Distributed systems – especially cloud infrastructure – have become increasingly popular in recent years. However, cloud infrastructures have unique characteristics and therefore specific security demands. In this article, we’ll have a look at properties of the cloud, traditional security concepts and why they do not adequately cover security in the cloud.
The advent of cloud computing has fundamentally changed the way businesses think about and interact with IT infrastructure and services. Cloud computing offers flexibility through scalability on demand, almost unlimited storage and computing capacity, and several other benefits. However, these benefits also create a complexity in IT infrastructure and services that did not exist before. The number of systems interacting within the cloud environment, as well as the size of the environment itself, has increased massively. The flexibility and scalability of the cloud make it possible to host a huge variety of interconnected applications.
Furthermore, cloud infrastructure is often deployed and managed as Infrastructure as Code, adding to the complexity.
Due to this, a large amount of source code is running on these systems. Hence, dependence on external libraries is common practice, which brings external vulnerabilities into one's own infrastructure. Additionally, every new application causes the system to develop further, e.g. by increasing the interdependencies between applications that communicate and cooperate. This is especially true for serverless applications, microservice applications, monitoring, and logging. These circumstances create a complex network of linked applications and hidden dependencies. It is difficult for humans to keep an overview of the cloud architecture, the workloads from different developers, and the existing dependencies. When this overview is lost, it leads to various crucial security issues and threats, such as those around Identity & Access Management, misconfiguration, and a lack of knowledge about the security vulnerabilities of one's own infrastructure.
In the pre-cloud era, developers exclusively wrote applications while the rest of the stack – including security – belonged to IT operations.
Many organizations viewed security as an external practice that began once their source code was deployed into operation. Security was only one step of the development process, measured by the absence of negative events and incidents, which have always been seen as something negative rather than as an opportunity to learn and to improve. Nowadays, developers are responsible for the entire stack, including security. However, security is not part of their regular workload and competences. Developers aim to improve the code they are developing by making it either faster or more stable. Integrating security into this process only adds to the already heavy workload and complexity through necessary scans, contextual checks, and comparisons with expectations. This turns security into an afterthought and leads to an aversion to security.
Research conducted in 2019 showed that almost 70% of developers own the security of container images, but nearly half of them will not be able to find any new vulnerabilities in those containers.
A simple update or re-creation would fix almost two-thirds of vulnerabilities in such container images. Further, an average system contained 22 vulnerabilities. Almost 90% of the vulnerabilities that leave systems inadequately secured originate from the application code itself. These numbers show the lack of control over security and the fact that developers are not security experts but need support, new approaches, and tools to help them secure their systems adequately.
In summary, there are discrepancies between how companies approach security and how they should address it, as well as between what developers can and want to do and what they need to do. Companies should perceive cloud security as:
- a necessity throughout the entire process, from development to deployment to regular updates.
- an added value.
- a proactive implementation that ensures systems work as intended and are unexploitable by hackers.
Thus, companies need to rethink their security strategy and go beyond traditional concepts. One of these novel approaches is Security Chaos Engineering, whose general concept we will discuss in the next post.
If you are interested in more details on how A&B security experts can help establish a Security Chaos Engineering culture in your company, have a look at our SCE Program or contact us at Alice&Bob.Company!