Improving the Grand Unified Theory of Cloud Governance
https://www.firemon.com/improving-the-grand-unified-theory-of-cloud-governance/
Tue, 24 Oct 2023 16:31:56 +0000

A smidge over a year ago I wrote the Grand Unified Theory of Cloud Governance. It’s a concept I’ve been playing with for about 5 or 6 years to try to encapsulate the root cause of the difficulties companies have adapting to cloud. Sure, the title is a bit egotistical, but I used to be a Gartner analyst so, shrug?

Like any (hopefully) good theory I keep evolving it over time as I work with more companies and talk to more people. I’ve been using it a ton over the past couple years in my speaking and training, especially as I’ve been pulled into more governance scenarios. Time and time again the major problems I run into aren’t so much technical, but organizational. Yes, there are many MANY technical complexities to cloud security, and they can and do result in breaches, but in my experience the governance issues far outweigh the technical ones. 

Good governance can’t patch a zero day, but bad governance means the attacker never needs one.

The core of the theory hasn’t really changed, I just keep working on better ways to explain it. I also decided to trim it down slightly. Here’s how I currently plop it onto my slides:

  • Cloud decentralizes operations and infrastructure
  • But cloud unifies all administrative interfaces
  • And puts all admin portals and resources on the Internet, protected with a username and password

Going back to the previous version the changes are small but also big:

  • Cloud has no chokepoints, and thus no gatekeepers.
  • All administrative and management functions are unified into a single user interface that is on the Internet.
    • Protected with a username, password, and, maybe, MFA.
  • Technology evolves faster than governance.

I still use “no chokepoints and gatekeepers” in my talk track, but I found that it’s a longer way of saying “decentralized”. The fundamental issue is independent control of the full stack outside of centralized infrastructure: a dev or app team can build and manage all of their own infrastructure in their own environment with just a credit card. There are still some dependencies and controls, especially in the data plane or when you need to tie back into existing networks, but that doesn’t change the primary point.

Trying to completely recentralize is rarely going to work.

Next, I didn’t really change the unification of administrative interfaces. To expand, we decentralized all the infrastructure and control at the deployment level, but everyone, in the world, uses the same web console and API endpoints. 

Attackers have one gateway to infinite targets.

Then I took the sub-bullet from version one and made it bullet 3. These admin portals are all on the Internet, and by default are protected by little more than a username and a password. All resources are also one setting away from being on the Internet; just ask all those S3 buckets and Elasticsearch clusters.

It really is that simple. Teams manage their own stuff independently. They all, around the world, use the same web portals and API endpoints. And any idiot with the right credentials can poke and prod at the back end of your “datacenter”.

Now the crazy part: this was all laid out in 2011 in NIST SP 800-145, the two-page NIST Definition of Cloud Computing, which defined the five essential characteristics of cloud computing as:

  • On-demand Self Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Take the first three points and we have:

  • Teams manage their own stuff
  • It’s all on the Internet
  • And all based on collective resource pools

Alright, so what does this all mean, and what do we do?

Accept it.

That’s the first step. Understand the problem and use it as a lens to devise our solutions. As I wrote recently in my Strong Authorization post:

Because they aren’t used to everything (potentially) being on the Internet. The entire management plane is on the Internet, so if an attacker gets credentials, you can’t stop them with a firewall or by shutting down access to a server.

Start there. Accept the base reality. What can we do to reduce that risk? To reduce those attacks? I think the most impactful choice is to focus on IAM, and on the intersection of governance and IAM. Who do you have managing permissions? Access? What security controls can prevent, detect, and correct IAM-related attacks? What are your processes around IAM? Do your incident responders know the deep ins and outs of IAM for your given cloud provider(s)? Do you use JIT/Strong Authorization? How do you manage IAM for contractors and external services?

Start with your IAM governance and processes. Then choose and use technologies to support them. This is the single most impactful way to improve your cloud security. I really hope I’m not the first person to tell you that.
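As an added example (not code from the original post), one detective control for bullet 3 above, the console sign-in that is protected by little more than a username and password: a Python check over constructed CloudTrail ConsoleLogin records that flags every successful sign-in completed without MFA and every sign-in by the account root user. The record layout follows CloudTrail's ConsoleLogin events (userIdentity.type, additionalEventData.MFAUsed); the sample records, account ID, user names and IP addresses are constructed.

```python
import json

# Constructed sample CloudTrail records (not real logs): three console sign-ins
# plus one unrelated API call that the check must ignore.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventTime": "2023-10-24T16:31:56Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventTime": "2023-10-24T17:02:11Z", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventTime": "2023-10-24T17:40:03Z", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "eventTime": "2023-10-24T17:41:00Z", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def find_risky_console_logins(cloudtrail_json: str) -> list[dict]:
    """Return one finding per successful console sign-in that was either
    completed without MFA or performed by the account root user."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventName") != "ConsoleLogin":
            continue  # only sign-in events matter for this check
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts are a separate (brute-force) signal
        identity = rec.get("userIdentity", {})
        mfa_used = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        reasons = []
        if not mfa_used:
            reasons.append("no-mfa")          # password-only access to the management plane
        if identity.get("type") == "Root":
            reasons.append("root-login")      # root should not be used for day-to-day work
        if reasons:
            findings.append({"time": rec.get("eventTime"),
                             "principal": identity.get("arn"),
                             "source_ip": rec.get("sourceIPAddress"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_risky_console_logins(SAMPLE_CLOUDTRAIL):
        print(finding)
```

The same check applies unchanged to a CloudTrail log file pulled from S3, since each file carries the same top-level "Records" array.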

A Totally Cloud-Biased Retrospective of RSAC 2023
https://www.firemon.com/a-totally-cloud-biased-retrospective-of-rsac-2023/
Thu, 11 May 2023 15:21:47 +0000

I had a bit of a weird moment a few weeks before the RSA Conference. I was grumbling a bit about finishing my slides, which were late due to an agenda change, and my wife just looked at me and asked, “do you remember how excited you were that first year you got to speak?” 

Ah. Perspective.  

I get that some people like to knock on RSAC as being too big or too focused on vendors, but I strongly suspect most of those people don’t look much at the agenda or go to any of the sessions. I have a bit of a different relationship with the conference as someone on the Program Committee who has given dozens of presentations (my record year was 7 sessions and panels… never again), and attended as an analyst, user, and now as a vendor. Yes, I enjoy the social events, but in the end, this is a work conference, and my main goal is to come home with new ideas, relationships, and knowledge that helps me improve professionally. RSAC 2023 did not disappoint.  

The session content this year was incredibly strong. I made new connections with some very smart people, and carved out some quality time with friends and peers to swap the kinds of ideas that inspire me when I head home. Here are some of my key takeaways, which are totally biased around cloud-related topics because that’s what I’ve dedicated the last 12 years of my life to. 

The Content was Strong and Technical 

I was only able to attend a few sessions, but as a Program Committee member I have to review all the sessions in my track (Cloud and Virtualization). I can’t speak for all the tracks, but we ended up with some top-notch content. It’s hard to pick only a few sessions, but these (from my track) really stood out (links to the sessions for those of you with on-demand access): 

Top 10 Ways to Evolve Cloud Native Incident Response Maturity by Sarah Currey and Anna McAbee: https://www.rsaconference.com/usa/agenda/session/Top%2010%20Ways%20to%20Evolve%20Cloud%20Native%20Incident%20Response%20Maturity 

Walking on Broken Clouds by Chris Farris: https://www.rsaconference.com/usa/agenda/session/Walking%20on%20Broken%20Clouds 

M365 Adversary ROI: Microsoft Cloud Attack Insights by Aaron Turner and David Etue: https://www.rsaconference.com/usa/agenda/session/M365%20Adversary%20ROI%20Microsoft%20Cloud%20Attack%20Insights 

Cloud Agnostic or Devout? How Cloud Native Security Varies in EKS/AKS/GKE by Brandon Evans: https://www.rsaconference.com/usa/agenda/session/Cloud%20Agnostic%20or%20Devout%20How%20Cloud%20Native%20Security%20Varies%20in%20EKSAKSGKE 

The Hacker’s Guide to Cloud Governance by Me: https://www.rsaconference.com/usa/agenda/session/The%20Hackers%20Guide%20to%20Cloud%20Governance 

Economic Headwinds are Real and Security Won’t Escape This Time 

One of the best parts of RSAC is spending time with friends and peers from across the industry. Stick around long enough and the friends from your 20s and 30s are now managers and executives in their 40s and 50s. Survive that long, and you start talking more about economics and less about the vulnerabilities of the day.

It’s clear that many organizations are battening down the financial hatches. Budgets are under more scrutiny, and cloud and security budgets are very high on the list for “optimization”. Much of this is driven by uncertainty; no one is really sure how current economic trends will impact daily operations, but all are trying to minimize costs just to be safe.  

In previous economic downturns security has tended to avoid the worst cuts. But my suspicion is that the security industry has moved past a primary growth phase where organizations were still covering the basics with fundamental investments, and now organizations are looking for more cost optimization. This feels especially true in cloud, including security, where spending was less planned or constrained and is now under heavy scrutiny.  

I do think this puts cloud security in a rough spot because, in my opinion, we still haven’t matured our foundation, and the reality is organizations need to spend on people, skills, and tools to secure this still rapidly evolving set of technologies. It’s one reason we released FireMon Cloud Defense Free (totally free, enterprise scale, no strings attached).

AI Didn’t Dominate Because Printers are Slow 

By the time the big AI tsunami of 2023 hit, most of the vendors on the show floor had long since sent their booth designs to the printers. You could walk around the floor and just feel the seething frustration at not being able to prominently display, on booth walls and branded swag, new AI capabilities that are almost ready for development and look really cool on that napkin.

AI was a big topic of conversation, but most of the show floor was still stuck on Zero Trust and Attack Surface Management. Look, the lines between a trade show and a fashion show are slimmer than you might think. Every year some trend seems to dominate based on what’s hot in the press. 

I had one of our SEs ask me if I “saw anything new or exciting this year?” After 20 years of RSA I can confidently say I will never see anything new or exciting on the show floor again. Life works in increments, not leaps. Yes, new and exciting things in security do happen, but I hear about them in private conversations or even the occasional session, not on the show floor.

Containers are the Fourth Cloud 

Kubernetes, AKA K8s, AKA Kubes may nearly always be the wrong choice for organizations not named Google, but that doesn’t stop anyone. Kubernetes is very complex to both implement effectively and secure correctly. Bear in mind, I am neither anti-containers nor anti-Kubernetes (we use it a bunch in our free Policy Analyzer tool). But I consistently see organizations increase costs, complexity, and risk by using Kubes when a simpler container option is a better fit, or poorly implementing the technology. 

But after you topple me from my soapbox, it is abundantly clear that Kubernetes is here to stay and is effectively the Fourth Cloud Platform (after AWS, Azure, and GCP) due to scale, complexity, and the deep abstraction. Although I’m more likely to visit Rivendell than see a truly cloud agnostic application, adoption is high, benefits can be found, and Kubernetes is becoming ubiquitous in both datacenters and cloud. Security professionals need to get up to speed, understand the technology, and learn how to secure it. 

Risk-Misaligned Security is a Great Way to Waste Money 

Pro-tip: you don’t need to encrypt everything, you don’t need to apply the same security controls to every single environment, you can let dev teams have sandbox cloud accounts, and changing passwords every 90 days when you have MFA in place is just annoyingly pandering to auditors. 

How does this rant relate to RSAC? 

I saw two things at the show that triggered this observation. The first was the positioning of many products on the show floor. There was no shortage of FUD (and there will never be a shortage of FUD) and if you bought only one product in every represented category you would probably spend more money than someone recently lost buying and breaking a certain social media platform.  

That said, I also had, heard, or overheard plenty of conversations where people were looking for products in categories without aligning them to the actual risk and threat models for their organization in general, and their application stacks in particular. This has been a huge problem in cloud from the start: a focus on solutions before understanding the underlying problem.

You only have $10. What fraction of that do you want to spend encrypting everything in cloud vs. encrypting only the things that matter, using the encryption technique that will stop the threat as defined in the threat model? And what’s left over for IAM defenses, which is maybe/probably the much higher risk?

The RSA Conference has absolutely improved since I started attending over 20 years ago. The content is generally much stronger, the attendees that go to sessions (and not just the show floor) represent the wide range of our profession, and it is absolutely a great opportunity to learn, exchange ideas with your peers, meet with existing partners and check out new vendors. 
