As more organizations accelerate adoption of cloud infrastructure for increased efficiencies and scalability, they are faced with the challenge of identifying and correcting misconfiguration. Cloud infrastructure misconfiguration can occur anywhere in your infrastructure. If not corrected immediately after discovery, it can expose organizations to unforeseen risks. The longer misconfiguration is left unattended, the higher the risk of a critical security breach. Below are some of the most common kinds of cloud infrastructure misconfiguration and the resulting data breaches. Download the Cloud Infrastructure Misconfiguration ebook for more detailed information on misconfiguration and best practices on how to prevent it. Related Posts Cloud Infrastructure...
In last week’s blog post, we discussed the seriousness of cloud misconfigurations and the impact they can have on organizations as they move to the cloud. The fallout from cloud misconfigurations can be severe: steep regulatory fines, loss of customer data, damage to your reputation, or loss of customer trust. In this post, we address some of the most common cloud infrastructure misconfigurations and consequences resulting from the misconfiguration. AWS Security Group Misconfigurations AWS security groups are associated with EC2 server instances and provide security at the port and protocol access level. A security group misconfiguration can allow an attacker to access your cloud-based servers and exfiltrate data. A common security group misconfiguration is to make a server...
Cloud infrastructure misconfiguration is preventable, yet remains one of the most common security concerns for organizations moving to the cloud. A recent report from IBM X-Force revealed that there was a 424% increase in data breaches due to cloud misconfigurations that were caused by human error. Configuration drift that leads to misconfigurations can easily be exploited to gain unauthorized access to data, thus exposing organizations to unforeseen risks. Why has there been such a huge increase in misconfigurations and why are these breaches so damaging? Infrastructure misconfiguration has become increasingly likely as companies migrate more of their workloads to the cloud. Being on cloud means being dynamic and agile, and the security solutions used to protect data centers are...
DevOps provides IT enterprises with the ability to rapidly iterate on smart, fast software deployments. Relying on powerful version control and build tools like Github and Jenkins enables DevOps teams to save time and money by including development and operations in a single automated pipeline. However, in some DevOps environments, security is often neglected or avoided because of the perception that the security team will introduce inefficiencies and dramatically slow the pace of development. Bypass the unnecessary risks of this approach by integrating security directly into your DevOps pipeline. DevSecOps Provides Agile Security DevSecOps is established by placing security controls in every phase of your pipeline. Common best practices include: Training: Educate engineers to...
It has never been faster or easier to get something deployed in the cloud. Every day, it seems that cloud service providers like AWS and Azure are delivering a slew of new services that make it easier for enterprises to move their workloads to the cloud. Unfortunately, security and compliance may be left behind. The cloud offers increased efficiencies and scalability, but organizations need to also pay attention to security and compliance requirements or they could put themselves at risk. What does it mean to move both fast and safely to the cloud? You should follow a few fundamental steps: 1) Discover what is running. Most companies have existing environments in the cloud, so it’s important to know what is running and where. The cloud provides APIs for querying what’s in your...
Launched in 2011, AWS CloudFormation was a game changer because it was one of the first template-based, infrastructure-as-code (IaC) tools that provided the ability to express the full cloud infrastructure stack as configuration files. It wasn’t limited to the OS layer like traditional configuration management tools. However, organizations that operate on AWS under strict security rules and compliance regimes (i.e., HIPAA, PCI, NIST 800-53) need to make sure their infrastructure is created in accordance with the applicable security and regulatory policies—and stays aligned in the face of constant change. The Risk of Cloud Misconfigurations, Drift, and Policy Violations IaC tools like CloudFormation (CF) were not designed to address security and compliance comprehensively, and they...
For many people, their home is their largest and most valuable investment. However, most do not know how well their home is functioning. With the emerging of Internet of Things (IoT) technologies, any device can be put on your home network and be at your command. A home automation system can control lighting, climate, entertainment systems and appliances. A “connected” or smart home provides a wealth of information that can be used to save the homeowner money, time and frustration. One company, Whisker Labs, is leveraging data analytics from energy IoT devices to deliver home intelligence via energy savings and greater peace of mind. The company’s sensing and software technology mines the electrical network of the home, detecting electrical fire hazards. Energy management services...
One of the most common regulations out there is PCI, which helps ensure the security of financial and personal information for payment card transactions. Any organization that accepts credit card payments, or stores, processes and transmits cardholder data, must be PCI compliant. That means most organizations, from not-for-profits to small businesses to large corporations, must comply. Non-compliance can result in costly fines or worse: data breaches, a loss of customer trust, and lasting brand damage. For organizations adopting cloud, maintaining PCI compliance brings new challenges. PCI governs how IT infrastructure--such as servers, networks, and databases--must be configured to ensure data is protected at all times. But in the cloud, infrastructure is programmable and...
Since its founding, Fugue has set out to transform how cloud infrastructure is kept safe and secure. Today, we’re thrilled to announce our strategic partnership and development agreement with In-Q-Tel (IQT) to help advance its mission for U.S. government agencies. For nearly two decades, the not-for-profit strategic investor IQT has accelerated the development and delivery of innovative technology solutions to support the mission of the U.S. government agencies that keep our nation safe. We are proud to join them in supporting this effort. Fugue can help federal agencies automate security and compliance for cloud infrastructure to identify and eliminate risks stemming from misconfiguration and policy violations. By preventing compliance violations and automatically returning...
We are thrilled to announce that the Fugue Compliance Suite is available today. The Compliance Suite is a set of validation libraries for provisioning and orchestrating infrastructure with Fugue. The prepackaged libraries help to enforce security and regulatory controls specified in compliance frameworks such as NIST 800-53, HIPAA, and GDPR, as well as best practices such as the AWS CIS Benchmarks. As a reminder, a validation is a type of “policy as code” that tests your infrastructure. If a validation fails, such as determining that an S3 bucket has been defined in an unpermitted AWS region, then the infrastructure code will not compile and cannot be deployed. Our Compliance Suite validations ensure that infrastructure does not violate controls specified in a compliance framework. For...
.png?width=36&height=36&name=linkedin%20(1).png){kind=small}
.png?width=36&height=36&name=twitter%20(1).png){kind=small}
