A study by Ponemon and IBM indicates that misconfigured cloud servers cause 19% of data breaches. This is an expensive problem with an average cost of half a million dollars per breach. This figure does not consider the potential PR nightmare that could take down the company.
Today the pandemic has us working at home, which makes us all more dependent on cloud computing. In addition to its other benefits, the cloud offers more modern security measures than on-premises platforms, so the Global 2000 made a quick push to public clouds. This rapid migration resulted in mistakes or oversights that have yet to be corrected, as conversion speed became more of a priority than caution.
This is not a new or rare problem, pre- or postpandemic.
What’s the root cause of this “rush” problem? How can we reduce the number of misconfigurations? I wish I could blame this on some particular trait or identify a common mistake, but the reality is that humans are flawed and unpredictable in their flaws. Although we can reduce the number of mistakes or oversights that occur, they can never wholly be eliminated.
The notion of zero trust may hold the answer. The bottom line of zero trust is just that—don’t trust anything or anybody. Everyone and everything must be verified, including cloud services that are often misconfigured. Because everything is constantly being re-verified, the risk of a breach goes as down as the security becomes more rigorous.
If we trust humans to configure cloud resources and services correctly, which removes as much risk as can be removed, about 20% of those security configurations will still be misconfigured. The notion of applying the concept of trust to deal with humans is to define humans as almost never trustworthy.
We’re at a point now where we can afford to automate all security. This includes checking the configurations and frequently rechecking the configurations, as well as being proactive around the use of identities, encryption, key management, and multi-factor authentication.
Most people who manage security are a bit distrustful of this kind of rigor, perhaps because giving up control of cloud security to automation is scary. What’s scarier is the number of human-caused misconfigurations that will likely increase as our cloud deployments become more complex and heterogeneous. When compared to $500,000 per incident, the justification to spend the money on security rigor allows us to get off cheap.
The call to action? Remove humans from the security processes and automate as much as possible. At the very least, validate and verify all manual work and do so often. In the long run, moving from “trust but verify” to zero trust is better for people since everyone can keep their jobs.