
Resolving and Removing Common Security Gaps in Cloud Misconfigurations


In order to support digital transformation strategies and a large remote workforce during the pandemic, enterprises are deploying applications on cloud platforms at an increasingly rapid pace. With this accelerated application expansion comes additional network complexity and the risk of misconfiguring any of these applications and services.

A 2021 survey found that 54% of InfoSec professionals believe poorly configured and insecure interfaces or services are a major concern when it comes to business applications. Organizations are therefore putting themselves at unnecessary risk by not taking the precautionary steps to ensure that new cloud infrastructure is deployed securely. At the same time, organizations need a process to ensure that any previously deployed cloud infrastructure remains secure. Otherwise, any misconfiguration opens up the potential for exposure to threat actors. Misconfiguration of cloud services and resources is often involved when a security breach occurs, so it is critical to prevent misconfigurations from occurring in the first place, or to detect and remediate them as quickly as possible if they do occur. However, many cloud and IT professionals struggle to determine the best place to start.

Start with building golden configurations for cloud services

Organizations need to define how each cloud service and application must be configured to be secure. These definitions become the Golden Configuration templates that can be used to determine whether a particular cloud service or application is configured correctly. Without a proper baseline definition of how each service ought to be configured, it is difficult to determine whether something is misconfigured at all, so defining a standard is of primary importance.

Automate compliance checks and remediation on existing cloud infrastructure

Once an organization has defined how cloud services should be configured, it should build an automated process that compares its deployed cloud infrastructure to the Golden Configurations it has defined. This process identifies misconfigured cloud resources and determines how they are misconfigured. Identifying misconfigured resources must be automated, because threat actors are automating their own attempts at detecting these misconfigurations, so it becomes a race over who identifies these risks first.

Identifying misconfigurations quickly is only half of the battle; organizations must also implement a method to automatically remediate misconfigured cloud services. There is little benefit in detecting a security risk quickly if it still takes days or weeks to correct it because of manual processes. To be truly effective, automation must reduce both the time to detect and the time to correct any misconfiguration. Many cloud platforms can generate event notifications whenever a cloud service is changed or modified. Organizations can improve their ability to detect and remediate changes by integrating their automations with these event-driven services. This allows the automation to execute as soon as the cloud platform detects that something has changed in a service, and if the automation can immediately correct the configuration, there is almost no window in which a threat actor could detect and exploit the misconfiguration.

Automate validation for newly deployed infrastructure

It is easy to see why automated compliance checking and remediation are critical for organizations to implement: misconfigurations accumulate over time because of manual processes and human intervention. For the same reason, organizations must also build validation processes into their automations to avoid deploying misconfigured infrastructure in the first place. A validation process checks that a proposed infrastructure change will not violate the currently defined golden configuration standards. It is a compliance check that occurs proactively, unlike a typical compliance check, which examines already deployed infrastructure for misconfigurations. With automated validation, an IT user submits a proposed change to the cloud infrastructure and the automation determines whether the proposed change meets the compliance standard. If it violates the standard, the change is not applied at all and the user is notified of the problem so they can correct the configuration in their next request. If the change does not violate the standard, it is accepted and applied to the cloud infrastructure.
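The three pieces described above (a golden configuration, event-driven drift detection with automatic remediation, and proactive validation of a proposed change) can be combined in one small checker. This is an added illustration, not code from the article or from Itential; the bucket settings, the golden values and the "resource changed" events are constructed sample data rather than any cloud provider's API.

```python
"""Golden-configuration checker: detects drift in deployed resources,
remediates it, and validates proposed changes before they are applied.
All resource records below are constructed samples (hypothetical)."""
from copy import deepcopy

# Assumed golden configuration for an object-storage bucket:
# each key is a setting that must hold and the value it must have.
GOLDEN_BUCKET = {
    "public_access": False,
    "encryption_at_rest": True,
    "versioning": True,
    "logging_enabled": True,
}

def find_violations(resource, golden=GOLDEN_BUCKET):
    """Compliance check: {setting: (actual, expected)} for every drifted setting."""
    return {k: (resource.get(k), want)
            for k, want in golden.items() if resource.get(k) != want}

def remediate(resource, golden=GOLDEN_BUCKET):
    """Return a corrected copy of the resource and the sorted list of settings changed."""
    fixed = deepcopy(resource)          # never mutate the caller's record
    changed = sorted(find_violations(resource, golden))
    for k in changed:
        fixed[k] = golden[k]
    return fixed, changed

def validate_change(current, proposed_patch, golden=GOLDEN_BUCKET):
    """Proactive check: (accepted, violations) for the state the change would produce."""
    candidate = {**current, **proposed_patch}
    violations = find_violations(candidate, golden)
    return (not violations, violations)

def on_change_event(event, golden=GOLDEN_BUCKET):
    """Event-driven handler: on a 'resource changed' notification, check and auto-remediate."""
    fixed, changed = remediate(event["resource"], golden)
    return {"name": event["name"], "compliant": not changed,
            "remediated": changed, "state": fixed}

# Constructed sample events: one compliant bucket and one that has drifted
SAMPLE_EVENTS = [
    {"name": "logs-bucket", "resource": {"public_access": False, "encryption_at_rest": True,
                                         "versioning": True, "logging_enabled": True}},
    {"name": "uploads-bucket", "resource": {"public_access": True, "encryption_at_rest": False,
                                            "versioning": True, "logging_enabled": True}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(on_change_event(ev))
    ok, why = validate_change(SAMPLE_EVENTS[0]["resource"], {"public_access": True})
    print("proposed change accepted" if ok else f"proposed change rejected: {why}")
```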

Author

Rich Martin is Director of Technical Marketing at Itential. Previously, Rich worked at several networking vendors as both a Pre-Sales Systems Engineer and Systems Engineering Manager. He started his career with a background in software development and Linux. Rich has a passion for automation in the networking domain. At Itential he helps networking teams get started quickly and move forward successfully on their network automation journey.
