Cloud security fundamentals part 1: Know your environment

A discussion of the first of five fundamentals of cloud security: knowing your environment. (Part one in a five-part series.)

Originally published at https://snyk.io/blog/cloud-security-fundamentals-part-1/

140,000 Social Security numbers and about 80,000 bank account numbers — that’s what one attacker stole from a major financial institution back in 2019. How did it happen? The attacker used firewall credentials to obtain privilege escalation and hack into improperly secured Amazon cloud instances.

Once someone tipped off the financial institution via their responsible disclosure program, the company reacted quickly, found the misconfigured source, and fixed the vulnerability that made the data theft possible.

This breach is an example of an organization not fully knowing their environment, and how this lack of knowledge can be exploited. They were unaware of the breach until the attacker bragged about her exploit online and someone tipped them off. This is a testament to why things like intrusion detection aren’t as useful in the cloud — and why prevention and secure design (that starts with knowing your environment) are so critical. Cloud security starts with establishing full knowledge of your environment, and denying attackers discovery of that knowledge. ​​

Steps to knowing your environment

Knowing your environment is an idea that’s easy to understand but difficult to implement. For many cloud security leaders, the mental model of security still assumes a server and a separate outside world — a contained box one can defend from threats by detecting and stopping attacks in progress.

But the cloud has upended our assumptions. Even 16 years after the start of AWS, we still need to challenge the idea that cloud environments are easily knowable. In this article, we’ll lay out five ways to create visibility up and down the stack, from the inner core of your cloud environment to its outer edges.

1. MAP OUT THE CLOUD SDLC

The most important step in knowing your environment is to map your SDLC in as much detail as possible. In a cloud-first environment, this means mapping out how, when, and where your team and tools interact with the running cloud environment.

In particular, focus on mapping your code repositories, your infrastructure as code tools, and your CI/CD pipelines. A secure SDLC is one where every step is accounted for, including design, development, deployment — and all the intermediary steps, processes, and tools between.

The better you know your SDLC for your cloud infrastructure, the more efficiently you can integrate security into it.

2. CAPTURE CONFIGURATION ATTRIBUTES FOR YOUR RESOURCES

Configuration mistakes are especially risky because there’s little time to fix them. Within minutes of deploying an internet-facing resource in your environment, it’s likely been scanned by potential attackers using automation to identify misconfigurations and other vulnerabilities they might exploit. Control plane compromise attacks can be executed in a matter of minutes. So, for security-critical cloud resources, the target Mean Time to Remediation (MTTR) should be measured in under an hour.

Fortunately for cloud customers, cloud providers offer APIs that users can access to capture configuration attributes for all the resources they’re running in an environment. However, knowing your environment involves not only using those APIs — it also means expressing that captured information in a format that can then be queried with policy as code-based automation to enable teams to evaluate their security in the full context of their environment.

3. TIE CLOUD RESOURCES TO APPLICATIONS

Enterprise cloud environments can involve hundreds of thousands of cloud resources of many different types, making it difficult to tell which resources are where and how each resource is being used. To know your environment better, associate your cloud resources with your applications. By making this connection, you can more accurately identify vulnerable components that might risk the related applications — and vice versa.

This step is important because application vulnerabilities make it possible for your control plane to be compromised. The cloud control plane, as we’ve written about before, is a web of APIs that cloud providers offer developers so that they can configure and manage their cloud environments. When a control plane is compromised, usually via API keys, attackers can enter the cloud provider’s control plane and learn more about the environment. This gives them the ability to move laterally and access deeper levels of a system.

If an attacker compromises your control plane, they have broad means to modify your access and configuration settings. Then they can exploit your cloud storage or containers, and gain control of critical resources and data.

4. IDENTIFY INITIAL EXPLOIT VULNERABILITIES

To know your environment means knowing it not only from your own perspective but also from that of a would-be attacker. Otherwise, you might be like the homeowner with a front door locked by multiple deadbolts and an unlatched basement window.

First, think from the outside in. Examine the resources in your environment and evaluate them based on which could most easily serve as an initial penetration point. It’s useful to go so far as to simulate an attack to see how, for example, one penetration might lead to control plane compromise. You may even want to build or hire a red team — a group of users authorized to emulate an attack on your systems.

5. LAY OUT POTENTIAL ATTACK PATHS

Next, work from the inside out. Think about your most sensitive data stores and work backward. Which attack paths are most likely to give attackers access? Which penetration points are most vulnerable and most likely to open up those paths?

Remember that smart attackers might not move linearly. A small mistake, perhaps in your configuration settings, could allow attackers to move laterally and give themselves more and more access. To truly know your environment, you need to identify the paths, no matter how circuitous, attackers might take.

In particular, focus on regularly rotating your API keys and monitoring identity and access management (IAM) settings and resource access policies (both of which might be too permissive). The more permissive your settings and policies, the more likely an attacker will be able to exploit them.

Know thyself — only then will security become possible

Comprehensive knowledge of your environment is a precondition to cloud security — as is denying your adversaries discovery of that knowledge. A fancy new tool or a highly paid consultant might promise security, but neither can deliver on your security needs unless you create knowledge and visibility first.

Knowledge and visibility, however, aren’t the result of mere observation. Take the five steps outlined above to intentionally and deliberately build visibility into your cloud systems.