Cloud computing represents the most profound IT shift in decades, helping organizations across industries to transform every aspect of how they do business. But the cloud turned security on its head, creating entire new categories of risks and challenges that are straining security teams beyond their capacity. Organizations face a hard choice: Slow the pace of innovation in an increasingly competitive environment to allow security teams to keep up, or hire more security engineers at a time of bidding wars that are driving their annual compensation into the stratosphere.
Security has become the primary rate-limiting factor for how fast teams can go in the cloud and how agile and efficient organizations can become. Manual security reviews and approval processes slow down the delivery of the cloud infrastructure that application teams need, and valuable engineering resources are being soaked up managing the sheer volume of cloud misconfiguration vulnerabilities that need to be reviewed, prioritized, and remediated.
But the nature of the cloud itself provides another approach to address cloud security — without the usual trade-offs. In this post, we’ll explore why cloud security automation that’s built on Open Policy Agent (OPA) — the open source standard for policy as code — can achieve what traditional security approaches cannot. And we’ll explore some examples of how OPA-based solutions such as Fugue can be applied to secure the entire development lifecycle for cloud infrastructure in a holistic way.
Why is it so hard to keep the cloud secure?
Cloud infrastructure is very different from data center infrastructure. How we build and manage cloud infrastructure is different. The attack surface is different. And the way hackers operate is different.
Cloud misconfiguration vulnerabilities represent the number one cause of cloud-based data leaks and breaches. According to Gartner, nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes. When we take a moment to better understand the nature of cloud misconfiguration risk, it becomes clear why cloud security built on an open source policy as code standard like OPA is essential to address the challenge — without trading away speed or efficiency.
In the data center, things changed slowly and in a highly controlled way. In the cloud, change is the only constant. In the cloud, developers are building their own infrastructure, rather than waiting around for a data center team to provide it to them. That means developers are making their own infrastructure decisions — including security-critical configurations — and then changing them constantly. Every change brings risk, so even if infrastructure is secure today, it may not be tomorrow.
In the cloud, what is changing is also different. The data center infrastructure stack is much simpler, composed primarily of a network, servers, and storage. The cloud infrastructure stack includes virtualized versions of those things, plus a lot more things besides. There are identity and access management services (e.g., AWS IAM), serverless platforms (e.g., Azure Functions), containers (Docker), and container orchestration systems (Kubernetes). Amazon Web Services alone has introduced hundreds of new kinds of cloud resources in the past decade, and they all have their own configuration attributes and security considerations.
There are also far more resources in a scaled-out cloud environment than in a traditional data center. It’s not uncommon for an enterprise-level organization to have hundreds of thousands of cloud resources spanning hundreds of different accounts. If that organization is operating in a multicloud environment, whether by choice or happenstance, the complexity is compounded because the infrastructure services each cloud offers vary considerably when it comes to configuration and security.
Compliance has always played a role in ensuring security policies are followed, but the cloud has broken the traditional compliance model. Most organizations using the cloud must adhere to industry compliance controls, such as HIPAA for healthcare data, PCI for financial services data, and SOC 2 for processing customer data in the cloud. But these controls are written in human — and often vague — language that can be difficult to apply to cloud use cases. And there are far too many rules for any individual to be expected to remember.
All of this complexity, dynamism, and scale results in cloud misconfiguration mistakes happening all day, every day. The State of Cloud Security 2021 Report, which surveyed 300 cloud engineers, found that half of teams operating large, regulated cloud environments are experiencing more than 50 misconfigurations per day. The traditional tool for detecting these cloud runtime vulnerabilities is cloud security posture management (CSPM), and the teams surveyed are investing more than a full-time equivalent engineer in managing the problem. It’s essentially a game of whack-a-mole.
And this game is serious. Malicious hackers have changed how they attack cloud environments to steal data and do other damage. The attack pattern of picking a target and searching for vulnerabilities to exploit has been flipped on its head. Now, hackers use automation tools to scan the entire internet searching for cloud misconfigurations to exploit. Deploying such a vulnerability can effectively put a target on your organization’s back.
|
Traditional Attack Strategy |
Cloud Attack Strategy |
|
Step One: Pick your target |
Step One: Search for vulnerabilities |
|
Step Two: Search for vulnerabilities |
Step Two: Pick your target |
How infrastructure as code and policy as code change cloud security
The game is changing for cloud defenders though. Security teams are no longer stuck simply monitoring the cloud runtime for vulnerabilities. They can work directly with cloud engineering and devops teams to shift cloud security left and prevent these vulnerabilities before they ever reach the runtime.
With the adoption of automated CI/CD deployment pipelines and infrastructure as code (IaC), which engineers use to define cloud resource configurations and relationships, we can now prevent misconfigurations automatically before they ever reach the runtime. Beyond the obvious security benefits, securing IaC in development and guarding against misconfiguration deployment brings significant gains in terms of cost and speed.
FugueBut in order to check IaC for security issues automatically without time-consuming and error-prone manual reviews, we need policy as code. Just like programming languages express logical functions as code, and IaC expresses configurations as code, policy as code allows you to express your required security policies as code. There’s no room for misinterpretation and misunderstandings.
With any “shift left” approach to security, you’re talking about developer-friendly tools that help development teams correct mistakes early in the software development lifecycle (SDLC). Software engineers prefer open source languages over proprietary ones, which are usually limited and more difficult to work with. And you want to be able to use the same policies at any point in the SDLC — from infrastructure as code checks to CI/CD guardrails to runtime monitoring — so developers, devops, and security and compliance teams are all operating from the same rulebook.
Open Policy Agent is a popular open source policy engine that’s extremely powerful and flexible. Organizations like Goldman Sachs, Netflix, and Pinterest are all big users of OPA, and Fugue uses OPA extensively to power policy-based security automation for cloud environments and IaC. OPA is supported by the Cloud Native Computing Foundation (CNCF) and enjoys a robust tooling ecosystem and active community. And it’s easier to find and retain engineers that know OPA. When considering a policy-as-code framework, it’s a good idea to start with OPA.
FuguePolicy-as-code checks for different stages of the SDLC
Fugue has been actively involved in the OPA project and developed the open source Regula tool that makes it easier to use OPA for checking Terraform and AWS CloudFormation IaC. And Fugue IaC enables teams to use the same rules for both pre-deployment IaC checks and runtime monitoring.
The net impact of approaching cloud security holistically using automated policy-as-code checks across the development lifecycle is that your application teams will deploy features and functionality to customers faster because cloud infrastructure teams will deliver the secure infrastructure to the application teams faster. Security and compliance teams will be able to shift focus to vulnerabilities that can’t be automated away as easily as cloud misconfiguration can. You will have raised the bar on attackers — and likely kept off their radar by avoiding misconfigurations.
Josh Stella is co-founder and CEO of Fugue and a technical authority on cloud security for highly regulated enterprises with customers like AT&T, Red Ventures, and SAP NS2. Bringing 25 years of expertise as a technology startup CTO, principal solutions architect at Amazon Web Services, and advisor to intelligence agencies, Josh founded Fugue and pioneered the use of policy-based cloud security automation to help enterprises run faster and safer in the cloud. He is a cloud technology patent holder, book author, and host of the Cloud Security Masterclass Series. Connect with Josh on LinkedIn and via Fugue.
—
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.