Security teams need to understand that cloud infrastructure radically differs from data center infrastructure. The vulnerabilities, attack patterns, and security solutions are all different.

The cloud isn’t just a remote data center in the sky. Developers and DevOps engineers build their cloud infrastructure when they need to and can make (and change) infrastructure decisions on-the-fly, including security-critical configurations. Each change brings new risk of a misconfiguration that leaves cloud environments and data open to attack, and make no mistake about it — the bad guys will find it.

This represents a sea change in the security team’s role and how they go about securing the cloud. Attackers don’t traverse traditional networks that security teams can monitor with familiar solutions, such as intrusion detection and network security tools.

When developers build applications in the cloud, they’re also building the infrastructure for their applications, as opposed to waiting on IT teams to get them the physical infrastructure they need. That process gets done now with code, meaning the basic mechanism of communication in cloud computing is the application programming interface (API) — the software “middleman” that let different applications interact. This eliminates a fixed IT architecture requirement in a centralized data center.

It also means the traditional data center security model — erecting an outward-facing barrier around the network perimeter to block incoming attacks — does not apply in the cloud.

In an entirely software-defined world, the security team’s role becomes that of the domain experts who impart knowledge to the people building applications — the developers — to ensure they’re working in a secure environment. This dissemination of knowledge gets done with policy as code (PaC), which enables developers to express security and compliance rules in a programming language that an application uses to check the correctness of configurations.

PaC checks other code and running environments for unwanted conditions for anomalies. It empowers all cloud stakeholders to operate securely without ambiguity or disagreement on the rules and how to apply them at both ends of the software development life cycle (SDLC).

The security team must also shift its mentality from trying to detect intrusions as they occur. That’s just not feasible in the cloud. By the time they spot any suspicious activity, the hackers will have taken what they want and slipped away. Prevention has become the only hope in cloud security because the hacks are too fast and difficult to notice in real time.

Here are 10 questions that every cloud security team must answer to secure their cloud environment and data effectively:

  • How well do we understand our cloud environment and use cases? Cloud security teams can’t do their job if they don’t work closely with developers and DevOps teams to understand the architecture of their cloud environment, the applications the infrastructure supports, the data involved, and the SDLC for the infrastructure.
  • How out of compliance is our environment? This has become a fundamental question, but an important one. Determining the answer requires regularly reviewing the organization’s security policies and regulatory compliance standards. Most enterprise environments are short of compliance, so build a prioritized remediation plan that lays out the specific steps and timeframe for bringing the cloud environment into compliance.
  • How many misconfigurations do we see? The answer will depend on the size and complexity of the cloud environment, but it matters with regard to risk and the engineering resources required to manage it. Enterprise scale cloud environments can experience dozens or hundreds of misconfiguration deployments every day. Put processes in place to quickly identify them and prioritize by severity, and then tie these issues back to IaC so the team can streamline remediations.
  • Are we decreasing the rate of misconfigurations? Cloud security can become an endless game of whack-a-mole unless teams take steps to prevent misconfigurations earlier in the SDLC, including continuous integration and continuous delivery (CI/CD) guardrails and IaC checks. Knowing which vulnerabilities were discovered and remediated stands as just one piece of the holistic security puzzle. The team will also want to know what proactive steps are being taken right now to reduce the frequency of misconfigurations deployed by checking IaC in development and in CI/CD pipelines.
  • How could hackers attack the environment? Every major cloud breach involves attackers compromising the cloud API control plane for discovery, movement and extraction. Security teams must understand how these attacks happen and protect against them with secure architecture design. Think like a hacker to understand the potential blast radius of any initial penetration into your environment.
  • Are we properly rotating cloud API keys? The API control plane functions as the collection of APIs used to configure and operate the cloud. Attackers covet API keys they can use to exploit cloud environments, and these are often left in many places, including source code and on disks. Rotating API keys regularly has become one of the quickest ways to help guard against this risk, but coordinate closely with application teams when making changes to key rotation.
  • Can we respond to a zero-day event? Attackers don’t adhere to the arbitrary boundaries we tend to draw around parts of our system. They move freely between application and infrastructure layers to get what they’re after. Security teams need a clear line of sight up and down the tech stack to get full context of their security posture and immediately identify the blast radius risk of any vulnerability when it surfaces.
  • How are the company’s cloud security policies expressed? If security policies live in rulebooks and checklists, the company then demands that its team members memorize rules. This increases the risk of human error. Express all policies in PaC to eliminate any ambiguity and differences in interpretation and automating enforcement.
  • Are we holding other teams back? Security has become the No. 1 rate-limiting factor for how fast teams can go in the cloud and the success of digital transformation efforts. It’s not enough to ensure everyone’s operating safely in the cloud — security teams need to help the organization move faster. Regularly measuring developer throughput will help identify delays because of manual security review and approval processes that stunt developer productivity levels.
  • Do we have what we need to succeed? Effective cloud security requires the right tools, the right skills (particularly cloud engineering and architect skills), and an all-hands-on-deck approach across teams and cost centers, including the C-suite. The team can only succeed with senior executives supporting developers and security with adequate investments of both budget and time.

Companies need to set up the work of securing a company’s cloud infrastructure as a constant, never-ending process, like an ongoing fitness routine. Implement a policy requiring consistent reporting about the organization’s cloud security posture. Security teams will find this easier to do once they’ve adequately answered and addressed these 10 questions.

Josh Stella, chief architect, Snyk