The image of a cockpit always struck me as overwhelming. So many knobs and whistles of different shapes and sizes. Do pilots really need all those options at arm’s length? On every flight? And how do they verify that they’re all in the right position before takeoff?
Today’s enterprises have tens of millions of these — or, rather, their digital equivalent: configuration. The cloud and software as a service (SaaS) are now ubiquitous, and they brought with them countless choices to make. Unlike aircraft, we do not have standards and procedures to ensure each and every toggle is switched to the right position. It is no wonder that misconfiguration continues to be the leading cause of cloud security issues.
Opaque Configurations
Commercial aircraft have thorough manuals that detail the function and implications of each and every toggle in that cockpit. For cloud and SaaS, you’ll typically find a one-line explanation hidden on an obscure documentation page. If you’re lucky, that short snippet is meaningful and still up to date. In most cases, however, you aren’t that lucky — the docs were written three years ago and the service is now vastly different. Entire companies are built on the premise of having a team of experts to figure out what these toggles do. They reverse-engineer, poke around, and brute-force their way to capture the meaning of each configuration.
In the SaaS and platform-as-a-service (PaaS) worlds, things become even worse. You never really have a full understanding of how things are built under the hood, so building an intuition about which knob does what becomes a guessing game.
Distributed Choice
A cockpit is managed by the captain and first officer, two highly trained professionals with well-defined responsibilities. They are sometimes backed up by the flight engineer, a well-oiled human machine who triple-checks that everything is in order. For cloud and SaaS, it’s the Wild West. People across the enterprise make configuration choices every day — or, worse, fail to make them and leave an insecure default on.
It’s not just your cloud developers and SaaS admins, even though they have received most of the attention. Business users are making those choices, too. They leverage low-code/no-code to build and customize their business processes, making configuration choices by the dozens as they go.
Security teams have this problem, too. Can you really say your security stack is 100% optimized and correctly configured? How many incidents could have been prevented by a technology deployed in audit mode rather than enforcement mode?
Constant Change
Imagine what would happen if the cockpit changed its toggles — their functionality, their implications, or just their appearance — every quarter. Now imagine it changes multiple times a day.
Continuous delivery is the holy grail of enterprise cloud and SaaS companies hoping to move fast. We have given permission to vendors to change their offerings under the hood as much and as fast as they can. This is a good thing, mostly, because this is how excellent software gets built. However, applying that same principle to the user interface means configuration can change at an alarming rate. The meaning of an existing configuration could change as well, making it much more difficult to understand what’s going on.
Even if configuration options are the same, the enterprise environment is ever-evolving. SaaS and cloud resources are connected in different ways. They hold different data subject to different sets of regulations. Risk decisions adapt as the threat landscape changes.
It’s Time for Standards
Public pressure in recent years has forced big vendors to change their insecure defaults, which helps put us all in a better position. S3 buckets are now shut off from the Internet by default. So are Copilot bots built with Microsoft’s Copilot Studio.
Some cloud and SaaS platforms have started publishing recommended configurations for a secure deployment. CISA and other organizations have put out excellent recommendations to follow.
These are, however, all dispersed efforts. Working together through industry standards might be what is needed to finally make a real impact in reducing the ever-growing risk of misconfiguration.