The big providers advertise how easy it is to deploy infrastructure in the cloud, but they don't seem to talk about how easy it is to screw it up and loose half the country's SSNs because of an extra * in a JSON policy. It doesn't help that the default settings are rarely secure.
We've got companies with 100s of engineers and combined decades of cloud security experience who are still getting it wrong. Not a day goes by without mass exfiltration of user data because of what amounts to really tiny mistakes.
The cloud providers have tried to address the issue, but IMO, they're going about it the wrong way. Devs shouldn't need an entire "Security Center" to tell them they're doing something insecure in a different part of the product.
TBF, I don't think there's an easy answer. With great power to build and design cloud systems comes great responsibility. Companies hosting user data in those systems need to do learn to do so securely. I'm just confused on *why* it's so hard to do that.
I think there are a few things the cloud providers should do to make things better:
1) Put security warnings front and center. If I'm about to do something insecure in S3, tell me right then. Don't make me go sign up for Config Service and launch 15 Lambdas with an SNS topic and a satellite to figure it out after the fact.
2) Secure everything by default and make the insecure options harder to enable. Most users likely won't encrypt something if it's opt-in and hidden down under an "Advanced Settings" menu.
3) Redesign policy-based permissions and stop allowing wildcards. Devs put wildcards in a policy bc it's the path of least resistance. I'm not about to parse policy logs for 2 hours to find the exact EC2:X permission my server needs, but it certainly doesn't need "*".
4) Turn all services and regions off by default. Providers won't do this bc it's detrimental to their business model, but 99% of users aren't using most of these services, so make the account owner enable what they need on a per-service/region basis.
5) Surface problems with zero config. Leave a car door open with the keys in and it starts beeping. I don't have to subscribe to some extra service for the feature. Why can *really* insecure infra keep running without any notification from the provider?
There are scores more ways to improve the situation, but just doing the above might have prevented a good chunk of this year's biggest cloud hacks. Anyone have other ideas?
