Avoiding automation
Many organizations execute processes in the cloud manually, including installation processes, configuring virtual servers, setting up a network, storage volumes, or other cloud resources. Manual processes are time-consuming, error-prone, and hard to scale.
Automation encompasses solutions and tools that help eliminate repetitive aspects managed by one or more manual processes in the cloud. Cloud automation can increase security and the efficiency of workflows and tasks in the cloud. Automating routine security tasks will mitigate the majority of the manual risks presented by human error.
An IT auditor should examine if the organization utilizes automation within its cloud environments. One popular way to implement cloud automation is by using infrastructure as code (IaC). IaC is a process of creating cloud infrastructure through templates defined by code. Once developed, IaC becomes the building blocks for creating compute, storage, networking, and security policy in a cloud environment.
Misconfiguration
The cloud is still a novel concept and many organizations are unfamiliar with securing cloud infrastructure. As a result, it is easy for a security oversight to leave an organization’s cloud-based resources exposed to attackers. An example of a misconfiguration is mistakenly making a cloud-based repository public when you meant to make it private. This makes the repository accessible to anyone on the internet. Tools exist specifically for searching the internet for these unsecured cloud deployments.
To address cloud misconfiguration, the IT auditor should evaluate if the organization scans and reviews its cloud workloads for common vulnerabilities, such as exposed access points, resources labeled as public, and so on. This can be done by using cloud security posture management tools. Cloud security posture management tools are automated solutions that identify misconfiguration issues and compliance risks in cloud environments.
The inadvertent exposure of credentials
Credentials are the keys used to access cloud services. Credentials include user credentials, passwords, access keys, encryption, and decryption keys among others.
Software developers with poor security practices often embed credentials into their code to save time during the code development process. The code containing the credentials may then be uploaded into a public repository service. This can be considered the same as closing the entrance door of a house and forgetting the key in the lock: this is the most straightforward and obvious way to cause a data breach. Tools exist that enable adversaries to find credentials in public cloud accounts.
The IT auditor should examine whether the organization has enforced secure coding standards, along with a secrets management strategy. This is to ensure that software developers code their applications securely, minimizing any vulnerabilities that may be exploited.