Gartner made an interesting prediction just a few years ago: “Through 2025, 99% of cloud security failures will be the customer’s fault.” Practically every single cloud security failure can be fairly described as a misconfiguration of one kind or another. The 2025 end is kind of arbitrary, really; the prediction is likely to be true until the end of time.
In my previous article, I discussed targeting these misconfigurations at their root. Now, I’ll examine how the cloud has changed our sense of control and explore another important type of configuration-related risk to mitigate.
Greater abstraction, less control
Clouds aren’t the cheapest technology or the easiest to manage. However, they are certainly a lot more agile than provisioning stuff on-premises and waiting months for all of the hardware to be deployed and the software to get installed.
Clouds are essentially increasing layers of abstraction. When everything was on-premises, organizations could control the entirety of IT. When infrastructure moved to the cloud, organizations gave up hands-on control of the lower levels: the building, the physical network, the racks, and all the physical servers. The actual controls now start just above the hypervisor: virtual machines, middleware, applications, data and users.
When organizations move out by one more degree of abstraction to platform-as-a-service (PaaS), they’re giving up control of the operating system. Then, if they go all the way to the highest level of abstraction — i.e., software-as-a-service (SaaS) — they have also given up control of the application. The only things left in an organization’s control are protecting the data itself and defining how people access it.
One might assume that the cloud would be easier just because there is less to control, but the reality has turned out to be very different.
Public cloud access control
In general, getting your access control model correct even in only one of the public clou