads, such as Infrastructure as Code (IaC). IaC allows DevOps teams to define and deploy cloud resources programmatically. IaC, as well as any cloud apps, need continuous adaptable monitoring and testing to detect and remediate any misconfigurations that may arise. Ideally, DevOps benefit from a continuous monitoring and detection assessment (also known as CARTA) already integrated into the security best practices by Cloud Security Engineers.

Cloud Security Engineers/Architects have the responsibility of addressing cloud workload misconfiguration risks by providing guidance, expertise and implementation of security best practices that are most relevant to the business and, hopefully, have the ability to scale across business units, cloud environments and DevOps teams. One of the biggest responsibilities for this role includes reviewing configurations and policies, as well as conducting security assessments and audits.

Cloud Application Vulnerabilities

The other big challenge with security when moving to the cloud are cloud application vulnerabilities. These refer to weaknesses or flaws in cloud applications that can be exploited by attackers to compromise the confidentiality, integrity, and availability of data and systems. These vulnerabilities can be introduced at various stages of the software development lifecycle, such as design, coding, testing, and deployment.

To address cloud application vulnerability risks, organizations typically rely on Security Engineers/Architects and application development teams. Again, security engineers are responsible for identifying and assessing security risks and vulnerabilities in an organization’s systems and applications, and developing a plan to remediate them. Application development teams are responsible for designing, coding, testing, and deploying cloud applications that are secure and free from vulnerabilities. In other words, Security Engineers ideally enable Application Developers to move with confidence and speed. A tall task.

Working with confidence takes collaboration and trust. Yes, Cloud Security Architects need to work closely with application development teams to provide guidance and expertise on security best practices, review code and architecture, and conduct security assessments and audits. They may also work with cloud service providers to ensure that the underlying infrastructure and platform are secure and compliant with security standards. And that’s a good start.

While the remediation process for these two risks may be different, an organization’s cloud security strategy should come from the Cloud Security Engineers/Architects. And it should reflect a business-first, policy-first approach. Also collaboration, trust and empowerment should be at the core of any security practice. It is crucial for organizations to help all teams work together to maintain a secure and compliant cloud environment. By doing so, organizations can protect their cloud-based assets and maintain the trust of their customers and stakeholders.