Observability is security’s way back into the cloud conversation
In this Help Net Security interview, Esteban Gutierrez, CISO and VP of Information Security at New Relic, discusses how the adoption of cloud infrastructure is outpacing security readiness. He shares strategies for overcoming common misconfigurations and optimizing access controls in the cloud.
Do you think the speed and scale of cloud adoption have outpaced organizations’ ability to configure and manage their environments properly? Why or why not?
The speed and scale of not only cloud adoption but also the business pressure driving adoption have challenged most organizations, inhibiting them from managing their environments properly. In the race to understand, adopt, innovate, and find value in SaaS apps and cloud environments, organizations are letting standards and governance slip. Security teams are sometimes brought late to the table and are unable to apply their expertise to ensure the company’s product goals, innovations, and releases are secure. When companies consult security teams after development is complete, their traditional conservative perspective can be overly restrictive.
From a bird’s-eye view, this position can be an obstacle to company and product innovation. One way out of this impasse is for security teams to conduct their security evaluations during development instead of being queried after the fact. In addition, observability can help security teams address their concerns about errors in configurations, access control lists, and the location of the data.
The visibility that observability provides enables security pros to see the exact data being interacted with and determine their cloud configuration recommendations during the development phase. By working alongside each other with the right tools, all teams can collaborate to meet the requirements of new initiatives. Overall, observability helps security teams become enablers rather than obstructors.
Can you share examples of unexpected or less obvious misconfigurations that tend to be overlooked, perhaps due to complexity or gaps in tooling?
Misconfigurations can sometimes be the result of a lack of awareness or knowledge. Any employees who introduce new SaaS applications or other third-party tools into a company can now be considered system administrators, even if they have no IT or technical experience. These employees often take on the role of configuring new user accounts, assigning roles, and making choices about data encryption or retention, unaware that a company may have standards or policies to follow. This is especially true if they sign up without going through standard finance and vendor intake processes and simply use a credit card or free service. As a result, they may open up a backdoor to corporate data or the business.
Access control is often cited as a key area of concern. What best practices do you recommend for implementing least privilege and avoiding overly permissive settings in the cloud?
The amount of access given to other systems creates more touchpoints that require corresponding due diligence. Put simply, permissiveness enables more opportunities for things to go wrong. At a minimum, organizations should implement multi-factor authentication (MFA) and single sign-on (SSO).
Just those two controls alone can thwart a great number of common credential attacks. SSO also simplifies user onboarding and offboarding. At best, organizations should centralize as much of the life cycle of access management and control as possible to an IT or Enterprise Identity and Access Management (EIAM) team.
Can you explain the concept of “blast radius” in the context of a cloud misconfiguration and how teams can design systems to contain or minimize it?
Cloud misconfiguration can leave enterprises vulnerable to more damage from an incident. If an infrastructure cloud environment is configured as a single flat network with access to everything, the impact of the incident can become unnecessarily amplified. Instead, a segmented cloud environment configuration can contain the “blast” (i.e., incident) much better. Similarly, poor authentication practices such as password reuse or not changing default passwords after application installs can also increase the blast radius by allowing an attack to spread across applications and systems.
What’s your advice for security teams struggling to keep up with the changes in cloud infrastructure? Where should they prioritize their efforts?
Security teams must do the work of taking a seat at the table well in advance of organizational efforts to roll out cloud infrastructure. This means becoming proficient in the technologies and approaching the business with solutions to common challenges.
Frequently, security teams will default to overly restrictive policies, which can negatively impact internal business processes, add an undue burden of friction, or cause delays to launch plans. Security teams should develop an understanding of key cloud technology paradigms such as DevSecOps integrations, infrastructure as code, and compliance as code to help IT and engineering teams develop methods to build and manage cloud infrastructure and make it easy to do the right, and more secure, thing. This approach enables security teams to help organizations avoid common pitfalls such as the exposure of misconfigured S3 storage buckets or API interfaces intended for internal backend services.
Further, observability provides a precise understanding of how services and data need to be handled from a security perspective, allowing security teams to provide proactive collaboration across the enterprise. In addition, observability’s real-time monitoring and automation capabilities can help proactively detect and mitigate risks in cloud configurations.
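The answer above names compliance as code and misconfigured S3 buckets as a typical pitfall. The following is an added example, not part of the interview and not New Relic's code, of what a compliance-as-code check for that pitfall looks like: it evaluates a bucket's public-access-block settings, bucket policy and ACL and reports public exposure. The inputs are constructed dicts modelled on the shapes the AWS S3 API returns for GetPublicAccessBlock, GetBucketPolicy and GetBucketAcl; no AWS calls are made, and the bucket names and ARNs are invented.

```python
"""Compliance-as-code check for S3 public exposure.

Added example (not from the interview or New Relic). Inputs are constructed
dicts shaped like the AWS API responses; nothing here talks to AWS.
"""
import json

PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Sids (or positional labels) of Allow statements that grant to everyone with no Condition."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object, not a list
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            hits.append(stmt.get("Sid") or f"Statement[{i}]")
    return hits


def public_acl_grants(acl):
    """'Group:Permission' labels for ACL grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return hits


def check_bucket(name, public_access_block, policy_json, acl):
    """Evaluate one bucket; returns (severity, message) findings, empty when compliant.

    HIGH   = the exposure is effective right now.
    MEDIUM = latent: a public-access-block setting currently neutralises the grant,
             but the grant is still present and goes live the moment that setting is relaxed.
    LOW    = the public access block itself is not fully enabled.
    """
    pab = public_access_block or {}
    findings = []
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(("LOW", f"{name}: public access block incomplete, off: {', '.join(missing)}"))
    for sid in public_policy_statements(policy_json):
        sev = "MEDIUM" if pab.get("RestrictPublicBuckets") else "HIGH"
        findings.append((sev, f"{name}: bucket policy statement {sid} allows Principal '*' unconditionally"))
    for label in public_acl_grants(acl):
        sev = "MEDIUM" if pab.get("IgnorePublicAcls") else "HIGH"
        findings.append((sev, f"{name}: ACL grants {label}"))
    return findings


# Constructed sample inventory (invented bucket names and account id), in the API's shape.
SAMPLE_BUCKETS = {
    "app-assets-dev": {  # classic exposed bucket: no block, public policy and public ACL
        "public_access_block": {k: False for k in PAB_KEYS},
        "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets-dev/*"}]}),
        "acl": {"Grants": [{"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    },
    "billing-exports": {  # public policy left behind but neutralised by the block: latent
        "public_access_block": {k: True for k in PAB_KEYS},
        "policy_json": json.dumps({"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::billing-exports/*"}}),
        "acl": {"Grants": []},
    },
    "cdn-origin": {  # service principal with a Condition: compliant
        "public_access_block": {k: True for k in PAB_KEYS},
        "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "CloudFrontOnly", "Effect": "Allow",
             "Principal": {"Service": "cloudfront.amazonaws.com"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cdn-origin/*",
             "Condition": {"StringEquals": {
                 "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"}}}]}),
        "acl": {"Grants": []},
    },
}


def audit(buckets=SAMPLE_BUCKETS):
    """Run check_bucket over an inventory; returns {bucket: findings}, compliant buckets map to []."""
    return {name: check_bucket(name, **cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for bucket, findings in audit().items():
        print(bucket, "PASS" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

In a real pipeline the same `check_bucket` would run against data pulled from the account (or against the infrastructure-as-code that defines the buckets, before deployment), and a non-empty finding list at HIGH would fail the pipeline; the latent MEDIUM case is the one teams tend to miss, because the bucket looks closed until someone relaxes the public access block. Conditioned grants are deliberately not flagged here, since whether a condition is sufficient needs human review.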