One Small Error by DevOps, One Giant Opening for Attackers


When you look at breach statistics in today’s cloud-dominated IT world, you can see several examples where a small error made by the DevOps or CloudOps team has led to a tremendous impact on businesses’ reputations or, in some cases, their existence. Misconfigured AWS S3 buckets, poor password management on publicly exposed databases and secrets inadvertently exposed by developers on GitHub are some examples of these mishaps. It is not uncommon to see misconfigurations and unpatched vulnerabilities pave the way for attackers.


For example, during one of IBM X-Force’s AWS cloud penetration testing engagements, researchers exploited a server-side request forgery vulnerability in a web application under development, which allowed them to reach the EC2 instance metadata service and steal the access keys used by the web server EC2 instance. The CloudOps team had inadvertently granted full access to an S3 bucket via this instance profile, effectively giving the researchers full access to the sensitive information stored in that bucket.
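The instance-profile mistake in that engagement is a policy-review problem as much as an SSRF problem: the role attached to a web server rarely needs more than read access to a narrow prefix. As an added example (not code from the article, IBM X-Force or AWS), the Python check below flags Allow statements in an IAM policy document that grant S3 access more widely than a single-purpose workload should have. Both policy documents, the bucket name and the account id are constructed for the illustration.

```python
"""Flag over-broad S3 grants in an EC2 instance-profile IAM policy (added example)."""
from __future__ import annotations

import json

# Constructed sample: the shape of instance-profile policy the article describes,
# giving the web server role full control of a bucket. Names are hypothetical.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteAppLogs",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/example-app:*",
        },
        {
            "Sid": "FullBucketAccess",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
        },
    ],
}

# Constructed sample of what the same role needs if the web server only serves
# objects under one prefix of that bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadPublicAssets",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-app-data/public/*",
        }
    ],
}

# S3 action prefixes that change or destroy data or bucket configuration.
MUTATING_PREFIXES = ("s3:put", "s3:delete", "s3:create", "s3:restore", "s3:replicate")
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_whole_bucket(resource: str) -> bool:
    """True for 'arn:aws:s3:::<bucket>/*', i.e. every object in the bucket."""
    if not resource.startswith(S3_ARN_PREFIX) or not resource.endswith("/*"):
        return False
    bucket_and_prefix = resource[len(S3_ARN_PREFIX):-2]  # drop the trailing '/*'
    return "/" not in bucket_and_prefix  # a key prefix would contain a '/'


def find_broad_s3_grants(policy: dict) -> list[dict]:
    """Return one finding per Allow statement whose S3 grant is wider than a
    single-purpose workload should carry. An empty list means nothing was flagged."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        s3_actions = [a for a in actions if a == "*" or a.lower().startswith("s3:")]
        if not s3_actions:
            continue
        resources = [r for r in _as_list(stmt.get("Resource")) if isinstance(r, str)]
        reasons = []
        if any("*" in a for a in s3_actions):
            reasons.append("wildcard action")
        if any(a.lower().startswith(MUTATING_PREFIXES) for a in s3_actions):
            reasons.append("mutating action")
        if any(r in ("*", S3_ARN_PREFIX + "*") for r in resources):
            reasons.append("wildcard resource (all buckets)")
        if any(_covers_whole_bucket(r) for r in resources):
            reasons.append("all objects in bucket")
        if reasons:
            findings.append({
                "index": index,
                "sid": stmt.get("Sid"),
                "actions": s3_actions,
                "resources": resources,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD_POLICY),
                         ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: {json.dumps(find_broad_s3_grants(policy), indent=2)}")
```

Run against the first policy, the check reports the `FullBucketAccess` statement (wildcard action, every object in the bucket) and nothing for the second. A check like this belongs in the pipeline that creates or updates instance profiles; on the instance side, requiring IMDSv2 session tokens limits what a plain SSRF against the metadata service can retrieve, since the token must first be obtained with a PUT request.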


Since the cloud’s inception, solutions offered by cloud service providers (CSPs) have enabled businesses to innovate faster and minimize the time it takes to develop and deploy production applications, but this process is associated with an additional element of security risk. CSPs may be responsible for securing their cloud platforms, but businesses are responsible for securing the data in those platforms, which can be a challenging task.


The Struggles of Cloud Adoption


When cloud adoption first began, many companies started their cloud journey with the Infrastructure-as-a-Service offerings from CSPs, the upside being the level of control they retained over the infrastructure. With time, adopters began realizing that maintaining their cloud infrastructure was getting too complex and time-consuming, which led to a shift to Platform-as-a-Service (PaaS) of ..
