It’s going to be a brief newsletter this week – the Moderna booster knocked me out real good this weekend, so I’m still a bit loopy.
Speaking of *ahem* responsibility, a big topic this week has been the Shared Responsibility Model of the major cloud providers, courtesy of a vulnerability in Azure Cosmos DB that was discovered by the research team at Wiz. A complete walkthrough of their findings and escalation path can be read here.
There’s no denying the value in what you get “for free” from the cloud providers in terms of operations & security across the service catalog and underlying infrastructure resources. But there is a natural element of trust that comes with it – what happens when something goes wrong?
My absolute favorite Gartner statistic, which I’ve used ironically in every presentation I’ve given in the past few years, is that “99% of cloud security failures will be the customer’s fault.” Thanks, Gartner. But what about that 1%?
Keeping up with that 99% is enough to keep us all busy (and employed), so it comes as a blow when the problem is something out of your control, in that 1% we expect the provider to cover. It’s always a good reminder that the cloud services we consume are written by people, and people make mistakes. As the report linked above shows, all it takes is one questionable (or, more likely, unintentional) design decision to hand an attacker a path to elevated privileges.
Responsibility isn’t a guarantee, but it is accountability. That trust should be a major factor when choosing a cloud provider to go “all in” with. When vulnerabilities like this are discovered, what you want to look for are the nature of the procedures in place, the speed with which issues are found and fixed, and the openness of the communications.
With great responsibility comes… a privilege escalation path? Hmm… I’ll have to work on that joke when my brain comes back online.