This past week I read a pretty interesting article, posted on SiliconANGLE, about vulnerabilities found in cloud applications. It had the unfortunate title of: "Report finds 34M vulnerabilities across AWS, Google Cloud and Azure".
This was compounded by the lead-off sentence, which is as follows:
A new report from Unit 42, the threat intelligence team at Palo Alto Networks Inc. has uncovered 34 million vulnerabilities across leading cloud service providers, highlighting that organizations are struggling with securing cloud installations.
In the first half of 2019, there were 21 headline-grabbing incidents involving public cloud platforms. Unfortunately, consumers of IaaS and PaaS cloud services continue to struggle with getting the basics of security right. (Emphasis supplied…)
I have no way of determining if the title posted on SiliconANGLE was intentionally misleading, or if they simply missed the point of the Palo Alto report, but we live in an age where headlines are designed to capture interest — no matter what the cost.
The point of the report was this: The customers of the major cloud services (Amazon AWS, Microsoft Azure and Google Cloud) are running a whole lot of vulnerable infrastructure and applications. This is due to organizations — new and old — not properly managing the life cycle of their own applications, and also not managing patches and configurations for operating systems and third-party applications and virtual devices.
And it’s not going to get better before it gets much worse. We (as a society) are still more interested in features, functionality and revenue than we are in managing risk or protecting privacy and data. Sadly, the relationship between security and revenue preservation is often lost in the shuffle. It is certainly possible to acquire revenue by paying little (or cursory) attention to security, but that’s not a successful formula for keeping your revenue.
Many fear that the cloud is unsafe. We don’t see many major breaches occurring to the cloud providers, though. We do see breaches occurring to cloud users and self-hosted users. That should tell us something.
The issue is with the cloud customers, not the cloud providers.
And certainly, while the cloud providers are just as interested as anyone else in providing new features and new reasons to get more money, I am not about to put the onus on them for making sure their customers are secure. They offer enough tools and guidance as it pertains to security.
It is the customers who don’t seem to understand that they have a major responsibility for security no matter where they are hosting their data. Being in the cloud just makes it easier for “bad actors” to find them. But there are plenty of organizations being breached while not using the public cloud. At the end of the day, it is the responsibility of the cloud customer to make sure their infrastructure, applications and data are secure.
Remember: No matter how much security your cloud provider implements for itself or offers its customers, the level of security you and your applications or infrastructure experience is directly tied to the following:
- How much of your cloud provider’s security offerings you implement
- How well you manage your own configurations
- How well you perform your own patch management
- How well you implement vulnerability management
- How well you regulate your change management and life cycle management processes
- How intrinsic your security processes are to your operational activities
In short, how secure you are depends on how well you do security.
So, how many of those 34 million total vulnerabilities belong to you?