Last week, Fugue released its Cloud Infrastructure Misconfiguration Report, which presents the results of our survey of more than 300 IT and security professionals from enterprise-level organizations. What surprised many of us at Fugue the most was the steep cost incurred by enterprises in their attempt to manage cloud misconfiguration, which is still largely a complex, manual process in an otherwise automated world of cloud. You can read more about that in The Cost of Cloud Misconfiguration Whack-a-Mole.
Today, Fugue released its Cloud Infrastructure Misconfiguration Report, which presents the results of our survey of IT and security professionals from more than 300 enterprise organizations. At Fugue we’re out to solve cloud misconfiguration, so we live and breathe this stuff every day. But even we were surprised by the survey’s findings. The risks due to cloud misconfiguration are generally acknowledged. 92 percent of respondents are concerned about these risks, and 82 percent reported security and compliance incidents resulting from them. The problem is so big, Gartner’s Neil MacDonald estimates that, by 2020, 80 percent of cloud breaches will be due to misconfiguration and human error. Yes, cloud misconfiguration risk is real. But what's the cost of managing it? That said, I’d...
Cloud infrastructure misconfiguration has emerged as the number one cause of data breaches in the cloud. Rather than application software vulnerabilities, it’s actually misconfigured network settings, firewall rules, storage access policies, and other cloud resources that put our data at most risk. We’ve talked a lot about the risk of cloud misconfiguration and why it’s critically important to have a Mean Time to Remediation (MTTR) for cloud infrastructure misconfiguration that’s measured in minutes, not hours or days. But why are cloud misconfiguration MTTRs more often measured in hours or days? And how many man-hours are teams wasting in their attempts to manage this problem? We work with a wide variety of enterprises using cloud at scale—from federal agencies to Fortune 500...
Organizations are excited about the cloud and what it can do for their business. Cloud computing offers the promise of services at elastic speed and DevOps teams are embracing the opportunity to innovate at speed and efficiently scale. The ability to easily bring up thousands of servers within minutes, however, also introduces security and compliance issues. Security and compliance issues are often neglected or avoided because of the perception that adding security will dramatically slow the pace of development. DevOps and security teams may seem to have opposing interests at times. Development teams who deploy apps in the cloud are used to moving fast and having the freedom to deploy whatever resources they need to accomplish their goals. They are not security and compliance...
As more organizations accelerate adoption of cloud infrastructure for increased efficiencies and scalability, they are faced with the challenge of identifying and correcting misconfiguration. Cloud infrastructure misconfiguration can occur anywhere in your infrastructure. If not corrected immediately after discovery, it can expose organizations to unforeseen risks. The longer misconfiguration is left unattended, the higher the risk of a critical security breach. Below are some of the most common kinds of cloud infrastructure misconfiguration and the resulting data breaches. Download the Cloud Infrastructure Misconfiguration ebook for more detailed information on misconfiguration and best practices on how to prevent it. Related Posts Cloud Infrastructure...
In last week’s blog post, we discussed the seriousness of cloud misconfigurations and the impact they can have on organizations as they move to the cloud. The fallout from cloud misconfigurations can be severe: steep regulatory fines, loss of customer data, damage to your reputation, or loss of customer trust. In this post, we address some of the most common cloud infrastructure misconfigurations and consequences resulting from the misconfiguration. AWS Security Group Misconfigurations AWS security groups are associated with EC2 server instances and provide security at the port and protocol access level. A security group misconfiguration can allow an attacker to access your cloud-based servers and exfiltrate data. A common security group misconfiguration is to make a server...
I’ve now been in the role of CEO here at Fugue for a number of weeks, and thought it might be worthwhile to lay out my reasons for joining this fantastic company. First off, I’d like to say a big “thank you” to the wonderful staff and customers of Fugue who have given me a very warm and enthusiastic welcome. Not only that, they have graciously and patiently entertained my many, many questions. I’ve spent the past 10 or more years helping lead innovative and fast-growing cloud and SaaS companies such as VisualCV (an early AWS customer) and SparkPost. Before that—at webMethods—I helped leading companies like Dell and Bank of America utilize our pioneering web services software in early cloud applications. One of the common concerns we had at all these companies was ensuring that the...
Cloud infrastructure misconfiguration is preventable, yet remains one of the most common security concerns for organizations moving to the cloud. A recent report from IBM X-Force revealed that there was a 424% increase in data breaches due to cloud misconfigurations that were caused by human error. Configuration drift that leads to misconfigurations can easily be exploited to gain unauthorized access to data, thus exposing organizations to unforeseen risks. Why has there been such a huge increase in misconfigurations and why are these breaches so damaging? Infrastructure misconfiguration has become increasingly likely as companies migrate more of their workloads to the cloud. Being on cloud means being dynamic and agile, and the security solutions used to protect data centers are...
DevOps provides IT enterprises with the ability to rapidly iterate on smart, fast software deployments. Relying on powerful version control and build tools like Github and Jenkins enables DevOps teams to save time and money by including development and operations in a single automated pipeline. However, in some DevOps environments, security is often neglected or avoided because of the perception that the security team will introduce inefficiencies and dramatically slow the pace of development. Bypass the unnecessary risks of this approach by integrating security directly into your DevOps pipeline. DevSecOps Provides Agile Security DevSecOps is established by placing security controls in every phase of your pipeline. Common best practices include: Training: Educate engineers to...
Two years ago, I wrote a blog post that got some notice, which surprised me. It was a piece about going back to Emacs as my primary content creation tool, first as a CEO, and now as a CTO. A brief recap is that I spent most of my career as a programmer and a software architect, and preferred Emacs as my code editor for much of that time. Reconsidering Emacs was an experiment that I was excited about, but wasn't sure how it would work out. On the Internet, the post was met with roughly equal parts disdain and appreciation, but tens of thousands of people read it, so it seems that I touched on something interesting. Some of the more challenging and funny posts on Reddit and HackerNews predicted that I'd have hands shaped like claws or that I'd have lost my eyesight because I use white...
.png?width=36&height=36&name=linkedin%20(1).png){kind=small}
.png?width=36&height=36&name=twitter%20(1).png){kind=small}
