The Cloud is burning - brightly!
Current state of security reports looking at Cloud environments.


Hi Everyone,

Today I want to highlight an urgently alarming topic that we can see in the recent State of Cloud and Cyber Security reports. (especially the ones based on data)

In short, the number and severity of findings and incidents are growing like hell, the number of assets is exponentially growing, and the complexity of IT Architecture is exploding in parallel.

One report I want to highlight is the most recent one from JupiterOne "State of Cyber Assets Report 2023". (You can find references to more reports at the bottom of the article.)

In this report, you will find the following chart, showing the asset and findings growth rates:

The growth rates are impressive.

Check the percent changes. These growth rates are ridiculous!

Also, this report demonstrated that 96.1% of security findings are linked to cloud hosts and images.

But how could we reach this state, and why did we end up here?

What happened?

The first thing that arrived with every CSP was growth in complexity itself, followed by several more mistakes we made in parallel.

So, let us run through the reasons in detail:

  • With every CSP came another attack surface, a new configuration layer, another credential sync, and one more (hopefully) role-based identity system that, unfortunately, someone did not set up properly.

Who managed the standards and the policies for these? Maybe your DevOps teams, who all of a sudden are happy to be part-time security specialists?

  • This brought new assets to the table, including new users and service accounts.

Who took care of these? Did you have a guideline or a policy implemented?

  • By moving to the Cloud, all teams were empowered to build and grow their own resources without asking central teams anymore. DevOps for the win. No one asked the teams to take care of orphaned resources properly, and all of this ended in an exponential increase of Cloud assets and misconfigurations.

Did you have a hardening guide to harden your cloud hosts or images like we have already been doing for centuries? Or did you just hope that the teams will take care of it by themselves?

  • In many environments, the product teams had generous rights to manage their own "projects/subscriptions" and the included resources.

Did you provide standards or default configurations that the teams could reuse, or did you hope that all teams would be equally able to manage their environments well without any guidance?

  • Security teams got overwhelmed. Due to the lack of a proper Cloud Operating Model, incident response and security processes also lacked maturity. Teams started fighting with each other instead of helping and supporting each other. The lack of clear responsibilities ended in massive vulnerability fatigue. (there are so many vulnerabilities and misconfigurations that no one will be able to fix all of them, and not many feel responsible)

How did you address Cyber Security and Cyber Resilience in the Cloud? Did you just ignore everything you have been doing on-premises in the past decades? Did you think about incident processes and responsibilities? Who is accountable, and who reviews the KPIs?

  • And all of this brought us here today, where we can see strikingly high numbers of configuration mistakes and many other kinds of findings in Cloud environments.

The current situation is bad.


But it does not need to be.

Managing resources in the Cloud is, in fact, technically much easier and better to handle, with almost no blind spots. There is only one simple requirement to make this statement true: you need to make use of automation and policies.

Managing resources in the Cloud is, in fact, easier to handle.

So, how can we address it?

  • Organization Structure - First, we require a proper org structure that enables all teams, empowers reusability, and ensures compliance and basic security at the team layer. Typical topics here should be a Platform Engineering team, other "Enabling Teams," a Cloud Center of Excellence, DevSecOps, SRE, and some more. One urgently important topic will be the definition of the interfaces between the teams, their responsibilities, and whether everyone has a common understanding.
  • Governance - Second, you will need to define a Cloud Operating Model, which also includes the governance picture. Check here for a detailed article. A large topic will be the processes area.
  • Standardization and Reusability - One topic which should already be included in your Governance view is standardization and reusability. Still, I want to expressly highlight this one, as there is not much need for full-blown complexity, and we see issues here very often. E.g., why allow each product team to build and harden its own Kubernetes cluster if you could provide a standardized template or an API for that?
  • Automation & Policies - In the Cloud, you have to work with automation, as there is no way to manage the exponential growth of Cloud assets without it. One layer of automation is the use of policies to ensure compliance and security by design, but also to prevent mistakes. Another one is IaC and shifting left, obviously. But that alone will not yet fix everything!
  • Swarm Intelligence - And last, you will need to set up a swarm intelligence to use your central knowledge and scale it throughout the company. Your teams need to work together and need to understand that security is a shared responsibility and needs dedicated prioritization. I have written a detailed article here.
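To make the "automation and policies" point above concrete, here is an added example that is not part of the original article or the author's tooling. It evaluates a constructed asset inventory against a few declarative policies (public exposure, missing owner tag for orphaned-resource detection, hardening baseline, patch age) and groups the findings by the owning team, so that each finding has a responsible party instead of feeding one central backlog nobody owns. The `Asset` schema, the policy thresholds, the inventory records and the date are all assumptions made for this example, not the export format of any real CSP or asset-inventory tool.

```python
"""Policy-as-code over a constructed cloud asset inventory (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Asset:
    """Minimal asset record. The schema is an assumption for this example,
    not the export format of any real CSP or asset inventory tool."""
    asset_id: str
    kind: str                                  # "host" | "image" | "bucket"
    tags: Dict[str, str] = field(default_factory=dict)
    public: bool = False                       # reachable from the internet
    last_patched: Optional[date] = None        # None = never patched / unknown
    hardening_baseline: Optional[str] = None   # e.g. "cis-l1"; None = not hardened


@dataclass
class Policy:
    name: str
    severity: str                              # "high" | "medium" | "low"
    applies_to: Tuple[str, ...]                # asset kinds the policy covers
    violates: Callable[[Asset, date], bool]    # True when the asset breaks the rule
    remediation: str


MAX_PATCH_AGE_DAYS = 30  # assumed patch cadence for hosts and images

# Policies express the standards the article asks for: no unreviewed public
# exposure, an owner for every asset, a hardening baseline, and a patch cadence.
POLICIES: List[Policy] = [
    Policy("no-public-exposure", "high", ("host", "bucket"),
           lambda a, today: a.public,
           "remove public access or expose only through an approved gateway"),
    Policy("owner-tag-required", "medium", ("host", "image", "bucket"),
           lambda a, today: "owner" not in a.tags,
           "tag with the owning team; untagged assets are treated as orphaned"),
    Policy("hardening-baseline-applied", "high", ("host", "image"),
           lambda a, today: a.hardening_baseline is None,
           "rebuild from the standard hardened template"),
    Policy("patched-within-30d", "medium", ("host", "image"),
           lambda a, today: a.last_patched is None
           or (today - a.last_patched).days > MAX_PATCH_AGE_DAYS,
           "patch, or rebuild from a freshly built image"),
]

# Constructed inventory and "as of" date for the example run.
TODAY = date(2023, 6, 1)
INVENTORY: List[Asset] = [
    Asset("web-host-01", "host", {"owner": "team-web"}, public=True,
          last_patched=date(2023, 5, 20), hardening_baseline="cis-l1"),
    Asset("img-base-legacy", "image", {}, last_patched=date(2023, 1, 10)),
    Asset("logs-bucket", "bucket", {"owner": "team-data"}, public=True),
    Asset("db-host-02", "host", {"owner": "team-data"},
          last_patched=date(2023, 5, 25), hardening_baseline="cis-l1"),
    Asset("test-vm-old", "host", {}, hardening_baseline="cis-l1"),
]


def evaluate(assets: List[Asset], policies: List[Policy],
             today: date = TODAY) -> List[dict]:
    """Return one finding per (asset, violated policy) pair."""
    findings = []
    for asset in assets:
        for policy in policies:
            if asset.kind in policy.applies_to and policy.violates(asset, today):
                findings.append({
                    "asset": asset.asset_id,
                    "owner": asset.tags.get("owner", "UNASSIGNED"),
                    "policy": policy.name,
                    "severity": policy.severity,
                    "remediation": policy.remediation,
                })
    return findings


def group_by_owner(findings: List[dict]) -> Dict[str, List[dict]]:
    """Route findings to the team that can fix them. UNASSIGNED is the
    orphaned-resource backlog that needs an owner before anything else."""
    grouped: Dict[str, List[dict]] = defaultdict(list)
    for f in findings:
        grouped[f["owner"]].append(f)
    return dict(grouped)


def severity_counts(findings: List[dict]) -> Dict[str, int]:
    """Totals per severity, the number a central team would track as a KPI."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = evaluate(INVENTORY, POLICIES)
    print("totals by severity:", severity_counts(results))
    for owner, items in sorted(group_by_owner(results).items()):
        print(f"\n{owner}: {len(items)} finding(s)")
        for f in items:
            print(f"  [{f['severity']}] {f['asset']}: {f['policy']} -> {f['remediation']}")
```

On the constructed inventory, five of the seven findings land in the UNASSIGNED group: that is exactly the orphaned-resource and "nobody feels responsible" situation described above, and the first remediation is to assign an owner rather than to start patching. In practice the policy list would be checked in from IaC, and the same checks would run both before deployment (shift left) and against the live inventory, since drift after deployment is what the reports above are counting.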

Please start growing your IT Maturity and make use of automation.

Final Words

By now, many of you should directly know (and feel) what I am speaking about. If not, it is very likely that your teams have been silently fighting and suffering these challenges, and you should have a look at the data. (if available)

To properly address this challenge, you will require top-management involvement. The reason is that you may need to modify your org structure, establish the holistic governance and the underlying operating model, grow the right culture, and reuse and share knowledge, standards, and templates. Especially the topic of swarm intelligence will rarely work in a siloed, distributed approach.

Doing so will help you address this issue, grow your IT maturity, and move to higher automation and cloud-native / cloud-enabled architectures, finally providing IT Value. You will not only address security concerns and reduce your risk but also be able to operate better. (which will also save you costs)

Recap

  • IT complexity is growing.
  • The number of assets is increasing exponentially.
  • Clouds are burning.
  • Teams, especially security teams, are overwhelmed.
  • This needs a holistic plan and implementation, focusing on Maturity growth.
  • Automation and Policies are key, but Culture is even more important.

Let us create professional environments again and learn from the past.

Let me know your feedback! Do you think differently? Did I miss something, or are there other recommendations you would like to add to help the audience? Add your comments!


References

  • State of Cyber Assets Report 2023 here
  • The State of Cloud-Native Security Report 2023 - by Palo here
  • 2023 Cloud Security Report by Fortinet here
  • The State of Cloud Security Report 2022 - by Snyk here
  • Many more State of Cloud reports can be found here


Best,

David das Neves, CEO, shiftavenue

P. Raquel B.

Senior Cybersecurity Engineer | Global Speaker


Great article, I agree with the take on roles and responsibilities, overall, cloud security is a complex and ongoing challenge, and it's important for organizations to stay vigilant and proactive in their approach to protecting their data and systems in the cloud. And not transfer the same untreated vulnerabilities to a new realm. To address this issue, it's crucial for organizations to prioritize cloud security and implement a comprehensive security strategy that includes strong authentication and access controls, regular vulnerability assessments and penetration testing, encryption of sensitive data, and continuous monitoring and threat detection.

Eby Kuriakose

Situational Leadership | Innovations using AI at Scale | Technical Advisor


As an AWS SA (Solutions Architect), I begin this conversation with Landing Zone, Guardrails (detective & preventive conformance packs), COE (Center of Excellence), etc. Although the Cloud Journey for every enterprise is unique, it is advised to customers to do a CAF (Cloud Adoption Framework) assessment, thereby helping every customer to think the right way. More to read... How to think/plan about succeeding in cloud transformations (prepare)? https://docs.aws.amazon.com/whitepapers/latest/overview-aws-cloud-adoption-framework/your-cloud-transformation-journey.html How to measure the success of cloud transformation (measure)? https://aws.amazon.com/blogs/enterprise-strategy/measuring-the-success-of-your-transformation/

David Koenig

Creating software is more craftsmanship than engineering.


The same as always: Actually, everything is completely obvious. But knocking that into the children's brains of some managers.... In the end, we need to get back to a world in IT where managers are also professional gurus, not learned managers releasing vacation requests and clicking around in Excel all day. Just as it is in many engineering professions. <sarcasm> But IT is not that complex either </sarcasm>.
