Configuration-related errors continue to result in avoidable losses of customer data and, consequently, their trust and loyalty, as well as revenue.
The recent T-Mobile breach is reported to be the result of a misconfiguration that made an access point publicly accessible on the internet. Luckily, there are tactics one can deploy to avoid cloud configuration breaches and prevent error from both technology and humans.
1. Ensure the protection of your network
To avoid unauthorized access, you must secure your ports and certify that your firewalls are configured properly. Micro-segmentation, network access control lists (NACLs), and software defined networking (SDN) are a few of the functionalities that can aid in providing network security.
2. Utilize gold images and approaches
Using security-hardened gold images and approaches such as the Amazon Machine Images (AMIs) imposes adherence to corporate security and compliance requirements. When security, dev and ops work together to define golden AMIs, they can be designed with security controls built in.
3. Include automation
When it comes to protecting your data, the last thing you want is a security team that is burnt out, as that is a breeding ground for human error. Automation relieves humans of mundane and repetitive tasks. Including automation as a tactic can both assist in removing human error and provides the employee additional free time to focus on other, more important tasks. For example, when automation is added to golden AMIs, operations can pull the applicable image from a golden AMI library, effectively replicating best practice instances with reduced opportunity for human error and streamlining the build process.
4. Monitor configurations
Multiple tools are available to monitor configurations to ensure they are functioning appropriately, advising system owners when a configuration has moved out of its expected state and allowing them to address the change. Coupling the appropriate tools with automation can also expedite the workflow which will allow for properly updated systems.
5. Codify system configurations
Infrastructure as Code (IaC) significantly reduces error by codifying system configurations. Through this method, configuration files are distributed more easily, which ensures consistency and reduces risk. You can begin by shifting security “left” – building it in to the infrastructure early on, so it’s integral to the process and not an add-on. If you write your IaC with secure configurations from the very beginning, then your infrastructure is secure by nature. If something changes, you can update your infrastructure’s code template, automatically updating the architecture across the enterprise.
6. Properly manage changes
Adhere to your change management process and ensure that your configuration files have the same controls as your other source code. Any configuration change needs to be reviewed by a DevSecOps or cybersecurity center of excellence teams so that all changes stay in the safest possible state.
7. Make it an ideal environment
The cloud is the perfect environment for immutable infrastructure, which treats infrastructure parts as if they were expendable. Rather than creating a whole new service or application, unpair your app components from your infrastructure so when the elements need an update, it can be easily replaced by a new security hardened gold image as mentioned above. This reduces your risk of a breach during the change management process.
8. Verify everything
Across all your cloud tiers, regularly conduct self-audits and always make sure to test your security controls. Some programs are designed specifically to sabotage your entire system – if that system fails, you know your tactics are working. We commonly see test projects turn into production reality, and unfortunately developers don’t go back to verify security is to production grade, resulting in security weaknesses.
9. Make it easy
Make it easy to follow secure processes; the easier it is, the more likely your teams will comply and the more secure you’ll be! Cloud helps achieve this by being clear which security responsibilities belong to you and which the cloud provider is responsible for. And cloud automation helps a lot, too. From immutable infrastructure to continuous compliance and security as code.
Above all, be your own best tactic
Stay vigilant and double check all work for any red flags, unusual activity, or even near system failures. The tactics listed above aid in managing misconfigurations properly and creating additional productivity enhanced by cloud automation. Avoiding a breach will save both you and your company stress, time, and money.