With Great Power Comes Great Responsibility

AWS is focused on providing a flexible platform that enables customers to do whatever they like. This emphasis on flexibility has enabled customers to build incredible business value on top of the cloud. They can build cutting-edge cloud apps that can automatically scale to meet demand with a fraction of the investment.

The AWS Shared Responsibility Model means AWS is responsible for the security of the cloud, and customers are responsible for their security in the cloud. AWS will secure the buildings that hold the servers and the rest of the cloud infrastructure. What you do with those services, and how securely you configure them, is your responsibility, and it is not an easy task.

In practice, this means customers' developers must understand, in depth, every AWS service they use, to ensure it is configured safely and stays that way over time. They also need to do this on an ever-changing cloud platform.

This places enormous responsibility on developers to get it right the first time. That is not always guaranteed, especially in a market where demand for experienced talent is high. Developers may be focused on building core business apps and lack the time or domain expertise to properly configure the underlying cloud infrastructure.

The Cost of Misconfigurations

There has been a plethora of coverage of businesses that have suffered a data breach exposing customer data. Many were vulnerable not because external attackers exploited a flaw in their code, but simply because a critical cloud service was accidentally left open to the world.

Whether it’s an open S3 bucket with patient records for a US medical training school, or an FBI watchlist exposed due to a misconfigured Elasticsearch cluster, these cases are all too common.

  • According to research from Trend Micro, 65-70% of all security issues in the cloud are a result of such a misconfiguration.
  • In terms of real-world impact, 33 billion records were exposed in 2018-19, at a global cost of $5 trillion, according to a report from Divvy Cloud.
  • When misconfigurations do occur, they take an average of 154 days to identify, and then 69 days to contain, per IBM. That’s a lot of time for these issues to sit while your data lies exposed to the world.

You don’t know what you don’t know, and meanwhile the clock is ticking.

Addressing this Risk is Challenging

To solve this, businesses in the cloud have a lot of issues to sort through:

  • How to ensure every developer and engineer working in an AWS environment knows how to configure each service correctly?
  • How to ensure they have the time to get things right?
  • How to gain the visibility to make sure they do this correctly, every single time?
  • When the underlying AWS services change, or new ones are added, how will they keep up?

Businesses who are already struggling to recruit and retain talented cloud experts may find these challenges a tall order. These challenges are magnified when they suffer the impacts of an outdated cloud environment.

The Stax Solution

To help customers solve this problem, today Stax announced the release of our Public Exposure Rule Bundle, an expansion of our Risk Management feature targeted at cloud misconfigurations.

The Bundle offers a simple method to ensure common AWS services that can be open to the internet are tracked, and customers can tell if their resources are at risk of being open to the internet. This grants customers immediate visibility over a massive risk to their business.

Enabling this Bundle and monitoring its notifications should allow customers to improve their security posture. Like all other Rule Bundles, customers can enable Real-Time Rule Alerts and be notified in near real time, providing for rapid, targeted resolution of important issues.
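To make concrete what a public-exposure rule has to decide, here is an added example (not Stax's own rule code) that evaluates an S3 bucket policy together with the bucket's Public Access Block settings; the bucket name, account id and policy document are constructed samples.

```python
import json

# Constructed sample inputs (not real buckets or accounts): a bucket policy
# that grants anonymous read, plus the bucket's Public Access Block settings.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnonymousRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-records-bucket/*"},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-records-bucket"},
    ],
})
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def is_public_principal(principal):
    """True when a statement applies to anyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def evaluate_exposure(policy_json, public_access_block):
    """Rule: flag Allow statements granted to a public principal, then decide
    whether anonymous access is actually live given Public Access Block."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    public, needs_review = [], []
    for s in stmts:
        if s.get("Effect") != "Allow" or not is_public_principal(s.get("Principal")):
            continue
        # A Condition may narrow the grant (e.g. to a VPC endpoint) or may not
        # (e.g. aws:Referer); the rule surfaces it rather than assuming it is safe.
        (needs_review if s.get("Condition") else public).append(s.get("Sid", "<no Sid>"))
    # With RestrictPublicBuckets on, S3 ignores public bucket policies, so the
    # statements stay a finding to clean up but anonymous access is not live.
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return {"public_statements": public, "needs_review": needs_review,
            "exposed": bool(public) and not restricted}


if __name__ == "__main__":
    print(json.dumps(evaluate_exposure(SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

The same shape (collect the grants, then apply the account-level guard rails) carries over to other services that can be opened to the internet, such as security groups or Elasticsearch domain access policies.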

Customers no longer have to deeply understand the subtleties of every AWS service they use, in order to protect their business against the possibility of a costly misconfiguration that exposes data.

When new AWS services become available, and new methods of opening services up to the internet become available, we will add them to our Bundle, ensuring customers can maintain visibility over public exposure as AWS evolves.

Existing Stax customers given early access to the Bundle have been positive. James Smith, MoneyPlace chief technology officer, said the Bundle was a great set of Rules that helped his company, a Melbourne-based peer-to-peer personal lending platform, ensure it is protected against common data leakage configurations in AWS.

Learn more about the richness of Stax features in our documentation.

If you are concerned about your organization’s ability to monitor and avoid public exposure, reach out to our team to schedule a free demo.

By David Angus