Cloud Security for Developers, Part 1
In recent years, the responsibility for deploying networks, operating systems, IAM, and so on has shifted from its traditional home with Information Technology and Security teams into the hands of those writing and deploying applications. Increasingly, software developers and engineers find themselves on the front lines, making crucial security decisions. Those decisions may result in an even more secure environment with proper automated governance to prevent misconfigurations…or they may contribute to the next big data breach.
Cloud deployments have been the source of many data leaks in the past few years. As SC Media stated in August 2020:
“Misconfigured storage services in 93 percent of cloud deployments have contributed to more than 200 breaches over the past two years, exposing more than 30 billion records, according to a report from Accurics, which predicted that cloud breaches are likely to increase in both velocity and scale.”
Why is this happening? There are two main factors, both tied to cloud adoption and the upending of certain traditional operating models.
First, shifting roles and responsibilities have placed security decisions into the hands of people who may not be trained in cybersecurity. Second, the overall governance that existed on-premises is often lacking in cloud environments.
What is governance? Basically, it’s the methods and processes an organization leverages to ensure people follow company rules and policies. Those rules and policies exist to minimize risks to the business’s profitability, such as costs associated with a data breach.
Governance also ensures the company is abiding by regulations that apply to the organization. Failure to comply with legal requirements related to sensitive data and cybersecurity control implementations may result in fines and business losses.
The basics of cybersecurity risk
The objective of my recent book, Cybersecurity for Executives in the Age of Cloud, was to convey fundamental cybersecurity concepts to executives to help them make better security decisions. At the executive level, cybersecurity objectives aren’t about specific technical implementations, network packets, cloud configurations, or analysis of security events. The goal is to minimize the overall risk faced by an organization.
Cybersecurity risk reduction involves setting appropriate policies in order to prevent breaches and ensure regulatory compliance. Then, executives need to ensure the organization as a whole follows the rules by measuring who is and is not adhering to those policies. A basic understanding of cybersecurity helps create and monitor policies effectively.
Some basic principles drive cybersecurity risk at the highest level. It’s less about the technical details of implementing security controls, and more about understanding statistics and the root causes of data breaches.
An actuary at an insurance firm may not be an expert in every domain for which he or she sets insurance prices. However, by looking at the factors that drive risk, one can determine the potential for an adverse event to occur.
If the factors typically associated with the incident exist, chances are the event may happen. Organizations can mitigate risk by measuring and reducing the factors most often associated with data breaches.
Managing and reducing risk
Business requirements that specify risk reduction targets should drive the implementation of cybersecurity controls. That’s the premise of my book, which presents 20 questions executives can ask security teams to understand what cybersecurity risks exist in an organization. However, the questions are not quite that simple, as I explain and delve into some details related to each one and how to measure it. As you drill down, it becomes more complex and nuanced.
Many small factors drive the big-picture metrics that organizations can use to quantify cybersecurity risk. In addition, individual risks add up to what I call cumulative risk. While single factors may not dramatically increase risk, the items as a whole may significantly increase the chances a company will face a data breach. That’s why organizations need to manage risk at a macro level, not at the level where a developer is making a single decision about a single application.
In my time at Capital One, I worked on the original cloud engineering team, later implemented networking for applications across the organization, and then moved to the security operations team. An organization that size may have 10,000 or more developers making individual security decisions at every level. Consider the scenario where an organization gives all developers complete authority to make decisions without any governance. Somewhere along the way, the chances are high that people will make incorrect assumptions and implement less-than-ideal solutions from a security perspective.
Most people won’t do this intentionally, but because they don’t have in-depth — or even basic — training in how cyberattacks work and breaches happen, they don’t fully understand the implications of their actions. They also can make mistakes. Who hasn’t?!
As the decisions move up the chain to architects, managers, and directors, each individual’s choices increase or decrease risk. And as we know from the Capital One breach and many, many others, just one unfortunate architecture decision or a single misconfiguration may have costly consequences.
That’s why organizations have governance and overarching security controls and responsibilities — those which developers and others sometimes don’t like or see the point of. Ultimately, someone needs to create the security rules and monitor them across the organization.
But who should define and monitor the controls? I’ll cover that in my next post where I answer the question, “Do we really need a security team?”