The reckoning on cloud container and serverless security

The elevation of cybersecurity responsibility to a CEO and board level is driving a real reckoning on cloud security and risk, both in Australia and abroad.

That reckoning is not just for those where the buck now stops on regulated accountability; it cascades down to CISOs and their teams to run tighter ships and to close any observability or investigative gaps.

While the CEOs of listed Australian companies — including banks, as one notable example — have championed programs of work to migrate applications and data to the cloud, it can be challenging to really understand the security nuances of where their environments now run.

Ephemeral infrastructure, including cloud resources such as containers and serverless functions that are spun up and down within minutes, are a particular blind spot. Their complex and dynamic nature often means they’re not well understood, even by cloud account owners or security teams. In that context, executives with cybersecurity accountability may find it challenging to assure themselves that their organisation’s use of technologies such as containers and serverless resources is observable or auditable to a standard they — or their regulators — would expect.

Underestimating the unseen: assessing risk in ephemeral environments

While cloud logs are an important data source when it comes to performing forensics and incident response, they often provide very little context to potential compromises in ephemeral environments. The ability to thoroughly investigate a detection may be hampered by the extent to which the ephemeral asset was observable during its brief lifespan.

For years, that has meant that malicious activity in ephemeral environments hasn’t been investigated because there was no easy way to do so. A resource expiring before a forensic analysis can even take place is a common reality. This has led to underestimation of the security risks posed by ephemeral infrastructure. The reality is that an attacker who gains access to a spot instance or container can accomplish quite a lot before that resource disappears.

For example, a container that runs even for 15 minutes often has access to a database. An attacker could theoretically dump out the entire database without worrying about covering up their tracks. Without a modern cloud-focused forensic platform, the only way a security team may even be alerted to this activity is if the attacker boasts about it on an internet forum or tries to onsell their exploits.

Forensics teams and incident responders have known about this visibility gap for a while, and it freaks them out that they can’t investigate ephemeral infrastructure properly. CISOs may or may not be fully aware of the risks — they may know but have viewed exploitation of ephemeral infrastructure to date as being a relatively low risk.

Certainly, ephemeral infrastructure presents a learning curve for both users and attackers, but there will always be skilled attackers, and as the use of containers and serverless continues to increase, ephemeral infrastructure will command increased attention amongst the hacker community and the skills and capabilities of security teams need to follow suit.

How new regulations impact C-suite leadership and cloud security programs

The emergence of new regulations could also drive a change in mindset around securing ephemeral infrastructure. Indeed, as organisations increasingly adopt ephemeral resources, regulators are educating the industry about the risks. They’re providing support for how entities need to operate, and what they should be looking out for as the temporary nature of ephemeral resources is no longer an acceptable reason not to have full auditability for that infrastructure.

As regulators have become more knowledgeable of cloud operations in general, they are taking cloud-based risk into consideration with audit and enforcement activity. On a practical level, that means tighter regulation of security cloud controls. It also means more scrutiny of executives and boards about what they know about their cloud environment and cybersecurity operations, and the extent to which they have assurance that their organisation’s approach aligns with best practice in the space.

That need for assurance will see executives and boards looking in the direction of the CISO. The question then becomes whether all cloud infrastructure is appropriately under control, or whether it represents a risk on the table that is unaddressed.

For those that encounter visibility gaps, or worse — audit trails of potential compromises that are difficult or expensive to investigate — a change of tune on ephemeral infrastructure observability will be required. Automation-centric platforms that capture forensic artefacts of all cloud infrastructure, no matter how long it is operational, are fast becoming table stakes for organisations with any significant cloud presence.

Image credit: iStock.com/metamorworks