Security Risks and Automated Solutions
March 8, 2016 | DevOps | joanna mastrocola
The Cloud Security Alliance recently released the Treacherous 12, its list of the top cloud computing threats of 2016. Its goal in creating the piece is to help enterprises mitigate risk and come up with security solutions that defend against the most pressing security issues of the coming months. Although security experts warn about these risks, few companies take concrete steps to avoid them, and security breaches occur as a result. It is therefore important not only to craft a security plan, but also to follow it, keeping automation, access management, and secrets rotation in mind.
A key theme throughout the entire article is the need for automation. The authors stress the importance of proper identity, credential, and access management. These are practices that all organizations must be particularly mindful of, as data breaches can arise from a lack of scalable access management and a lack of key and secret rotation.
As your enterprise grows, new people will be entering and exiting your infrastructure, and as this happens people will gain and lose access to key secrets. It is imperative that you have systems in place to make provisioning and deprovisioning access to secrets easy and scalable. Data breaches often occur when security solutions are not built to scale. The solution you use when you have only ten employees is often very different from the solution you will need when you hit ten thousand. It is relatively easy to know who has access to what when you only have a handful of users; however, the difficulty of this task increases dramatically as teams and infrastructures expand.
An automated security solution that scales is imperative to your security strategy. This way, you don’t need to worry about replacing solutions as your company grows, and you can concentrate on innovation and expansion rather than administrative security tasks. It is crucial to have a definitive understanding of who has access to what, and when, or you risk the security of your entire organization. As users enter and exit your infrastructure, former employees must no longer have access to sensitive data, and current employees should only have access to the secrets they need. Automated credential management is necessary to ensure that malicious actors don’t gain unauthorized access to secrets that can damage the organization.
Rotating secrets is crucial to avoiding a cybersecurity breach. Be sure to set policies that dictate when secrets must be rotated and passwords changed, so that this sensitive data is not left vulnerable. Automated secrets rotation guarantees that employees aren’t bogged down with constantly tracking these changes, and that there are no internal slip-ups when it comes to making sure secrets remain secure.
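As an added illustration of the two checks the preceding paragraphs call for (access that lingers after someone leaves, and secrets that have outlived their rotation policy), here is a small Python audit over a constructed access inventory. The secret names, roster, policy ages and dates are invented for this example; they are not from the article or the CSA report.

```python
from datetime import datetime

# Constructed sample data (not from the article): each secret with the set of
# people who hold it and the date it was last rotated.
INVENTORY = {
    "prod-db-password": {"holders": {"alice", "bob", "carol"}, "rotated": "2016-01-10"},
    "ci-deploy-key":    {"holders": {"bob"},                   "rotated": "2016-03-01"},
    "cloud-api-key":    {"holders": {"alice", "dave"},         "rotated": "2015-11-20"},
}
# Current employee roster: carol has left the company but still holds a secret.
ROSTER = {"alice", "bob", "dave"}
# Rotation policy: maximum allowed age of each secret, in days (hypothetical values).
POLICY_MAX_AGE_DAYS = {"prod-db-password": 30, "ci-deploy-key": 90, "cloud-api-key": 60}
# Fixed "today" so the audit result is reproducible.
TODAY = datetime(2016, 3, 8)


def stale_access(inventory, roster):
    """Return {secret: sorted list of holders no longer on the roster}."""
    return {name: sorted(entry["holders"] - roster)
            for name, entry in inventory.items()
            if entry["holders"] - roster}


def rotation_overdue(inventory, policy, today):
    """Return {secret: days past its policy deadline} for secrets rotated too long ago."""
    overdue = {}
    for name, entry in inventory.items():
        age = (today - datetime.strptime(entry["rotated"], "%Y-%m-%d")).days
        if age > policy[name]:
            overdue[name] = age - policy[name]
    return overdue


def audit(inventory, roster, policy, today):
    """Run both checks; every entry returned needs deprovisioning or rotation."""
    return {
        "stale_access": stale_access(inventory, roster),
        "rotation_overdue": rotation_overdue(inventory, policy, today),
    }


if __name__ == "__main__":
    # Expected: carol still holds prod-db-password; prod-db-password and
    # cloud-api-key are 28 and 49 days past their rotation deadlines.
    print(audit(INVENTORY, ROSTER, POLICY_MAX_AGE_DAYS, TODAY))
```

In practice the inventory and roster would be pulled from the secrets store and the identity provider rather than typed in, and the audit would run on a schedule so that findings trigger deprovisioning or rotation automatically.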
The piece also cautions enterprises that are evaluating new cloud providers and solutions to gain a complete understanding of those providers’ security protocols and daily processes, to make sure they fit the enterprise’s own security goals and regulations. Although additional tools are often necessary, it is crucial to understand how they work and which systems they rely on, so that they do not expose your infrastructure to new vulnerabilities.
The article states, “Credentials and cryptographic keys must not be embedded in source code or distributed in public facing repositories such as GitHub, because there is a significant chance of discovery and misuse.” It then gives an example in which hackers found cloud service provider credentials in a GitHub project; those credentials were taken and misused within a few days. Although there are plenty of examples of security incidents caused by mishandled secrets, these mistakes are still made, and real data breaches occur because of them.