Most cybercriminals don’t bother with sophisticated attacks; they simply look for gaping holes in security defences caused by misconfigurations.
All day, every day, hackers breach small businesses, hold data to ransom or take customer data for misuse. Hacking is now a multi-billion-dollar industry with criminals and governments vying for the lead position.
Ironically, we humans are the common cause of most breaches. Human ignorance facilitates the hacker’s intent.
Poorly configured authentication, access and identity controls, or poor content filtering, cause vulnerabilities during cloud-based migrations and application deployments. Microsoft, World Wrestling Entertainment, Time Warner Cable, FedEx and Verizon are just a few high-profile examples of organisations that have been breached due to cloud misconfigurations.
Cloud providers have a shared security model that defines what the provider will secure and what the client is liable to secure on its own. This is typically referred to as ‘Security OF the Cloud’ (provider) and ‘Security IN the Cloud’ (client).
Breaches caused by misconfigured cloud-native security are almost always due to the data owner’s lack of knowledge about how to use the native security controls offered on the cloud platform. Many companies don’t fully understand where the cloud provider’s responsibilities end and theirs begin.
Education and awareness for everyone involved in designing, implementing and administering cloud applications is the best method of reducing the risk of configuration errors. You should have complete consistency of security policy enforcement across all environments.
When deploying a new cloud service or migrating an existing system to the cloud, security personnel, developers, business stakeholders and appropriate upper management should all be involved in security control development and implementation.
Project leaders should ensure they have sufficient knowledge of the pre-existing security controls and strategies to take charge of the process.
A new development is the idea of intent-based security and networking, which sets up templates and/or tags for security policy and network pathing design. This moves security away from defining each new application or server, and toward defining an application/server type, which is then applied to different applications/servers as a development team creates them.
Proper security rules are then automatically applied to these new apps and servers based on their type, and the manual process is reduced greatly. This also makes change management much easier, as changing the nature of an application or server can be handled by simply re-tagging it or swapping the template it has been assigned.
Intent-based network security layers intent onto implementation, effectively bridging the traditional gap between business and security by enabling business owners and DevOps teams to determine the business intent of applications while allowing security teams to automate the response to access requests required to enforce that intent. The result is continued compliance with enterprise security intent across any IT asset, in any computing environment.
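The template-and-tag model described above can be sketched as a small policy compiler. This is an added example, not code from any product or from the original article; the type names, ports and asset names are constructed assumptions. It expands type-level intent into concrete allow rules, gives untagged assets no access by default, and shows the rule diff a re-tag produces.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed templates (assumption): each application/server type lists the
# peer types allowed to reach it and the TCP ports. Anything else is denied.
TEMPLATES = {
    "web": {"internet": {443}},
    "app": {"web": {8443}},
    "db": {"app": {5432}},
}

@dataclass(frozen=True)
class Asset:
    name: str
    tag: Optional[str]  # type assigned by the team; None means untagged

# Constructed sample inventory; batch-1 has not been tagged yet.
INVENTORY = [Asset("web-1", "web"), Asset("app-1", "app"),
             Asset("db-1", "db"), Asset("batch-1", None)]

def compile_rules(assets):
    """Expand type-level intent into concrete (src, dst, port) allow rules."""
    rules = set()
    for dst in assets:
        allowed = TEMPLATES.get(dst.tag, {})  # unknown/missing tag: no inbound
        for src_type, ports in allowed.items():
            if src_type == "internet":
                sources = ["0.0.0.0/0"]
            else:
                sources = [a.name for a in assets
                           if a.tag == src_type and a != dst]
            rules.update((s, dst.name, p) for s in sources for p in ports)
    return rules

def retag(assets, name, new_tag):
    """Change management by re-tagging: new inventory plus the rule diff."""
    updated = [Asset(a.name, new_tag) if a.name == name else a for a in assets]
    before, after = compile_rules(assets), compile_rules(updated)
    return updated, after - before, before - after

def untagged(assets):
    """Assets no template covers; worth flagging before they reach production."""
    return [a.name for a in assets if a.tag not in TEMPLATES]

if __name__ == "__main__":
    print(sorted(compile_rules(INVENTORY)))
    _, added, removed = retag(INVENTORY, "batch-1", "app")
    print("added:", sorted(added), "removed:", sorted(removed))
    print("untagged:", untagged(INVENTORY))
```

Reviewing the added and removed sets before applying a re-tag gives the security team an approval point without hand-writing each rule.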