The recent Capital One breach, which compromised sensitive information for 106 million people, including 140,000 Social Security numbers and 80,000 bank account numbers, was executed by a single hacker who exploited a well-known vulnerability in cloud-based SaaS applications: a misconfigured web application firewall (WAF).
According to the FBI criminal complaint, the hacker made a “number of connections or attempted connections to Capital One’s server from TOR exit nodes.” In other words, they started knocking on a bunch of virtual doors until they found one that was unlocked.
Once they were inside the firewall, the entire hack took just three commands: the first obtained security credentials to access Capital One’s folders, the second listed the contents of the folders, and the third extracted the data. But the key vulnerability was the initial unlocked door.
Unfortunately, as enterprises shift to cloud and SaaS technologies, misconfigured cloud services and applications are leaving too many unlocked doors. In a recent 16 Minutes podcast, I covered the importance of enterprises shifting from transitive trust to zero trust security. In this post, I want to discuss how security startups can help enterprises securely transition to cloud and SaaS technologies by providing a single control plane to manage cloud configurations.
With on-premises software, security breaches were typically the result of stolen security credentials or missing software patches. In the 2017 Equifax hack, for instance, hackers accessed the network because a software patch hadn’t been applied. Today, cloud-based software has increasingly automated software patching, making it less of a vulnerability.
The Capital One breach highlights the new security concern for corporations: cloud-based software that is configured with incorrect or overly broad permissions. For Capital One, network access combined with an over-privileged system account enabled a Server Side Request Forgery (SSRF) hack that tricked the storage services into giving the hacker all of the contents stored within a bucket, the most basic container for storing objects and their metadata in the cloud.
In the era of cloud and SaaS, enterprise security starts with getting and maintaining the right permissions and settings across a heterogeneous landscape of software. While cloud and SaaS vendors strive to make individual offerings more secure, the modern enterprise is a multi-cloud environment with a growing number of SaaS tools and applications.
Today, enterprises manage cloud configurations one tool or application at a time. For startups, this is an opportunity to provide security services across cloud vendors.
Most cloud security startups, especially CASBs (cloud access security brokers), tend to follow a similar pattern. They talk to customers and identify a single security feature or collection of features that a single cloud provider does not yet offer. They go deep on AWS or Azure, adding features, such as specific security controls, and selling those to customers. But if a startup can provide value on feature X for a specific cloud vendor and customers want that feature, sooner or later the cloud vendor will provide it natively.
Cloud vendors are incentivized to add security features and controls to their own proprietary platforms. AWS, for instance, has a feature to tell someone if an S3 bucket is available to the public, but it does not have a console to manage the security of Google Cloud or Azure. As a result, enterprises can manage security within each cloud platform, but they do not have a single tool to manage security features across cloud providers and spot configuration issues, and the cloud vendors are not incentivized to provide one.
Thus, instead of going deep on a single cloud vendor, the better insertion point for a security startup is to focus across the landscape and provide enterprises with a single control plane to detect vulnerabilities and consistently manage configurations for all of their cloud infrastructure.
While continuous monitoring and penetration testing are also important for enterprise security, broad configuration analysis is a notable gap in the security market. Identifying where a company needs to adjust security settings in a single console provides one point from which to tighten security across the entire cloud surface. And once an enterprise has the ability to corral its cloud infrastructure and maintain a consistent level of configuration, it can push up the stack and look at compliance.
The burden of configuring cloud-based tools properly falls to the customers, not the vendors – in fact, Gartner goes so far as to predict that 99% of all cloud security failures will be the customer’s fault by 2023. It’s a market problem that is ripe for a solution because:
While enterprises want to be cloud forward, breaches like Capital One’s slow the move to the cloud. Cloud is already a variable infrastructure cost; add the risk of security breaches, and we already see signs that cloud adoption is slowing in financial services and critical infrastructure. The Pentagon is revisiting its decision to pursue JEDI, a $10 billion cloud contract with AWS, and the Federal Reserve is reviewing policies for storing financial data in the cloud.
SaaS and cloud mean enterprises can provision infrastructure on the fly and meet the new demands for customer service and digital experiences. But as long as these technologies create security headaches, our ability to adopt this new enterprise paradigm will be limited by our ability to keep it secure. Now taking pitches for cloud configuration done right.