We’re excited to announce the Cloud Security Masterclass program to help increase awareness of advanced cloud misconfiguration risks and how malicious actors exploit them. We held the first free live Cloud Security Masterclass last month—a deep dive session into the complex layers of Amazon S3 security, which has been at the center of a number of recent high profile data breaches.
When there’s a data breach involving Amazon Web Services (AWS), more often than not it involves the Amazon S3 object storage service. The service is incredibly popular. Introduced way back in 2006 when few knew what the cloud was, S3 is highly scalable, reliable, and easy to use. But getting the security of S3 right—and making sure it stays that way—continues to confound many AWS customers.
Cloud misconfiguration remains the top cause of data breaches in the cloud, and the COVID-19 crisis is making the problem worse. These are among the findings of Fugue’s new State of Cloud Security 2021 Report.
By the Fugue Team in collaboration with Dave Williams, cloud architect at New Light Technologie s . Employers across the U.S. and around the world are rapidly shifting to a mandatory work-from-home (WFH) arrangement to help slow the spread of the coronavirus (COVID-19). Even for organizations already operating with team members working from home, this shift is likely causing disruption.
In the cloud, developers now own the security posture of the enterprise because the cloud is fully software-defined and programmable. Getting the programming of cloud infrastructure wrong leads to misconfiguration, which is the number one cause of cloud-based data breaches.
Today we announced Regula, an open source tool for evaluating Terraform infrastructure as code for potential security misconfigurations and compliance violations. Regula uses the open source Open Policy Agent(OPA) policy framework and Rego query language, which have gained significant traction in the Kubernetes community and scale to cloud infrastructure policy assessments as well (Fugue’s SaaS product performs more than 100 million policy evaluations using OPA every day).
When it comes to cloud infrastructure security, two trends emerged in a big way in 2019: headline-producing cloud-native exploits, and the developer movement to address these threats using secure engineering approaches.
On January 1, 2020, the California Consumer Privacy Act (CCPA), California’s answer to GDPR, goes into effect. Like GDPR, the CCPA is delivering anxiety and dread to executives, marketers, compliance officers, and engineers everywhere. As we learned from numerous conversations at the AWS re:Invent 2019 conference last week, engineers responsible for building and managing cloud-based systems and data are focused on CCPA and what it means.
Adopting the Rego policy language and the Open Policy Agent (OPA) engine for Fugue’s cloud security SaaS product has paid real dividends for us and our customers. It enables Fugue users to easily create custom policies for their cloud infrastructure environments using open source tools, and it’s helped us implement out-of-the-box policy as code support for complex compliance standards, including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2 (and our own Fugue Best Practices to identify advanced cloud misconfiguration risks).
Today we released the Fugue Best Practices Framework to help software engineering teams identify and remediate the kinds of dangerous cloud resource misconfigurations used in recent data breaches that aren’t addressed by common compliance frameworks (see A Technical Analysis of the Capital One Cloud Misconfiguration Breach).