Securing the Cloud #21

Introduction to the 21st Edition of Securing the Cloud Newsletter

Welcome to the 21st edition of the Securing the Cloud Newsletter, your trusted source for insights and guidance in the realm of cloud security. In this edition, we delve into the critical issue of Configuration Drift, a common challenge that can undermine the security and efficiency of your cloud environment if left unchecked. Additionally, we address a topic of universal relevance: the importance of steering clear of shortcuts in your professional journey. While the path to success may be fraught with temptations to cut corners, we outline why steadfastness and integrity are paramount in your career progression. Lastly, we talk about a scientific approach to learning, particularly in certifications and continuous skill development. Join us as we explore these three areas (Cloud Security Best Practices and Tips, Career Advice, and Learning and Certification Tips) to bolster your knowledge, skills, and career in cloud security.

Cloud Security Best Practices and Tips

This week I had the pleasure of delivering a session for some internal training at AWS. The session was called Developer Mindset: Embracing GitOps for Network Security and Compliance. As you know, we've been talking about GitOps for several weeks now. Configuration Drift is one of the problems we discuss. What is configuration drift? Why is configuration drift a problem? How does embracing GitOps solve the configuration drift problem? Let's explore the answers to these questions.

What is configuration drift?

Configuration drift refers to the phenomenon where the actual state of a system's configuration diverges over time from its intended or documented state. This can occur due to various factors, including manual changes not tracked or documented, automated processes that alter configurations without record, or differences in environment settings between development, testing, and production. This drift leads to environments that are no longer consistent, undermining the predictability and reliability of infrastructure and applications.

Why is configuration drift a problem?

Configuration drift poses several significant issues:

1. Increases Security Risks: Untracked changes can open up vulnerabilities in the system. Deviations from the intended security model increase the exposure of the system to potential breaches or attacks, as these alterations might bypass established security controls or introduce new weaknesses.

2. Complicates Compliance: It becomes challenging to prove compliance with regulatory standards when the actual environment does not match the documented configurations. This misalignment can lead to legal and financial penalties for failing to adhere to industry regulations and standards.

3. Hampers Troubleshooting and Recovery: If the current state of the environment is unknown, diagnosing problems becomes more difficult. Disaster recovery efforts may be based on outdated information, leading to longer recovery times and potential failure to restore services to their proper state.

4. Leads to Inefficiencies: Resources are wasted troubleshooting or applying redundant configurations due to the unclear state of the environment. This results in inefficient use of time and effort, diverting attention from more productive tasks.

5. Affects Reliability and Performance: The unpredictability introduced by drift can impact service reliability and application performance, leading to system outages or degraded user experiences. These inconsistencies can undermine the stability of the entire system.

How does embracing GitOps solve the configuration drift problem?

GitOps is a set of practices that uses Git as a single source of truth for declarative infrastructure and applications. By embracing GitOps, organizations can address configuration drift in several ways:

1. Automated Synchronization: GitOps tools automatically apply the desired state from the Git repository to the environment. This continuous reconciliation ensures that the actual state is always aligned with the intended state documented in Git, thus preventing drift.

2. Version Control and Auditing: Changes to the infrastructure are made through Git commits, which means every change is versioned, tracked, and auditable. This makes it easier to roll back changes, understand the history of modifications, and maintain compliance with regulatory standards.

3. Consistency Across Environments: By using the same Git repository as the source for all environments (development, testing, production), GitOps ensures consistency across the entire deployment pipeline. This reduces the likelihood of errors due to environment discrepancies and ensures that security and compliance configurations are uniformly applied.

4. Improved Security and Compliance: With GitOps, all changes are reviewed through merge requests, enhancing security posture and compliance by ensuring that every change is examined, documented, and approved before implementation.

5. Streamlined Troubleshooting and Recovery: Since the desired state is stored in Git, it's easier to diagnose issues and recover from incidents. The environment can quickly be restored to a known good state, reducing downtime and mitigating the impact of drift.

So with all that in mind, what can you use in AWS to manage configuration drift? Let's assume we are using Terraform. In the build stage, you use AWS CodeBuild to execute your tests, and this would be a good place for drift detection to be done. First, the Terraform plan should show any drift from your desired state. Note, however, that terraform plan only reports drift in resources Terraform already manages; it cannot see resources that were created outside of Terraform, and that is where a dedicated tool such as Driftctl helps.

Using Driftctl

Driftctl compares your Terraform state files against the actual cloud environment configurations, aiding in identifying discrepancies caused by external modifications or overlooked changes. It's tailored for AWS but is expanding to support other cloud providers. This tool seamlessly integrates into your existing DevOps pipeline, providing a layer of visibility crucial for maintaining the integrity and security of your infrastructure.
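To make that comparison concrete, here is a small added Python example, written for this newsletter and not driftctl's own code, that does in miniature what the paragraph describes: it flattens a Terraform state document into the desired state, compares it with a live inventory of the account, and classifies every resource as managed, changed, missing, or unmanaged, which is roughly the breakdown a driftctl scan reports. The state document, the live inventory, the ingress_ports attribute, and the ci_exit_code gate are all constructed assumptions of the example rather than anything taken from the driftctl documentation.

```python
"""Drift detector in miniature: compare a Terraform state document with a live
inventory of cloud resources and classify every resource.

Added example for this newsletter, not driftctl's own code. The state document
and the live inventory are constructed sample data; in a real pipeline the
state comes from your tfstate backend and the inventory from the provider API.
"""
import json

# Constructed Terraform state (version 4 layout) describing three security
# groups. Only the attributes needed for the example are included.
TFSTATE_JSON = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_security_group", "name": "web",
         "instances": [{"attributes": {"id": "sg-0aaa111", "ingress_ports": [443]}}]},
        {"type": "aws_security_group", "name": "db",
         "instances": [{"attributes": {"id": "sg-0bbb222", "ingress_ports": [5432]}}]},
        {"type": "aws_security_group", "name": "app",
         "instances": [{"attributes": {"id": "sg-0ddd444", "ingress_ports": [8080]}}]},
    ],
})

# Constructed live inventory, keyed by resource type and then resource id:
#  - sg-0aaa111 gained port 22 by hand            -> changed
#  - sg-0bbb222 was deleted outside of Terraform  -> missing
#  - sg-0ccc333 was created outside of Terraform  -> unmanaged
#  - sg-0ddd444 matches the state                 -> managed
LIVE_INVENTORY = {
    "aws_security_group": {
        "sg-0aaa111": {"ingress_ports": [22, 443]},
        "sg-0ccc333": {"ingress_ports": [3389]},
        "sg-0ddd444": {"ingress_ports": [8080]},
    }
}

# Attributes whose live value must match the state (an assumption of the
# example; real tools compare the full provider schema).
TRACKED_ATTRIBUTES = ("ingress_ports",)


def desired_state(tfstate_json):
    """Flatten a Terraform state document into {type: {id: attributes}}."""
    state = json.loads(tfstate_json)
    desired = {}
    for resource in state.get("resources", []):
        for instance in resource.get("instances", []):
            attrs = instance["attributes"]
            desired.setdefault(resource["type"], {})[attrs["id"]] = attrs
    return desired


def _normalize(value):
    """Order-insensitive comparison for list-valued attributes."""
    return sorted(value) if isinstance(value, list) else value


def detect_drift(desired, live, tracked=TRACKED_ATTRIBUTES):
    """Return a report with managed, changed, missing and unmanaged resources."""
    report = {"managed": [], "changed": {}, "missing": [], "unmanaged": []}
    for rtype in sorted(set(desired) | set(live)):
        want = desired.get(rtype, {})
        have = live.get(rtype, {})
        for rid in sorted(set(want) | set(have)):
            key = f"{rtype}.{rid}"
            if rid not in have:
                report["missing"].append(key)          # in Git, gone from the cloud
            elif rid not in want:
                report["unmanaged"].append(key)        # in the cloud, unknown to Git
            else:
                diffs = {
                    attr: (want[rid].get(attr), have[rid].get(attr))
                    for attr in tracked
                    if _normalize(want[rid].get(attr)) != _normalize(have[rid].get(attr))
                }
                if diffs:
                    report["changed"][key] = diffs     # same resource, different config
                else:
                    report["managed"].append(key)
    return report


def ci_exit_code(report):
    """Pipeline gate: 0 only when every resource is managed and unchanged."""
    drifted = report["changed"] or report["missing"] or report["unmanaged"]
    return 1 if drifted else 0


if __name__ == "__main__":
    drift_report = detect_drift(desired_state(TFSTATE_JSON), LIVE_INVENTORY)
    print(json.dumps(drift_report, indent=2))
    raise SystemExit(ci_exit_code(drift_report))
```

Run as a script it prints the report and exits non-zero whenever anything other than managed, unchanged resources turns up, which is the behaviour you want from a drift step in CodeBuild: a green build means the account matches what is in Git. The missing and unmanaged buckets are the ones terraform plan alone cannot give you, because plan only reasons about resources already in the state file.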

Configuring driftctl within your AWS pipeline involves incorporating it into your CI/CD process, typically after your Terraform plan or apply steps. For example, after deploying changes via Terraform, you can add a driftctl scan step in your AWS CodeBuild project to assess and report any drift from your intended infrastructure state. Here’s a simplistic approach:

version: 0.2          # CodeBuild requires a buildspec version; 0.2 is the current one
phases:
  install:
    commands:
      # Fetch the driftctl binary and put it on the PATH
      - wget https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_linux_amd64
      - chmod +x driftctl_linux_amd64 && mv driftctl_linux_amd64 /usr/local/bin/driftctl
  build:
    commands:
      # terraform plan shows drift in the resources Terraform manages
      - terraform init && terraform plan
      # driftctl compares the state file with the live account and exits non-zero
      # when it finds drift, which fails this phase
      - driftctl scan --from tfstate://path/to/your/terraform.tfstate

Pros of incorporating driftctl include enhanced visibility into infrastructure state, detection of unmanaged resources, and support for multiple Terraform state files, contributing significantly to governance, risk management, and compliance efforts. However, the tool does have its limitations: it may exhibit longer scan times in deep mode, encounter API throttling due to extensive cloud provider API calls, and currently supports a limited subset of Terraform resources. Nonetheless, driftctl offers a promising solution for teams aiming to bolster their cloud infrastructure's reliability and security. I recommend trying it for yourself and seeing how it works in your specific environment.

For detailed configuration and advanced options, refer to the [official driftctl documentation](https://docs.driftctl.com/).

Career Advice

Switching gears from the nuts and bolts of cloud security, let’s talk about a different kind of best practice – the ones that apply to your career. It’s tempting, right? Finding those little loopholes, those shortcuts that seem like they’re going to jet-propel our careers forward. But here's the thing: they don't work. Not in the long run. Let's talk real talk – about why cutting corners isn't just bad form, it's career sabotage.

Now, a story from back in the day at GTE. There was this guy I worked with – let's call him John. John figured out that if he got certified, he’d get a bonus and maybe even a raise. But instead of hitting the books, he took a wild shortcut. He’d sneak in late, lift certifications right off other folks’ desks, scan them, and slap his name on them. Talk about guts, right? He went from a CCNA to a CCNP, then claimed he was a CCIE – all in two months. Sounds fishy? Absolutely.

But here’s where it gets good: One of our real CCIEs caught him in a chat. Asked him if he'd struggled with OSPF TCP issues in the lab – a trick question because OSPF doesn’t use TCP. And John? He bit – said yeah, he’d had a tough time but got through it. That was the red flag. It didn’t take long for the whole scam to unravel after that. Turned out, he didn’t just have fake Cisco certs; he was stockpiling other people's degrees too. Long story short, John got the boot.

Shortcuts don't pay off. Just ask John!

This isn’t just about not cheating or lying – it’s about the long game. Shortcuts might look shiny, but they’re mirages. They vanish when reality hits. And in tech, just like in life, reality always has a way of catching up. So, let's build careers on what's real: hard work, real skills, and, yeah, real certifications earned the right way. It’s slower, sure, but it’s solid ground. And in this industry, that’s what keeps you standing when the winds pick up.

Learning and Certification Tips

Make it Stick - Worth the read!


In this month's newsletter, I want to share some effective strategies for cloud certification studies, inspired by the renowned book Make It Stick: The Science of Successful Learning by Peter C. Brown. To enhance your learning, engage actively with the material through regular self-testing and utilize spaced repetition to improve long-term retention. Combine different study topics in each session and try to explain concepts in your own words to deepen your understanding. Incorporate practical examples into your study to bridge the gap between theory and practice, and don't forget to reflect regularly on your progress and adjust your methods accordingly.

Most importantly, embrace the difficulties you encounter during your studies. Making mistakes is a crucial part of the learning process, as it provides valuable feedback and aids in cementing your understanding of complex subjects. Correcting these mistakes not only strengthens memory but also leads to a deeper grasp of cloud computing concepts. These strategies, grounded in scientific research, will not only prepare you for your certification exams but also enhance your overall learning experience. For further insights into effective learning techniques, I highly recommend adding Make It Stick: The Science of Successful Learning to your reading list.

Conclusion

In conclusion, this 21st edition of the Securing the Cloud Newsletter has taken us on a comprehensive journey through the critical aspects of cloud security, career development, and effective learning strategies. We started by delving into the pervasive issue of Configuration Drift, highlighting its consequences and providing solutions through the adoption of GitOps principles. Through real-world examples and practical advice, we've seen how tools like Driftctl can be instrumental in maintaining the integrity and security of cloud infrastructures.

In our career advice section, we underscored the dangers of taking shortcuts and the importance of building a career founded on integrity, hard work, and genuine skill development. The cautionary tale of John serves as a stark reminder that while the path of least resistance may seem appealing, it ultimately leads to professional and ethical downfall.

Lastly, we discussed effective learning and certification strategies, emphasizing the value of active engagement with study materials, embracing challenges, and the continuous pursuit of knowledge. By adopting these strategies, you can enhance your understanding, retention, and application of cloud security principles, thereby advancing your career and contributing to a safer cloud ecosystem.

Thank you for joining us for this edition. We hope the insights provided will inspire you to adopt best practices in cloud security, pursue your professional development with honesty and dedication, and approach your studies with a scientifically backed methodology. Remember, the journey to securing the cloud is ongoing, and your commitment to growth and learning is key to navigating it successfully. We look forward to continuing this journey with you in our future editions. Happy Labbing!
