The Capital One breach last year was significant on multiple fronts. A trusted financial services brand on a leading cloud IaaS environment was easily breached, to the tune of 10M records compromised. I discovered Cloudneeti in January after I heard about their ability to enable DevSecOps operating models. I asked CEO and cloud veteran Gururaj Pandurangi for his thoughts on the breach:
Q) Last year’s Capital One breach exposed a massive trove of sensitive data. How could one of the world’s most trusted financial service companies operating on one of the most secure cloud infrastructures get breached to such an extent?

[Gururaj] The Capital One breach was a combination of missteps. The most significant factor was a former AWS employee who knew how to abuse AWS privileges and some misconfigurations. There were some minor IaaS issues, and I’ve heard that the provider has promised to fix them. It should be noted that almost every major company will face a combination of these elements in some shape or form. Misconfigurations combined with insider threats are clearly the biggest risk. The lesson from these types of breaches is that enforcement, similarly, needs to evolve. Part of this is also a cultural issue and how tradeoffs between the need for speed and complex security/compliance policies and frameworks are resolved.
Q) Why are cloud security and compliance postures and frameworks so difficult to maintain, given the massive investments IaaS leaders have made in security?

[Gururaj] The cloud is allowing dev teams to accelerate their development cycles beyond anything possible for most traditional on-premises environments. Changes can be made faster than ever. New apps, new business units, increasing frequency of releases and new cloud features have all contributed to an increase in the pace of change. And the policies and frameworks themselves have hundreds if not thousands of configuration requirements. So higher rates of change, the very nature of cloud workloads operating in shared environments that are easily exposed to the Internet, combined with complex requirements, have substantially increased risk, even for companies investing heavily in best practices. We’ve seen scans of very well-run environments and the compliance framework scores were well under what was expected. Things had changed faster than their teams realized.
Q) What kinds of tools do cyber criminals use to exploit configuration errors and how commonplace are they? What levels of skills do they require?

[Gururaj] The good news is that the evolution of IaaS, PaaS, serverless and databases in the cloud is forcing cyber criminals to evolve, since their old tools aren’t as effective against these new environments. The cloud providers have made significant investments in OS and network enhancements, which have closed some of the frequent entry points. Today cyber criminals need to become cloud experts. And to some extent the increasing pace of change also makes many of their traditional tools obsolete.
Even more important are the SaaS tools emerging to help protect these more dynamic environments. For example, an entire new class of cloud security posture management (CSPM) solutions has emerged to automate compliance and security enforcement. Some are built for traditional SOC environments and others, like Cloudneeti, for DevSecOps models. Dev and security teams can operate at almost the same pace today, without the types of conflicts and tradeoffs required by traditional manual processes.
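To show what the "evaluate, then score against a framework" loop of a CSPM tool looks like in practice, here is an added illustration; it is not Cloudneeti's code, and the inventory, policy ids (NET-1, IAM-1, STO-1, STO-2) and framework mappings are constructed samples.

```python
# Added illustration of a CSPM-style posture scan over constructed sample data;
# not Cloudneeti's engine. Real tools run hundreds of policies against a live inventory.
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory for one cloud environment.
INVENTORY = [
    {"type": "security_group", "id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"type": "security_group", "id": "sg-admin", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "iam_role", "id": "app-role", "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::app-data/*"]},
    {"type": "iam_role", "id": "ops-role", "actions": ["*"], "resources": ["*"]},
    {"type": "bucket", "id": "app-data", "public": False, "encrypted": True},
    {"type": "bucket", "id": "exports", "public": True, "encrypted": True},
]
ADMIN_PORTS = {22, 3389}  # management ports that should never face the Internet

@dataclass(frozen=True)
class Policy:
    pid: str                       # hypothetical policy id
    resource_type: str
    check: Callable[[dict], bool]  # True when the resource is compliant
    frameworks: tuple              # frameworks that map to this control

def no_admin_ports_from_internet(sg: dict) -> bool:
    return not any(r["cidr"] == "0.0.0.0/0" and r["port"] in ADMIN_PORTS for r in sg["ingress"])

def no_wildcard_admin(role: dict) -> bool:
    # "*" on both actions and resources is the over-privileged pattern that
    # lets one misconfiguration or misused credential reach the whole account.
    return not ("*" in role["actions"] and "*" in role["resources"])

POLICIES = [
    Policy("NET-1", "security_group", no_admin_ports_from_internet, ("CIS", "PCI")),
    Policy("IAM-1", "iam_role", no_wildcard_admin, ("CIS",)),
    Policy("STO-1", "bucket", lambda b: not b["public"], ("CIS", "PCI", "HIPAA")),
    Policy("STO-2", "bucket", lambda b: b["encrypted"], ("PCI", "HIPAA")),
]

def scan(inventory: list, policies: list) -> list:
    """Evaluate each policy against every resource of its type -> (pid, rid, ok)."""
    return [(p.pid, r["id"], p.check(r)) for p in policies for r in inventory if r["type"] == p.resource_type]

def score(results: list, policies: list, framework: str) -> int:
    """Percent of applicable evaluations that pass for one compliance framework."""
    ids = {p.pid for p in policies if framework in p.frameworks}
    rel = [ok for pid, _, ok in results if pid in ids]
    return round(100 * sum(rel) / len(rel)) if rel else 100

def findings(results: list) -> list:
    return [(pid, rid) for pid, rid, ok in results if not ok]  # misconfigurations to fix first
```

Re-running `scan` on every configuration change is what turns this from a one-off audit into the continuous drift check described above: the score drops the moment a resource stops satisfying a policy.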
Thank you Gururaj! You can sign up for a 30-day free trial on Azure at www.cloudneeti.com. In minutes you can discover how well your cloud environment scores against more than 1,500 security policies and 13 compliance frameworks.
Is your company addressing the growing gaps between digitalized, dynamic infrastructures (cloud, SDN, SD-WAN, etc.) and outdated cultures and tools? Contact me and I may ask your CEO three questions.
*** This is a Security Bloggers Network syndicated blog from ARCHIMEDIUS authored by Greg Ness. Read the original post at: http://feedproxy.google.com/~r/Archimedius/~3/XCW3bFqfiV8/