Page 122 - Cyber Defense eMagazine for July 2020
For DivvyCloud and plenty of other organizations, real-time communications platforms like Slack and Teams have been invaluable for navigating the work-from-home experience, and we can expect to see a heightened demand for these tools even once this pandemic subsides. Additionally, organizations will need to focus on identity and access management in their cloud infrastructure. This will ensure employees are able to securely access the tools and resources they need to do their jobs while thwarting fraudulent unauthorized attempts from bad actors.”
Choosing between security and innovation in the cloud will continue to be a common, avoidable pitfall:
“Nearly 50% of developers and engineers bypass cloud security and compliance policies and just 58% of organizations have clear guidelines for developers building applications in the public cloud. Developers work hard and fast to deploy new features and services to meet market demands, but without the proper guardrails in place, this can lead to misconfigured cloud instances, severe security flaws, and more.

In fact, in early April, it became publicly known that Zoom’s engineers bypassed common security features, such as not requiring users to add unique file names before saving their videos. While this allowed Zoom to support its exponential jump in demand (from 10 million daily users in December 2019 to over 200 million in March 2020), it also resulted in errors such as thousands of users’ videos being made publicly accessible on unprotected Amazon buckets. This news added to a string of other privacy concerns around Zoom. DevOps and security must be completely in sync to avoid similar pitfalls.”
Engineers will begin to tackle cloud security flaws earlier in the build pipeline:
“Security and compliance practices have been mainly reactive, with teams scrambling to catch security/compliance flaws after cloud resources are built. But as anyone in that position can attest, there’s no putting the genie back in the lamp. Instead, engineers will need to focus on how “to-be-built” infrastructure or changes will affect the security and compliance of their cloud footprint while they are still in the continuous integration/continuous deployment pipeline.

For example, Zoom’s CEO pledged to shift the company’s engineering resources to proactively address issues with measures such as a third-party review of changes before they’re made, white box pen tests to further identify and address issues, and upgrading Zoom’s encryption scheme to AES 256-bit GCM encryption. Other organizations will leverage capabilities such as Infrastructure as Code security to build a virtual data model of what would have been built and either affirm or deny the compliance of proposed changes while also warning engineers of potential violations, thus giving them the opportunity to learn from the experience and incorporate learnings into future projects.”
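One way to implement the pre-deployment check the quote describes, as an added example that is not DivvyCloud's or Zoom's code: it evaluates a constructed Terraform-plan-style model of to-be-built resources against storage-bucket policy rules and either approves the change or returns the violations an engineer would be warned about. The `resource_changes` shape and the attribute names follow Terraform's plan JSON and the AWS provider's S3 resources; the sample plan and the rule set are assumptions made for this example.

```python
import json

# Constructed sample in the shape of `terraform show -json` output (assumption:
# only the fields used below are modelled). It proposes a world-readable
# recordings bucket, a weak public-access block, and a logs bucket with no block.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.recordings", "type": "aws_s3_bucket",
     "change": {"actions": ["create"],
                "after": {"bucket": "meeting-recordings", "acl": "public-read"}}},
    {"address": "aws_s3_bucket_public_access_block.recordings",
     "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"],
                "after": {"bucket": "meeting-recordings", "block_public_acls": False,
                          "restrict_public_buckets": True}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"],
                "after": {"bucket": "access-logs", "acl": "private"}}},
]})

def check_bucket_acl(res):
    """Deny buckets whose canned ACL would make objects world-readable."""
    acl = res["change"]["after"].get("acl", "private")
    if acl in ("public-read", "public-read-write"):
        return f"{res['address']}: acl={acl} exposes objects publicly"

def check_public_access_block(res):
    """Warn when any of the four public-access-block switches is left off."""
    after = res["change"]["after"]
    off = [k for k in ("block_public_acls", "ignore_public_acls",
                       "block_public_policy", "restrict_public_buckets")
           if not after.get(k)]
    if off:
        return f"{res['address']}: public access block leaves {', '.join(off)} disabled"

RULES = {"aws_s3_bucket": [check_bucket_acl],
         "aws_s3_bucket_public_access_block": [check_public_access_block]}

def evaluate_plan(plan_json):
    """Return (approved, violations) for the resources that would exist after the plan."""
    # Resources that are only deleted will not exist afterwards, so skip them.
    live = [r for r in json.loads(plan_json)["resource_changes"]
            if r["change"]["actions"] != ["delete"]]
    violations = [msg for r in live for rule in RULES.get(r["type"], [])
                  if (msg := rule(r))]
    # Cross-resource rule on the modelled footprint: every bucket needs a block.
    buckets = {r["change"]["after"]["bucket"] for r in live if r["type"] == "aws_s3_bucket"}
    blocked = {r["change"]["after"]["bucket"] for r in live
               if r["type"] == "aws_s3_bucket_public_access_block"}
    violations += [f"bucket {b}: no public access block attached" for b in sorted(buckets - blocked)]
    return (not violations, violations)
```

Running `evaluate_plan(SAMPLE_PLAN)` denies the change with three findings; wiring the function into the CI stage that runs `terraform plan` fails the build before anything is created.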
IAM is (and will continue to be) the primary perimeter in cloud security:
“All users, apps, services, and systems in the cloud have an identity, and as organizations shifted to remote styles of work, they quickly learned that these relationships are complex. Understanding the full
Cyber Defense eMagazine – July 2020 Edition 122
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.