Why Facebook Outage and Twitch Breach Matter to Business Leaders

Josh Stella, Fugue CEO, Explains to Business and Security Leaders: Is Your Company at Risk of Suffering a Similar Fate? What Should You Do About It?

Download

Loading media player...

In this video, Fugue CEO Josh Stella explains to business and security leaders how companies need to move from a defensive to a preventive posture to secure their cloud infrastructure.

FREDERICK, Md.--()--In brief video explainers and commentary, Josh Stella, co-founder and CEO of Fugue, a cloud security SaaS company, talks to business and security leaders about why outages and breaches like the recent Facebook and Twitch incidents keep happening, how cloud configuration is the new attack surface, and how companies need to move from a defensive to a preventive posture to secure their cloud infrastructure.

This month, Facebook and Twitch both suffered serious damage at their own hands, and every executive needs to understand what happened and how these types of incidents are preventable.

  • At Facebook, a network configuration change took the service down for hours — and WhatsApp and Instagram along with it — resulting in tens of millions in lost revenue and millions of users unable to access these services.
  • At Twitch, an interactive live streaming service owned by Amazon, a server misconfiguration gave a hacker access to a trove of sensitive data, including information on users and source code for yet-to-be-released applications, which the hacker posted on the internet.
  • In the past year alone, 36% of companies suffered a serious cloud security leak or breach due to cloud misconfiguration, according to The State of Cloud Security 2021 Report.

We’ve seen enterprise cloud customers fall victim to their own preventable configuration mistakes many times before. What’s notable here is that Facebook and Twitch are essentially customers of their own cloud platforms. When you consider how much complexity the cloud providers have pushed to their customers, these incidents keep happening — not because people are bad at cloud security but because it’s really hard to get good at it. Let’s explore that.

Why Cloud Risk Is Configuration Risk

The cloud attack surface is configuration, not the network. Configuration is essentially how you’ve designed and built your infrastructure. The word “configuration” can feel like a small detail, but in the cloud, configuration is a big deal. A mistake here can create vulnerabilities and break applications. A single misconfiguration can have a huge blast radius in terms of system downtime or a data breach — and the resulting loss of revenue and customer trust.

Take a car, for example. A car has an engine, a transmission, wheels, etc. All of these components have configurations, some of which are related to safety and regulated by law. People and machines inspected the configurations of the car before it rolled off the line, which the owner may have changed over time. A safety inspector flags configuration violations because bad configuration can cause a breakdown or an accident.

In terms of scale and complexity, an enterprise cloud environment is more like an aircraft carrier. It can contain hundreds of thousands of resources, each involving dozens of configurations. Cloud engineering teams are making dozens — or hundreds — of configuration changes every day. Back to the car analogy, this is like swapping in a new transmission while driving down the highway at 70 mph — without slowing down.

Clouds Change Constantly, and Every Change Brings Risk

The cloud is the most secure computing platform humans have ever produced — if you build it correctly and ensure changes don’t introduce vulnerabilities. That’s the hard part.

The constant state of cloud change plays such a crucial role for the modern enterprise’s success: speed and agility. Companies operating in the cloud generally realize a faster time to market than those operating in a data center. But all that change brings great risk. Humans are making configuration decisions every day and then changing them the next. How informed are those decisions when it comes to security?

Unfortunately, the answer is “not enough.” This is not meant to disparage software engineers. We ask a lot from them, and they produce great things for us. But humans are terrible at keeping thousands of data points — and thousands more rules — in our heads. No human can possess full knowledge of a cloud-based system and the security implications each change will bring. But full knowledge of your cloud environment — and denying your adversaries that knowledge — is essential to keeping it secure.

As cloud environments grow bigger and more complex, this problem will only get worse.

21st Century Armchair Hacking

The good news is that cloud security teams are becoming more aware of this challenge. The bad news is that we’re way behind the hackers, who have gotten very efficient at acquiring the knowledge they need to exploit cloud systems. They use automation to scan the internet looking for cloud misconfigurations they can use to access an environment. Once in, they leverage additional mistakes to discover resources, move laterally, and extract data without detection.

Twitch didn’t become aware of its breach until its data started showing up on the internet, and a single server misconfiguration enabled the hacker to breach data well beyond the domain of that one server. The same thing happened to Capital One a few years ago, and they’re widely recognized as being among the best at cloud security.

What Business and Security Leaders Can Do Today

Every business and security leader operating in the cloud needs to be paying attention and asking questions. You can be far more secure in the cloud than in a data center and certainly more competitive. But just because you can be more secure in the cloud doesn’t mean you are today. It’s safe to assume you aren’t safe.

Here are five essential steps:

  • Know the State of Your Cloud Environment
    You need to understand what your current cloud security posture is. Ask your cloud security team for a report on the state of your cloud environment as it is today — not six months ago or whenever your last audit occurred. This report should give you a complete picture of how infrastructure is configured and a list of vulnerabilities by severity. If they can’t provide this to you by noon, they don’t possess this knowledge. That should scare you, and acquiring this knowledge must be your team’s first priority. Everything in your cloud environment is knowable, so get your team on it.
  • Think Preventively About Cloud Security
    Once you know where you stand, it’s time to start thinking differently about cloud security. Your security team might still be focused on things like intrusion detection and network monitoring to catch attackers, but that’s not how cloud security works. Once a hacker has gained access to your environment, it’s too late. Cloud breaches happen in minutes, and traditional security tools offer little or no help. Cloud security is about preventing misconfiguration vulnerabilities from happening in the first place.
  • Apply Policy as Code as a Force Multiplier
    The only way to prevent cloud misconfiguration is to bake security automation into every aspect of cloud operations. Doing this requires Policy as Code, which enables your team to express security and compliance rules in a programming language that an application can use to check the correctness of configurations. Instead of humans inconsistently reviewing things and enforcing rules, Policy as Code empowers all cloud stakeholders to operate securely without any ambiguity or disagreement on what the rules are and how they should be applied.
  • Align Cloud Stakeholders
    In this model, your security team becomes a tool vendor to your application developers and cloud engineers. Engineers developing cloud systems automatically check their work against policy and make corrections quickly and easily, before they build anything. Automated guardrails prevent the deployment of dangerous cloud vulnerabilities. And security teams continuously monitor your environment to catch any misconfigurations that slip through — before the bad guys can find them.
  • Shift Culture to Security-Everywhere
    Transforming how your organization does cloud security will require some new hiring, training, processes and changes to your culture. These aren’t easy things to do, but until you do them, you will remain at great risk. By focusing on automation and Policy as Code, there’s no need to hire a virtual army of engineers, which is good news considering the bidding wars currently being waged over them. Automation and Policy as Code help your security team invest in more challenging problem areas, and your application teams deliver secure innovation to the market faster.

In a four-minute video, www.youtube.com/watch?v=naFW_Ejiqgk, Josh Stella explains in lay terms: an overview of the Facebook outage and Twitch breach, what is cloud configuration, why do misconfigurations keep happening, what business leaders can do to assess their risk, and how companies can build security into their cloud to prevent loss of revenue and trust?

About Josh Stella

Josh Stella, co-founder and CEO of Fugue, is a technical authority on cloud security. Bringing 25 years of expertise as a chief technology officer, principal solutions architect at Amazon Web Services, and advisor to intelligence agencies, Josh founded Fugue in 2013 to help companies proactively change the security paradigm and get ahead of the hackers. He wrote the first book on “Immutable Infrastructure,” holds numerous cloud security technology patents, and hosts complimentary Cloud Security Masterclasses. Connect with Josh on LinkedIn and via Fugue at www.fugue.co.

About Fugue

Fugue is a cloud security SaaS company enabling regulated companies such as AT&T, Red Ventures, and SAP NS2 to ensure continuous cloud security and earn the confidence and trust of customers, business leaders, and regulators. The Fugue Platform secures the entire cloud development life cycle — from infrastructure as code through the runtime — with the same platform and rules across AWS, Azure, and Google Cloud. Fugue pioneered the use of Policy as Code for cloud security automation to empower engineering and security teams to move faster and do more with fewer resources. The company stands by a unique Fugue Guarantee that gives enterprises a simplified, actionable cloud compliance report in 15 minutes. For more information, connect with Fugue at www.fugue.co, GitHub, LinkedIn and Twitter.

All brand names and product names are trademarks or registered trademarks of their respective companies.

Tags: Fugue, cloud security, SaaS, Facebook, Twitch, policy as code, cloud, infrastructure as code, IaC, Josh Stella, open source, cloud security automation, network configuration, cloud configuration, cloud misconfiguration

Contacts

Dottie O’Rourke
TECHMarket Communications
(650) 344-1260
Fugue@techmarket.com

Release Summary

Josh Stella, Fugue CEO, explains what business leaders can do to assess their risk and secure their cloud infrastructure.

Social Media Profiles

Contacts

Dottie O’Rourke
TECHMarket Communications
(650) 344-1260
Fugue@techmarket.com