3. Constant Crisis Management
Cloud security is constant crisis management. Not in the sense of panic, with everything on fire, but as a constant mode of being. Should a fire break out at your house, I bet you'd be in panic mode, as I sure would be. But for the Fire Department it is just another Tuesday (literally).
I was reminded of that when I saw two separate reports of vulnerabilities in the cloud come out just today:
- AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass
- How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services
Told You So Doesn't Stop Us From Having To Deal With The Impact
These are great write-ups with technical details, and you should read them. But since the vulnerabilities are already fixed, the reports are largely like a weather report for a different continent.
Hurricanes or tornadoes way over there may make the news but don't affect you as much as the showers or snow you may be dealing with back home[^1]. Scientists and activists have warned us correctly for a long time about climate change and made recommendations that, for reasons outside their control, weren't followed. First responders nevertheless have to manage the local disasters where they occur and do what they can with the resources they have available to them.
Security professionals similarly have offered good advice for decades. Here too, a lack of resources, commitment or willingness to face consequences often meant their recommendations weren't followed. Yet those in the trenches try to make systems secure and respond to alerts to the best of their ability, while security operations deals with the fall-out with the capabilities they have.
Managing Cloud Turbulence
Cloud transformation only adds to this sense of crisis. We rush head-first into cloud platforms and new cloud-native technologies like Kubernetes, little of it secure by default. We give more autonomy to developers, while we're still figuring out how to secure these landscapes. Changes to the way we work, develop and deploy code, and adjust organizationally to cloud transformation only add to the turbulence.
We only manage this by realizing we are in a state of constant crisis and will continuously have to make difficult choices. This is what crisis management is for. When you rarely have an incident, you may have good playbooks, but when an incident actually happens nobody knows what to do. When incidents are routine, you develop a rhythm and a comfort level with them. You manage.
That doesn't make me less concerned about these vulnerabilities – we rely on the cloud provider for the security of the cloud in our own threat modeling and processes. I am concerned about the impact of climate change on communities around the world, as well.
However, we all first have to deal with the crisis in front of us and prioritize according to the impact on our organization, for the things we have control over and can mitigate. It won't do to stand on the sidelines and say “I told you so”. We have to save what we can. Welcome to constant crisis management.
[^1]: I am in the greater Santa Cruz area, recently hammered by massive rain storms. While our little community is OK, thankfully, many areas have seen major flood damage and the risk of landslides continues. Extreme weather events are obviously on my mind.
cloud security posts without corporate approval @jaythvv@infosec.exchange