The cockpit photo always fascinated me. Lots of knobs and whistles of different shapes and sizes. Do pilots really need all these options over the distance? On every trip? How do they check that they are all in the correct position before taking off?
Companies today have tens of millions of these items, or rather their digital equivalent: configuration. The cloud and software as a service (SaaS) are now ubiquitous and have brought with them endless choices to make. Unlike airplanes, we do not have standards and procedures to ensure that each switch is turned to the correct position. It's no wonder that misconfiguration remains the most common cause of cloud security issues.
Ambiguous configurations
Commercial aircraft have comprehensive manuals detailing the function and effects of each toggle switch in that cockpit. For cloud and SaaS, you'll usually find a one-line explanation hidden in an obscure documentation page. If you're lucky, this short snippet is meaningful and still up to date. However, in most cases, you are not lucky – the documents were written three years ago, and now the service is completely different. Entire companies are built on the premise of having a team of experts who know what these switches do. They reverse engineer, poke around, and brute force their way to the meaning of each setting.
In the world of SaaS and Platform as a Service (PaaS), things get even worse. You'll never have a complete understanding of how things are built under the hood, so building an intuition about which knob does what becomes a guessing game.
Distributed choice
The cockpit is manned by the Captain and First Officer, who are highly trained professionals with well-defined responsibilities. Sometimes they are backed up by the flight engineer, a well-oiled human machine who triple-checks that everything is OK. For cloud and SaaS, it's the Wild West. People across the organization make configuration choices every day — or, worse, fail to make them and leave the insecure default setting in play.
It's not just cloud developers and SaaS administrators, although they have received most of the attention. Business users make these choices too. They take advantage of low code/no code to build and customize their own business processes, making dozens of configuration choices as they go.
Security teams also face this issue. Can you really say that your security stack is 100% optimized and configured correctly? How many incidents could have been prevented by technology that was deployed in audit mode rather than enforcement mode?
Constant change
Imagine what would happen if a cockpit changed its switches – their functions, their effects, or just their appearance – every three months. Now imagine that it changes several times a day.
Continuous delivery is the holy grail for enterprise cloud and SaaS companies hoping to move quickly. We've given vendors permission to change their offerings under the hood as much and as quickly as possible. This is mostly a good thing, because this is how excellent software is built. However, applying the same principle to the user interface means that the configuration can change at an alarming rate. The meaning of the current configuration can also change, making it more difficult to understand what is happening.
Even if the configuration options are the same, the enterprise environment is constantly evolving. SaaS and cloud resources are connected in different ways. They have different data subject to different sets of regulations. Risk decisions adapt as the threat landscape changes.
It's time for standards
Public pressure in recent years has forced major vendors to change their insecure default approach, helping to put us all in a better position. S3 buckets are now closed off from the Internet by default, as are copilot bots built with Microsoft's Copilot Studio.
Some cloud and SaaS platforms have begun publishing recommended configurations for secure deployment. CISA and other organizations offer excellent recommendations to follow.
However, these are all scattered efforts. Working together through industry standards may be what we need to finally make a real impact in reducing the ever-increasing risks of misconfiguration.