Security Chaos Engineering - the need for new security concepts - Part 1


Distributed systems - especially cloud infrastructures - have become increasingly popular in recent years. However, cloud infrastructures have unique characteristics and therefore specific security requirements. In this article, we will look at the characteristics of the cloud, traditional security concepts and the reasons why they do not adequately cover cloud security.

The advent of cloud computing has fundamentally changed the way organizations think about and interact with IT infrastructures and services. Cloud computing offers flexibility through scalability on demand, virtually unlimited storage and computing capacity and numerous other benefits. However, these benefits also bring a level of complexity to IT infrastructure and services that did not exist before. The number of systems interacting within the cloud environment and the size of the environment itself have increased massively. The flexibility and scalability of the cloud make it possible to host a wide variety of interconnected applications.

In addition, the cloud infrastructure is often provided and managed as infrastructure as code, which increases complexity.

For this reason, a large amount of source code runs on these systems. Dependence on external libraries is therefore common practice, which leads to external vulnerabilities being integrated into the system's own infrastructure. In addition, adding a new application causes the system to evolve, e.g. by increasing dependencies between communicating and cooperating applications. This applies in particular to serverless applications, microservice applications, monitoring and logging. These circumstances create a complex network of linked applications and hidden dependencies. It is difficult for people to keep track of the cloud architecture, the workloads of different developers and existing dependencies. If this overview is lost, the result is a range of critical security issues and threats, for example around identity and access management, misconfiguration and a lack of knowledge about security vulnerabilities in one's own infrastructure.

In the pre-cloud era, developers only wrote applications, while the rest of the stack - including security - was part of IT operations.

Many organizations viewed security as an external practice once they went live with their source code. Security was just one step of the development process, measured by the absence of negative events and incidents, which were always seen as something negative rather than an opportunity to learn and improve. Today, developers are responsible for the entire stack, including security. However, security is not part of their regular workload and competencies. Developers aim to improve the code they develop by making it either faster or more stable. Integrating security into this process only adds to the already high workload and complexity through necessary scans, context checks and comparisons with expectations. This makes security an afterthought and leads to an aversion to security.

A survey conducted in 2019 showed that almost 70% of developers are responsible for the security of container images, but almost half of them will not be able to find new vulnerabilities in these containers.

A simple update or rebuild would fix almost two-thirds of the vulnerabilities in such container images. In addition, the average system contained 22 vulnerabilities. Almost 90% of vulnerabilities that do not adequately protect systems come from the application code itself. More information can be found here. These numbers show the lack of control over security and the fact that developers are not security experts: they need support, new approaches and tools to help them secure their systems adequately.

[Figure: How companies find out about new cloud vulnerabilities]

In summary, there are discrepancies between how organizations handle security and how they should handle it, as well as between what developers can and want to do and what they need to do. Organizations should view cloud security as:

  • a necessity throughout the entire process, from development to deployment and regular updates, as added value.
  • something to implement proactively, to ensure that systems work as intended and cannot be exploited by hackers.

Therefore, companies need to rethink their security strategy and go beyond traditional approaches. One of these new approaches is Security Chaos Engineering, the general concept of which we will discuss in the next article.

If you're interested in more details on how A&B security experts can help establish a security chaos engineering culture in your organization, check out our SCE program or contact us at Alice&Bob.Company!

