Addressing Cloud Security Risks: Part 1 - Misconfiguration

A brief on addressing an important cloud security risk - misconfiguration.

In this multi-part series, I explore the top five cloud security risks that I've seen early-stage startups encounter, along with common causes and mitigation best practices. In a previous post, I covered Top 5 Cloud Security Risks for Startups. Today, I'll address one of the key risks: misconfiguration.

Cloud security risk - misconfiguration

Accountability / responsibility

  • Understand the shared responsibility between you and the cloud service provider (CSP). Depending on the deployment model, the responsibility matrix will differ, but ignorance, misunderstandings, or wrong assumptions can lead to major blind spots. See these guides from AWS and Google Cloud.
  • Understand your contractual and regulatory compliance obligations. This is not just applicable to CSP contracts, but also your own customer contracts, the jurisdictions that you operate in, and the data that you process. Both AWS and Google Cloud offer compliance resources to help you get started.
  • Understand data residency and sovereignty requirements, if any. These traditionally applied to highly sensitive or regulated industries; newer data protection laws and regulations (like GDPR) may introduce regional requirements, and they generally apply across industries.
  • Understand security requirements of your customers and business partners. Supply chain attacks and breaches are increasingly common, and vendor risk management should be on your priority list.
  • Finally, even if you use outsourced services, always remember that you can outsource responsibility, but you cannot outsource accountability.

Secure defaults

Real-time visibility

  • Configure your cloud environments to receive critical account-related and technical notifications, e.g. set up Essential Contacts for Google Cloud. Subscribe to security bulletins and keep abreast of the latest vulnerabilities.
  • Use cloud security posture management solutions like Google Cloud Security Command Center, AWS Security Hub, or other multi-cloud solutions for organization-wide security posture and real-time threat visibility.
  • Integrate the alerts/findings from these solutions with existing security operations tools, ticketing and notification systems.

Automation (infrastructure-as-code / policy-as-code)

  • Use infrastructure-as-code (e.g. Terraform) to provision cloud resources and configuration as far as possible. Both AWS and Google Cloud offer robust support for Terraform.
  • If you want to take it a notch higher, you can use policy-as-code to define and deploy policies and rules, and track/remediate deviations along the way.
  • Ideally, use workflows/pipelines for key tasks e.g. provisioning resources, assigning permissions, deploying workloads - in general, follow the simple "no humans in production" approach when possible.
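
One way to run the policy-as-code step above as a pipeline gate, added here as an illustration and not code from the original post: a small Python check over the JSON form of a Terraform plan, standing in for a dedicated policy engine. The rule functions, the three rules chosen, and the sample plan are assumptions; the attribute names are those of the AWS and Google Terraform providers.

```python
import json

# Constructed sample, trimmed to the shape of `terraform show -json plan.out`.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "aws_security_group.web", "type": "aws_security_group",
  "change": {"actions": ["create"], "after": {"ingress": [
   {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
 {"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
  "change": {"actions": ["update"], "after": {"uniform_bucket_level_access": false}}},
 {"address": "google_storage_bucket.old", "type": "google_storage_bucket",
  "change": {"actions": ["delete"], "after": null}}]}
""")
ADMIN_PORTS = (22, 3389)  # SSH, RDP

# Hypothetical rule functions: each returns a finding string, or None if compliant.
def sg_open_admin(after):
    for rule in after.get("ingress") or []:
        world = "0.0.0.0/0" in (rule.get("cidr_blocks") or [])
        lo, hi = rule.get("from_port") or 0, rule.get("to_port") or 0
        in_range = any(lo <= p <= hi for p in ADMIN_PORTS)
        # protocol "-1" means all protocols and ports, whatever the port fields say
        if world and (rule.get("protocol") == "-1" or in_range):
            return "admin port open to 0.0.0.0/0"

def bucket_ubla(after):
    if not after.get("uniform_bucket_level_access"):
        return "uniform bucket-level access disabled"

def public_member(after):
    if after.get("member") in ("allUsers", "allAuthenticatedUsers"):
        return "bucket granted to a public principal"

POLICIES = {"aws_security_group": sg_open_admin,
            "google_storage_bucket": bucket_ubla,
            "google_storage_bucket_iam_member": public_member}

def evaluate(plan):
    findings = []
    for rc in plan.get("resource_changes", []):
        check, after = POLICIES.get(rc["type"]), rc["change"].get("after")
        # deletes carry after == null; resource types with no rule are skipped
        if check and after is not None and (msg := check(after)):
            findings.append((rc["address"], msg))
    return findings

if __name__ == "__main__":
    results = evaluate(SAMPLE_PLAN)
    print(*(f"DENY {a}: {m}" for a, m in results), sep="\n")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline step
```

Because the check reads the plan rather than live state, a deviation is caught before it is applied, which fits the "no humans in production" workflow.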
