Common Challenges in Cloud Engineering

Are you addressing the root causes of your cloud security threats or just treating the symptoms? The Cloud Security Alliance's Top Threats to Cloud Computing 2024 report illuminates critical security challenges, but many of these threats result from overlooking foundational practices in favor of more complex solutions. My takeaways: 1️⃣ Misconfiguration and change control - Misconfigurations often signal that organizations advance to complex cloud setups without mastering the basics. For example, the Toyota data breach, where a decade-long exposure was due to human error and inadequate cloud configuration management, highlights the need for robust configuration management and continuous monitoring. 2️⃣ Identity & Access Management (IAM) - IAM issues frequently stem from inconsistent governance. The JumpCloud breach, where attackers exploited over-permissioned accounts and poor separation of duties, underscores the importance of regular policy reviews and strict governance practices. 3️⃣ Insecure interfaces and APIs - Securing APIs is crucial, but the rush to innovate can sometimes overshadow security. The Spoutible (an X alternative) API vulnerability, which exposed user data due to poor security practices, serves as a reminder to embed security into the API development process from the start. What can you do? 1) Focus on fundamentals: To address misconfigurations, prioritize strong configuration management and continuous monitoring. Look at tools like Prisma Cloud by Palo Alto Networks. 2) Regular governance reviews: Prevent IAM issues by regularly reviewing and adapting policies. Ensure all your applications are part of your IAM strategy, not just those supporting standards like SAML, OIDC, and SCIM. (Cerby can help you with these apps.) 3) Balanced innovation: Integrate security into development processes to avoid compromising security in a rush to innovate (see Secure by Design from the Cybersecurity and Infrastructure Security Agency). Focusing on the basics and doing them well can mitigate most of the risks in this report. Props to the authors Jon-Michael C. Randall, Alexander S. Getsin, Vic Hargrave, Laura Kenner, Michael Morgenstern, Stephen Pieraldi, and Michael Roza. #Cybersecurity #cloudsecurity #api Cloud Security Alliance

Cloud security can cause so many problems at any startup. After looking at 100s of AWS accounts, here's what we usually see overlooked: 1. Access Management (Who exactly can log into your cloud accounts? Too many startups give everyone admin access because it's easier.) 2. Multi-tenancy Risks (Your data is sitting on the same servers as other companies. Make sure you understand how it's being isolated.) 3. API Security (All those convenient APIs connecting your systems are great but...they're also a potential door for someone to walk through.) 4. Shared Responsibility Model (AWS isn't responsible for securing your applications - just their infrastructure. The rest is on you) 5. Credential Management (Those AWS access keys you copied to your local machine? They're probably still there, and that's a problem.) 6. Cross-Cloud Security (AWS, GCP, and Azure each have different security models, and they don't automatically talk to each other!) 7. Compliance Foundation (If you're planning to sell to banks or healthcare, you need to build with compliance in mind from day one) It's not all "someone hacked my EC2 instance and started mining bitcoin" - some of these are simple best practices that go out the window when it's a team of 5. Understandable, and solvable. None of these are impossible problems, but each can get ugly fast. What did I miss?

If I were Head of Platform Engineering dealing with high cloud costs, I wouldn’t just cut them down – I’d build a cloud-conscious culture. Here’s why that matters and how to make it happen: Cloud cost tools and frameworks are only as effective as the mindset behind them. No product on the planet will help you control costs if your organization does NOT prioritize cost-conscious thinking at every level. Here’s an extreme example: A high-flying SaaS company we worked with at Yotascale justified hiring decisions based on their cloud bill. More infrastructure meant more team members, and no one questioned the high cloud costs. This mindset makes cloud cost-management efforts irrelevant – even the best visibility tools can’t fix a culture like that. But contrast that with organizations where fiscal responsibility is baked into daily conversations. They discuss costs in team meetings, one-on-ones, and even at the board level. In these companies, everyone understands why cloud costs matter – that it’s not just about saving money, but it’s also about protecting jobs, improving business health, and reinvesting in innovation. Saving $5M could mean fewer layoffs in tough times and more resources for growth during good times. The challenge with cloud costs is that they’re often a lagging indicator. By the time costs hit the radar, it’s usually too late – leading to panic-driven decisions like slashing resources without a long-term plan. That’s why building for the future with cost in mind is NECESSARY. Proactive planning prevents reactive decisions. So, how do you create this cloud cost-conscious culture? It starts with the hiring process. Engineers today need to design systems that aren’t just secure and reliable, but economically efficient. Ask candidates how they’ve built cost-efficient systems in the past. Their answers will tell you whether they’ve lived a culture of cloud cost consciousness or not. Cloud cost management isn’t just a technical issue – it’s a cultural one. Build the right mindset, and the rest will follow.

The CSA recently released a new report that shows top threats to cloud computing in 2024. Thales also released a report that describes top reasons for breaches in the cloud. 🧐 Here’s a summary and what you should know: Overall, “The survey […] shows a continuing drop in the ranking of traditional cloud security issues that are the responsibility of cloud service providers [...]” 🙌 Focusing on the top 4 from CSA, we have: 📌 Misconfiguration & inadequate change control 📌 Identity & Access Management (#IAM) ← why do you think I’m constantly talking about this and have entire courses & labs dedicated to this topic? 😉 📌 Insecure interfaces and #APIs 📌 Inadequate #cloudsecurity Strategy ⛔️ Misconfiguration & Inadequate Change Control ⛔️ ➡️ What this is: “Inadequate change control [...] can lead to improper configurations that remain undetected” “Misconfigurations are the incorrect or sub-optimal setup of cloud computing assets that can leave them vulnerable to unintended damage or external/internal malicious activity. Lack of cloud system knowledge or understanding of cloud security settings and nefarious intentions can result in misconfigurations” (train your team, folks 😉) 💡 Examples: - Secrets management - Disabled monitoring/logging - Ports/services left open/running - Storage access - Subdomain hijacking Etc… ⛔️ Identity & Access Management (IAM) ⛔️ I cover this a lot in other posts, workshops, training, etc, so I won’t expand on it here. ⛔️ Insecure Interfaces & APIs ⛔️ ➡️ What this is: “APIs and UIs become vulnerable for various reasons” 💡 Examples: - Inadequate authentication - Lack of encryption - Insufficient input validation, - Poor logging and monitoring, - Outdated or unpatched software etc… ⛔️ Inadequate Cloud Security Strategy ⛔️ ➡️ What this is: Strategically thinking about cloud deployments beforehand by “considering external factors, existing implementation, and selection of cloud technologies, priorities, and trends toward creating a high-level plan or approach.” 💡 Examples: Worries about vendor lock-in, out-of-control costs, picking the right tool/service for requirements today and in the future, etc… 👉👉 Shifting to the root causes from Thales, there are three I want to highlight because they have a common cause (human error): 📌 31% due to a misconfiguration or human error 📌 28% due to exploitation of a known vuln 📌 17% due to failure to use MFA for privileged user accounts 🙋♂️ I’d love to hear from you. What do you think about these results? Do they accurately represent your challenges? What you think leads to the top cloud threats and root causes of cloud data breaches? Let me know in the comments below! Also, be sure to share this with your colleagues. This is important info!

☁️ 𝗖𝗹𝗼𝘂𝗱 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝘀 𝗮 𝗰𝗼𝗺𝗽𝗹𝗲𝘅 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲... Cloud security professionals face many hurdles like: • Hundreds of resource types can be created in the cloud with more introduced all the time  • Dozens of teams building resources  • Potentially hundreds or thousands of cloud accounts to manage  • An evolving threat landscape  🤔 𝗦𝗼 𝘄𝗵𝗲𝗿𝗲 𝗱𝗼 𝘄𝗲 𝗯𝗲𝗴𝗶𝗻? Here’s how I think about the problem but remember this is just the start 👀 𝗚𝗮𝗶𝗻 𝗛𝗼𝗹𝗶𝘀𝘁𝗶𝗰 𝗩𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆  • Use Cloud Security Posture Management (CSPM) tools like Wiz, CrowdStrike, or Prowler to inventory and scan your environments regularly ✅ 𝗗𝗲𝗳𝗶𝗻𝗲 𝗦𝘁𝗮𝗻𝗱𝗮𝗿𝗱𝘀 𝗮𝗻𝗱 𝗕𝘂𝗶𝗹𝗱 𝗣𝗼𝗹𝗶𝗰𝘆 𝗖𝗵𝗲𝗰𝗸𝘀 • Start with out-of-box rules from your tools • Tailor rules to your environment: modify severities, remove noise, and introduce custom rules as needed ⚠️ 𝗘𝗻𝗳𝗼𝗿𝗰𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗚𝘂𝗮𝗿𝗱𝗿𝗮𝗶𝗹𝘀 • Tools will generate a backlog of findings and remediation efforts will likely face some form of pushback or delay • By putting security guardrails in place like AWS Service Control Policies, Kyverno for Kubernetes, or code scanning, we can prevent net-new findings (e.g., misconfigurations, vulnerabilities) from being introduced in the environment 📋 𝗣𝗿𝗶𝗼𝗿𝗶𝘁𝗶𝘇𝗲 𝗮𝗻𝗱 𝗥𝗲𝗺𝗲𝗱𝗶𝗮𝘁𝗲 • Analyze findings to identify those with significant risks to your organization • Build automated remediation workflows with Cloud Custodian or similar to address existing issues at scale 🔍 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗖𝗼𝗻𝘁𝗿𝗼𝗹 𝗩𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻 • Regularly validate that your preventative and detective controls are working as expected 🥷 𝗔𝗱𝘃𝗲𝗿𝘀𝗮𝗿𝘆 𝗮𝗻𝗱 𝗧𝗵𝗿𝗲𝗮𝘁 𝗦𝗶𝗺𝘂𝗹𝗮𝘁𝗶𝗼𝗻  • Assess your environment against common and emerging threats • Understand and simulate adversarial attacks like Privilege Escalation, Lateral Movement, and Defense Evasion • Did you detect these or is there more work to be done? ------------------------------------------------------------------------------- Like I said, it's just the tip of the iceberg... We didn’t even cover cloud-specific security configurations, secure development and deployment processes, application security, IAM, Networking, containers, etc…. 𝗪𝗵𝗮𝘁 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝗶𝗲𝘀 𝗼𝗿 𝘁𝗼𝗼𝗹𝘀 𝗵𝗮𝘃𝗲 𝗽𝗿𝗼𝘃𝗲𝗻 𝗲𝗳𝗳𝗲𝗰𝘁𝗶𝘃𝗲 𝗶𝗻 𝗲𝗻𝗵𝗮𝗻𝗰𝗶𝗻𝗴 𝘆𝗼𝘂𝗿 𝗰𝗹𝗼𝘂𝗱 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆? #cloudsecurity #cloudengineering #cloud #aws #azure #gcp