Webinar recap: The missing story with every cloud breach

Snyk’s Chief Architect, Josh Stella, recently hosted a webinar about cloud security. Stella was the co-founder and CEO of Fugue, a cloud security and compliance company that was acquired by Snyk. With the capabilities of Fugue, Snyk will bring its developer-first security platform into the cloud security space.

During this talk, Stella discussed the missing story in every cloud breach: the tale of how, when, and where attackers operate in the cloud. He also revealed a methodology for securing cloud resources against modern attacks.

In this blog post, we’ll highlight some of the key insights from the presentation.

How the cloud has changed security

As a starting point, it’s crucial to understand how cloud computing has changed the nature of security. In the past, the data center was relatively isolated and hardware-based, so securing the perimeter was an effective focus. In comparison, today’s cloud-based infrastructure approach is defined by software because every customer of a particular cloud provider is sharing the same hardware.

The benefit of a software-defined cloud is that it’s highly dynamic and programmable, which allows companies to automate many different functions, including cloud security. However, this flexibility comes with complexity, since modern cloud environments consist of hundreds of thousands of components and cloud providers offer hundreds of services.

The challenge is that the act of configuring these components and services is increasingly shifting to developers using infrastructure as code. And in turn, requiring development teams to take on additional responsibilities for cloud security.

Attackers have also changed how they operate

The cloud has also impacted how attackers operate. In the pre-cloud era, hackers would choose a target and then search for vulnerabilities to stage an attack slowly and methodically. Today’s hackers use automated tools to search for vulnerabilities, pick their target, and then quickly attack.

This means there is no security through obscurity. If you have a public facing IP address or DNS, it will be scanned within minutes of it appearing. You don’t have hours or days before you become a potential target to hackers.

Much of the news around prominent cloud breaches are misleading when they suggest that breaches come down to a single vulnerability or misconfiguration. The reality is that most of them are the result of poor system designs that fail to secure the control plane. Attackers may initially penetrate a system through a single misconfigured cloud server, but they’ll then attempt to move laterally through the system to locate and extract valuable data.

The five fundamentals of cloud security

While securing the perimeter made sense for traditional data centers, it’s no longer enough to stop attackers in today’s cloud environments. According to Stella, there are five fundamentals that form a virtuous cycle for consistently improving cloud security.

1. Know your environment

Knowing your environment is essential for both hacking and protecting cloud systems. For example, knowing what vulnerabilities actually look like in the context of a specific cloud environment is critical for minimizing cloud security risks.

2. Prevention and secure design

Since misconfigurations are one of the primary entry points for attackers, it’s crucial to find and remediate them when developing infrastructure as code and CI/CD pipelines. Considering a secure cloud architecture during the design phase can also help prevent attackers from moving laterally through a system if they manage to penetrate its perimeter.

3. Empower your developers

While developers can learn about secure design through training and certifications, the best way to share knowledge about cloud security best practices is through automation and tooling. IaC security tools can empower developers with actionable security guidance within their existing DevOps workflows.

4. Policy as code

Policy as code is software that can assert what is safe and unsafe within infrastructure as code and running cloud environments. Meaning policy as code enables security teams to deploy and enforce security policies automatically across the software development lifecycle (SDLC) at scale.

5. Measure what matters

Every organization will want to measure different security metrics, so it’s important to determine what matters most to an individual organization and quantify it. It may be important to track how many vulnerabilities you’re eliminating pre-deployment, how much you’re reducing deployment approval times, or increased cloud engineering productivity. Measuring  helps ensure progress and provides critical information back to the first phase of this five-step cycle.

The customers that Snyk has that are really successful at cloud security are doing these five things constantly.

Developer-first cloud security with Snyk

Snyk has recognized the challenges developers face when it comes to cloud security, and aims to further alleviate the burden. By integrating cloud security posture management into the DevSecOps workflow, Snyk will help organizations better understand their cloud environment, design more secure systems, and empower developers to ship more secure software.

If you want to learn more, check out the full webinar:The missing story with every cloud breach—and what you need to know and do.