Does Cloud Automation Create New Vulnerabilities for the Enterprise?
June 6, 2017 | Security and Risk | Chris Smith
While cloud automation can help organizations become significantly more agile and improve security, it can also expand the enterprise attack surface, creating new vulnerabilities and risks in what becomes an increasingly dynamic and complex environment. It’s important to understand and address the vulnerabilities that can come with automation.
Organizations have many different reasons and roadmaps for their migration to the cloud. While some have an “all-in” strategy, most migrate to the cloud over time, moving individual business activities and applications as needed. Automation needs vary based on the enterprise’s cloud strategy and drivers.
Common Drivers for Cloud Adoption
Three of the most common drivers for cloud adoption include cost savings and efficiency, access to on-demand computing, and increased agility.
To achieve cost savings, some enterprises take a “forklift approach” and simply move their apps from their on-premises data center to the cloud, then shut down their data centers. In this scenario the enterprise does not take full advantage of the dynamic capabilities offered by cloud computing and consequently requires only minimal automation. To achieve much greater efficiency, organizations need to re-architect and replace applications rather than simply move them. That agility requires a high level of automation, as noted in the third scenario below.
It’s increasingly common that enterprises want access to on-demand computing. This provides rapid access to significant computing capacity, such as for big data and analytics. To achieve this, application instances are created instantly to meet the demands of the business. It’s automation that makes this possible, assigning and securing the required credentials and privileges when each new instance is created.
The third scenario is all about agility — enabling the enterprise to develop and deploy applications more rapidly to better support customers and evolving market needs. As development practices such as Continuous Integration and Continuous Delivery (CI/CD) pipelines and DevOps are adopted, developers also leverage orchestration and automation tools to speed software development and deployment. Enterprises with robust CI/CD pipelines may perform multiple, potentially dozens of, code deployments each day using automated processes and tools. Clearly, automation is critical in this scenario.
Potential Vulnerabilities Expand With Automation
From the first of these scenarios to the third, the level of automation required increases. It’s important to understand some of the core vulnerabilities and risks that need to be addressed to protect an organization’s cloud environment.
Regardless of the primary driver for cloud adoption or the level of automation, every organization needs to protect the privileged accounts, credentials and access rights for its cloud management consoles. The consoles are very powerful, and they are used by both humans and automated scripts. Consequently, the console is vulnerable to phishing attacks and is a common entry point for attackers. Additionally, all organizations will need to secure the privileged credentials used to manage the enterprise’s cloud-based infrastructure, including the operating system, database and other resources, as well as any static application credentials embedded in code or configuration.
With on-demand computing, there are additional vulnerabilities to protect. These include, for example, any dynamically assigned application credentials, API keys, and cloud secrets as well as the privileged credentials established when new application instances are created with auto scaling or other orchestration tools. When each new instance is created with auto scaling, it will need privileges to access other applications and resources, and this access must be automatically secured.
In the market agility scenario, not only must the vulnerabilities and risks described in the earlier examples be addressed, but also the privileged credentials and secrets associated with the CI/CD pipeline, including all the administrative consoles for orchestration and other tools. The trust relationships must be fully automated as well, by automatically storing, retrieving and managing secrets and credentials across the pipeline.
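The on-demand and pipeline scenarios above share one requirement: a newly created instance or CI job must obtain the privileges it needs without a static credential being baked into the image or script. The following is an added illustration of that pattern, written for this post; it is not CyberArk’s or Conjur’s code, and the class and method names (Broker, issue_bootstrap_token, redeem, verify, revoke), the role names and the instance ids are all constructed for the example. The orchestrator requests a single-use, short-lived bootstrap token when it launches an instance; the instance redeems that token once for a scoped, time-bound credential; every consumer verifies the credential’s signature, scope, expiry and revocation state before granting access. The same broker serves a pipeline job that needs secrets for one stage.

```python
"""Illustrative short-lived credential broker for autoscaled instances and
CI jobs (added example, not CyberArk or Conjur code).

Pattern shown:
  1. The orchestrator asks the broker for a single-use bootstrap token at
     launch time, tied to a role and valid for only two minutes.
  2. The new instance redeems that token for a scoped credential that
     expires after a short TTL. The bootstrap token is consumed on use.
  3. Relying services verify signature, scope, expiry and revocation.
  4. Termination hooks revoke the credential so it dies with the instance.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Broker:
    # Signing key stays inside the broker; nothing outside it can mint credentials.
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # bootstrap token -> (role, expiry time). Removed on first redemption.
    bootstrap_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    # Credential ids (jti) that have been revoked, e.g. on instance termination.
    revoked: Set[str] = field(default_factory=set)
    bootstrap_ttl: int = 120    # seconds a bootstrap token may sit unused
    credential_ttl: int = 900   # seconds a redeemed credential remains valid

    def issue_bootstrap_token(self, role: str, now: float) -> str:
        """Called by the orchestrator when it launches an instance for `role`."""
        token = secrets.token_urlsafe(24)
        self.bootstrap_tokens[token] = (role, now + self.bootstrap_ttl)
        return token

    def redeem(self, bootstrap_token: str, instance_id: str, now: float) -> Optional[str]:
        """Exchange a bootstrap token, exactly once, for a scoped credential."""
        entry = self.bootstrap_tokens.pop(bootstrap_token, None)  # single use
        if entry is None:
            return None
        role, expires = entry
        if now > expires:
            return None  # stale token: the instance took too long to boot
        payload = {
            "sub": instance_id,
            "role": role,
            "iat": int(now),
            "exp": int(now + self.credential_ttl),
            "jti": secrets.token_hex(8),
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _payload(self, credential: str) -> Optional[dict]:
        """Return the payload only if the signature is intact."""
        try:
            body, sig = credential.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def verify(self, credential: str, required_role: str, now: float) -> bool:
        """A relying service calls this before granting access to a resource."""
        payload = self._payload(credential)
        if payload is None:
            return False
        if payload["jti"] in self.revoked:
            return False
        if now >= payload["exp"]:
            return False
        return payload["role"] == required_role  # least privilege: exact scope match

    def revoke(self, credential: str) -> bool:
        """Termination hook: invalidate the credential before its natural expiry."""
        payload = self._payload(credential)
        if payload is None:
            return False
        self.revoked.add(payload["jti"])
        return True


if __name__ == "__main__":
    broker = Broker()
    t0 = 1_000.0
    token = broker.issue_bootstrap_token("payments-reader", now=t0)
    cred = broker.redeem(token, "i-0a1b2c3d", now=t0 + 10)   # constructed instance id
    print("scoped access:", broker.verify(cred, "payments-reader", now=t0 + 20))
    print("wrong scope:  ", broker.verify(cred, "payments-admin", now=t0 + 20))
    print("token reuse:  ", broker.redeem(token, "i-other", now=t0 + 11))
```

The design choice worth noting is that the bootstrap token and the credential have different lifetimes: the former only needs to survive the boot window, the latter the instance’s working session, and both are bounded so a leaked value loses its worth quickly. In a production system the orchestrator’s call to the broker would itself be authenticated and the instance identity would be attested by the cloud platform rather than self-asserted as it is here.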
In summary, as the level of automation increases, the vulnerabilities and the attack surface also increase. Consequently, it is important that organizations are aware of and defend against the vulnerabilities that can come with automation.
At CyberArk we’re focused on solutions to secure the privileged accounts and credentials required to manage the enterprise’s cloud and automation environments. For example, we’ve integrated CyberArk with orchestration and other tools to support automated trust relationships, and we’re focused on meeting the needs of development teams and DevOps with CyberArk Conjur.
No matter where you are in your enterprise’s cloud journey or the level of automation you are using, you will need to implement robust privileged account security policies to protect your cloud assets. For additional information visit cyberarkvx.staging.wpengine.com/cloud.