Transcript
Mark Nunnikhoven [0:07]
The cloud is an interesting place to build solutions for customers. It provides easy access to levels of technology that simply weren't available a decade ago. You can now launch the equivalent of an entire data center with a single command. This power has been a huge amplifier for teams around the world. The assumption was that without amplification, the security challenges that we see on premises would grow as well. Teams should be struggling with zero days, vulnerability chains, and shadow IT. It turns out they aren't; at least, those issues are nowhere near the top of their list of concerns. The top security challenge for builders in the cloud is actually very straightforward. Their biggest challenge is making mistakes that come in the form of service misconfigurations.

Now, I know that at least a few of you have probably raised your eyebrows at that statement, and I will back it up in a minute, but first let's look at the evidence around the initial assumption that most people make about cloud security. They assume that the cloud service providers themselves are a big risk. The data doesn't support this at all. Each of the four hyperscale service providers, Alibaba Cloud, AWS, Google Cloud, and Microsoft Azure, have had two security breaches over the past five years combined. Now, before I explain each of these, it's important to note that each of the Big Four have had to deal with a ton of security vulnerabilities over this timeframe. A large number of cloud services are simply managed service offerings of popular commercial or open-source projects. These projects have had various security issues that the providers have had to deal with.

The advantage for users, the builders, is how operations work in the cloud. All operational work, and make no mistake that security is operational work, done in the cloud follows the shared responsibility model. It's very straightforward.
There are six primary areas where daily operational work is required, and depending on the type of service that you're using in the cloud, your responsibilities shift. If you're using instances or virtual machines, you're responsible for the operating system, the applications running on that OS, and your data. And as you move to entirely managed services, you're responsible just for the data that you process and store with that service, but for all types of cloud services you are responsible for the service configuration. Now, despite having a clear line of responsibilities, the providers actually offer a number of features that help you meet your responsibilities and adjust the service to suit your needs.
Mark Nunnikhoven [2:39]
Now, looking back at those two security issues from the providers over the past five years, the first one we'll look at is from March 2020. In this case, Google Cloud paid out a $100,000 reward through their bug bounty program to a security researcher who found a privilege escalation in Google Cloud Shell. This is a service that provides a browser-based interface to the command line of a virtual machine running in your account, and under the covers the shell is a simple container running an application that provides the required access. The researcher noticed that they were able to use a socket connection in that container to compromise the host machine and escalate their access. The root cause: a misconfiguration in the access to that socket.

The second example is from October 2020. For this one we turn to Microsoft Azure. Here an issue was reported in the Microsoft App Services offering. This vulnerability allowed an attacker to escape the expected boundaries of the service and access a limited-scope deployment server with elevated privileges. The reason: a misconfiguration in the open-source tool that provided the web hosting service in this app.

Now, in both cases, the vulnerabilities were disclosed quickly and responsibly, and the issue was fixed without any reported customer impacts, but both of these cases were in higher-level cloud services. These are services that the providers' teams built using other services on that platform. So as a result, and in line with the shared responsibility model, they were at risk of a service misconfiguration. Even the hyperscale providers face this challenge. Now there's more evidence to support the fact that misconfigurations are the biggest issue in cloud security.
Security researchers in the community that study cloud issues have all published findings that align with this premise. Whether that's from other security vendors or industry organizations, the findings all agree: 65-70% of all security issues in the cloud start with a misconfiguration. But surveys and targeted research projects only go so far.