Well, it sure has been a week in cloud security land… which is becoming quite the evergreen statement. Research teams keep finding major vulnerabilities across the major providers, sparking all sorts of grandiose claims and spirited debates online. What is happening?! I have nothing to posture other than acknowledging that cloud environments are getting increasingly complex, and the surface area too deep and wide to reason about.
Every major cloud provider is a builder, seller, and consumer of its own services. The scope of the offering has long been far too complex for your average outsider to fully grasp, but it’s increasingly far too complex for even insiders. With a near-infinite number of possible configuration combinations, things are bound to go wrong. Teams are getting better at handling these complexities, but so are the researchers. More importantly, so are the attackers.
When there’s no customer impact, and newly found zero-days get addressed quickly and effectively, you can sigh a bit of relief knowing that red & blue teams working in concert with providers are a net-positive for the strength and stability of the cloud offerings themselves. When there is customer impact, there’s a reasonable collective freakout. Either way, there’s always the lingering thought of, “well, what’s next?” You can safely assume there will be a next, but at whose hands and at what measure?
Keeps things interesting, that’s for sure!