Sameer Sharma, Sr. Consultant for Cloud Architecture and Security at Citrix, recently highlighted five of the top cloud security risks. In his post, he provides high-level guidance for each cloud security risk, one of which is misconfiguration.
In August 2019, the Cloud Security Alliance released The Egregious 11, the third iteration of its Top Threats to Cloud Computing report. Misconfiguration and Insufficient Change Control is a new entry, which indicates that the CSA thought this threat was important enough to mention the same incident twice, in both of the first two blog posts.
In this post, we will further detail how misconfiguration risk can be efficiently managed by planning security before deployment, not as an afterthought. Planning ahead can greatly reduce misconfiguration risk at low cost and with moderate effort — a vital activity for such an important threat.
Five Practices for Overcoming the Security Misconfiguration Challenge
1) Know your security posture and map it to a security baseline
Your organization’s security posture and priorities are shaped by your organizational objectives and governance demands. In other words, you cannot simply look up a security baseline that matches your security posture. Some government organizations can still do this, but worldwide (even in government) this is less common. Instead, it is good practice to draw your own straight line from your security posture to the appropriate security configuration…