The cloud is ubiquitous: any company looking to ramp up quickly is likely to provision its compute, networking and storage with its preferred cloud provider and get started rolling out its products. The catch, though, is that the very same foundational architectures that drive the cloud’s efficiency, flexibility and cost benefits are ultimately also its weakest links from a security perspective.
There are three fundamental drivers that serve as the basis for the large majority of access hacks, data security breaches and privacy vulnerabilities:
This blog series will dig into each of these elemental cloud security challenges that need to be addressed if we really want to change things. Then we will lay out how an API approach to security will enable developers to bake data security, privacy and access control into their applications from the ground floor with little or no code, rather than simply layering on active security measures as an afterthought.
Credentials-based authentication - that is, username and password - is notoriously insecure and the source of 80%+ of data breaches today. Yet most end users still gain access to their Web sites and applications this way. Even worse, so do many DevOps and cloud engineers to their sensitive production cloud environments. Thankfully, a long overdue migration to passwordless authentication is now underway, with dozens of tools vying for supremacy, and more and more sites like GitHub are deprecating password-based authentication entirely.
While this is an important step forward, it still only solves part of the problem: not all passwordless authentication solutions are created equal. The new wave of solutions eliminates the password, but each still has one or several intrinsic weaknesses, all derived from the same foundational flaw.
The benefits of the cloud - its flexibility, scalability and remote access - are indisputable. It has simplified development and automation exponentially over the years, and emerging tech such as AI and IoT will only accelerate this.
But as any security engineer knows, these strengths are also the cloud’s main weaknesses. The scale and complexity of the cloud make it practically impossible to defend, while the amount and value of data and capabilities concentrated into enormous cloud-based data lakes make attacks relatively easy and incredibly profitable. Given that formula, it’s no wonder that the breaches - and headlines - just keep getting bigger.
So, if you want to really take a security-first approach in your cloud engineering, and avoid being the next big headline, you should start with the working premise that the cloud is essentially compromised. With this assumption in mind, here is where the current crop of passwordless authentication solutions remain vulnerable:
If you are serious about data security, you have to start with the simple premise that any resource of value in the Cloud can and will ultimately be successfully attacked.
Thanks to this set of assumptions, attacks can be executed literally from anywhere in the world, from any device, and by any hacker - whether an amateur or a sophisticated professional. Even worse, it doesn’t even require a human attacker: software, especially bots, malware, ransomware and even AI software, can probe and drive attacks of virtually unlimited scale.
Yikes - scary. Until we change things, the attackers will always have the advantage.
Zero Trust was, of course, developed to acknowledge and address this inherent weakness of cloud security. Zero Trust (as a quick recap):
While both are vital principles and steps, there are gaps in how Zero Trust is implemented and enforced, usually due to the cloud’s previously mentioned inherent weaknesses:
Therefore, Zero Trust solutions are still not able to prevent unauthorized access, and will continue to be broken. Zero Trust is a necessary part of an overall strategy, but not sufficient on its own.
Since we are writing this blog, we have a few ideas! Several years ago, Circle’s founders started thinking about, designing and then building a new approach to cloud security - cybersecurity based on the basic premise that the cloud is compromised.
If you accept that, then the strategy is obvious: we need to eliminate the attack surface in the cloud entirely. These are the pillars that make this strategy feasible.
These pillars can also be applied to many other vulnerabilities in cloud security, in particular protecting data and privacy. But more on that in the next blog!
Too good to be true? We would be the first to say that seeing and implementing the code is believing. We hope that you will take the Circle API for a spin!
You can also follow the blog and articles below to learn exactly how you can use the Circle API to rapidly and easily bring these benefits to your Web sites, applications and end users.