Why Cloud Architectures and Configurations are Like Eating Pizza and Building Lego

Pandemic or not, businesses, schools, and other organizations have moved to the cloud much more quickly than they may have planned, and many IT departments have had to jump in and deal with it.

Even if this change had been on everyone’s roadmap, such fast adoption would certainly expose many organizations to risks brought on by unfamiliarity with cloud configurations. Here are some things to know, using some delicious and fun analogies.

Understanding Shared Responsibility With Pizza

An unplanned move to the cloud can put an organization at risk if it doesn’t understand the shared responsibility model, which delineates whether the customer or the provider is responsible for each operational task in the cloud.

Cloud computing responsibility is akin to eating pizza: If you don’t trust your inner chef or are too busy, you can go to a restaurant or have it delivered. If you don’t mind baking but don’t want to acquire all of the ingredients and assemble them yourself, you can choose a take-and-bake option. And if you prefer to make it at home with your family recipe, you can.

With cloud computing, you can adopt software-as-a-service (SaaS) and depend on the default services offered (restaurant or delivery). You can choose platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) and build your own services on top (take and bake). Or you can decide to have your services completely on-premises (homemade pizza).

Your cloud provider will offer documentation on how they define shared responsibility and how they cater to your needs using the model.

Understanding Cloud Architectures with Lego

It’s also important to know how to build services in whatever cloud you use. This is where the topic of cloud architectures comes in.

For this analogy, we’ll use Lego (which is the next best thing after pizza). Cloud frameworks are akin to the Lego manuals that come with new boxes of bricks. You can build remarkable things by following their best practices, or you can deliberately ignore them and still create something great.

If you decide to build without a guide, bear in mind that every brick you pick for your foundation will influence the integrity of the entire construction. Knowing each piece and its ripple effects is paramount.

Cloud Misconfigurations

When a customer believes they have a certain configuration in place but in fact do not, a cloud misconfiguration arises. Customer misconfigurations can result in data exposure, among other serious consequences.

Amazon Elastic Block Store Volume Encryption

Most compliance frameworks and standards require organizations to implement full-disk encryption on their hard drives, and AWS promotes this practice as well. However, a significant percentage of high-risk detections are related to Amazon EBS volumes that are not encrypted.

Customers might assume that AWS encrypts those volumes by default, but this isn’t the case. Fortunately, AWS makes it easy for customers to encrypt volumes, and encrypted volumes have the same performance as unencrypted ones.

Amazon Machine Image Encryption

An AMI functions as an open virtual appliance that allows customers to spin up multiple Amazon Elastic Compute Cloud instances with the same operating system, configuration, and data.

Having this data encrypted is also a good practice. However, a significant percentage of high-risk detections involve unencrypted AMIs. Customers can enable AMI encryption with a simple tick of a checkbox.

Amazon Simple Storage Service Bucket Encryption

Amazon S3 is one of the most widely used services of AWS. It is also one of the services often mentioned when data leaks concerning big organizations make news.

AWS provides the tools, but it’s the organization’s job to make sure buckets are properly configured. Every newly created Amazon S3 bucket is private by default, but it is not encrypted. Encrypting an Amazon S3 bucket is as easy as selecting the option button corresponding to the preferred encryption method.

Amazon Simple Notification Service Topic Encryption

Amazon SNS is a core service for cloud-native design. This managed messaging service allows service-to-service communication, decoupling monolith applications and enabling the adoption of a microservices architecture.

If malicious actors gain access to the data in transit or at rest, they can’t make sense of it if encryption is enabled. Amazon SNS provides in-transit encryption by default, but server-side at-rest encryption is optional. However, it can be easily enabled with a click of the corresponding option button.
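The four misconfigurations above all come down to an encryption flag that the customer, not AWS, is responsible for turning on. The following audit script is an added example (not code from the article or from AWS) that checks for each of them. It works on plain dicts shaped like the responses boto3 returns for `describe_volumes`, `describe_images`, `get_bucket_encryption` and `get_topic_attributes`, so the same logic can be pointed at live API output; the resource IDs, bucket names and topic names below are constructed sample data, not real resources.

```python
"""Audit AWS API responses for the unencrypted-resource misconfigurations
discussed above: EBS volumes, AMIs, S3 buckets and SNS topics.

Each checker accepts a dict in the shape boto3 returns for the named API
call, so it can be driven from live output or from the constructed samples
at the bottom of this file.
"""
from typing import Dict, List, Optional


def unencrypted_ebs_volumes(describe_volumes: dict) -> List[str]:
    """IDs of volumes whose 'Encrypted' flag is missing or False (ec2 describe_volumes)."""
    return [v["VolumeId"] for v in describe_volumes.get("Volumes", [])
            if not v.get("Encrypted", False)]


def unencrypted_amis(describe_images: dict) -> List[str]:
    """IDs of AMIs with at least one EBS-backed snapshot that is not encrypted
    (ec2 describe_images). Instance-store mappings carry no 'Ebs' key and are skipped."""
    findings = []
    for image in describe_images.get("Images", []):
        for mapping in image.get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs")
            if ebs is not None and not ebs.get("Encrypted", False):
                findings.append(image["ImageId"])
                break  # one unencrypted snapshot is enough to flag the image
    return findings


def bucket_default_encryption(get_bucket_encryption: Optional[dict]) -> Optional[str]:
    """SSE algorithm an S3 bucket applies by default ('AES256' or 'aws:kms'), or None.
    Pass None where s3 get_bucket_encryption raised
    ServerSideEncryptionConfigurationNotFoundError."""
    if not get_bucket_encryption:
        return None
    config = get_bucket_encryption.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def sns_topic_encrypted(get_topic_attributes: dict) -> bool:
    """SNS server-side (at-rest) encryption is on when the topic has a KmsMasterKeyId
    attribute (sns get_topic_attributes)."""
    return bool(get_topic_attributes.get("Attributes", {}).get("KmsMasterKeyId"))


def audit(volumes: dict, images: dict,
          buckets: Dict[str, Optional[dict]], topics: Dict[str, dict]) -> List[str]:
    """Combine the four checks into one list of human-readable findings."""
    findings = [f"EBS volume {vid} is not encrypted" for vid in unencrypted_ebs_volumes(volumes)]
    findings += [f"AMI {aid} has an unencrypted snapshot" for aid in unencrypted_amis(images)]
    findings += [f"S3 bucket {name} has no default encryption"
                 for name, resp in buckets.items() if bucket_default_encryption(resp) is None]
    findings += [f"SNS topic {name} has no at-rest encryption"
                 for name, resp in topics.items() if not sns_topic_encrypted(resp)]
    return findings


# --- Constructed sample responses (hypothetical IDs, not real resources) ---
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaaaaaaaaaaaaaa1", "Encrypted": True, "KmsKeyId": "alias/example-ebs"},
    {"VolumeId": "vol-0bbbbbbbbbbbbbbb2", "Encrypted": False},
]}
SAMPLE_IMAGES = {"Images": [
    {"ImageId": "ami-0ccccccccccccccc3", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0111", "Encrypted": True}}]},
    {"ImageId": "ami-0ddddddddddddddd4", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0222", "Encrypted": False}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
]}
SAMPLE_BUCKETS = {
    "example-logs-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/example-s3"}}]}},
    "example-uploads-bucket": None,  # API raised ...NotFoundError: no default encryption
}
SAMPLE_TOPICS = {
    "example-orders-topic": {"Attributes": {"KmsMasterKeyId": "alias/aws/sns"}},
    "example-alerts-topic": {"Attributes": {"DisplayName": "alerts"}},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_VOLUMES, SAMPLE_IMAGES, SAMPLE_BUCKETS, SAMPLE_TOPICS):
        print(line)
```

The S3 check returns the algorithm rather than a bare yes/no because organizations that mandate customer-managed keys will want to look for `aws:kms` specifically, not just for any default. The EBS check is the one most worth scheduling, since volumes created from snapshots or by automation can silently inherit an unencrypted state even after the account-level EBS encryption default has been switched on.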

Remember Pizza and Lego

Migrating workloads to the cloud is full of promise and opportunity, but organizations should understand what’s required in their slice of the cloud pie. Likewise, organizations should understand the best practices laid out in their provider’s frameworks to properly build on their foundational bricks.

Doing both will help avoid cloud misconfigurations and the consequences that come with these security gaps.
