Does cloud automation create new vulnerabilities for the enterprise?

Robust ICT infrastructure has been key in supporting the growth of the cloud market in Hong Kong. The Hong Kong SAR Government has taken the lead in cloud adoption by implementing several measures to protect itself as it moves to the cloud.

According to recent research from Forrester, 62% of companies in Hong Kong and Singapore are either partly embracing cloud solutions. Particularly in the banking and finance sector, there has been a growing adoption of cloud services to support non-critical applications such as business collaboration tools to enhance the client relationship experience.

While cloud automation can help organizations become significantly more agile and improve security, it can also expand the enterprise attack surface, creating new vulnerabilities and risks in what becomes an increasingly dynamic and complex environment. It’s important to understand and address the vulnerabilities that can come with automation.

Common drivers for cloud adoption in APAC

Asian economies are leading the world in cloud readiness today, with Hong Kong (#1) and Singapore (#2) ranked ahead of their western counterparts such as the United Kingdom (#3) and the United States (#5).

Three of the most common drivers for cloud adoption include cost savings and efficiency, access to on-demand computing, and increased agility.

To achieve cost savings, some enterprises take a “forklift approach” and simply move their apps from their on-premises data center to the cloud – and shut their data centers. In this scenario the enterprise does not take full advantage of the dynamic capabilities offered by cloud computing and consequently requires only minimal automation. To achieve much greater efficiency, organizations need to re-architect and replace applications, rather than simply move them. This agility requires a high level of automation, which is noted in the third scenario below.

It’s increasingly common that enterprises want access to on-demand computing. This provides rapid access to significant computing capacity, such as for big data and analytics. To achieve this, application instances are created instantly to meet the demands of the business. It’s automation that makes this possible, assigning and securing the required credentials and privileges when each new instance is created.

The third scenario is all about agility — enabling the enterprise to more rapidly develop and deploy applications to better support customers and evolving market needs. As development practices such as Continuous Integration, Continuous Delivery (CI/CD) pipelines, and DevOps are adopted, developers also leverage orchestration and automation tools to speed software development and deployment. Enterprises with robust CI/CD pipelines may do multiple and potentially dozens of code deployments each day using automated processes and tools. Clearly, automation is critical in this scenario.

Potential vulnerabilities expand with automation

Across each of these scenarios, the level of automation required increases. It’s important to understand some of the core vulnerabilities and risks that need to be addressed to protect an organization’s cloud environment.

Regardless of the primary driver for cloud adoption or the level of automation, every organization needs to protect the privileged accounts, credentials and access rights for its cloud management consoles. The consoles are very powerful, and they are used by both humans and automated scripts. Consequently, the console is vulnerable to phishing attacks and is a common entry point for attackers. Additionally, all organizations will need to secure the privileged credentials used to manage the enterprise’s cloud-based infrastructure, including the operating system, database and other resources, as well as any embedded static application credentials.

With on-demand computing, there are additional vulnerabilities to protect. These include, for example, any dynamically assigned application credentials, API keys, and cloud secrets as well as the privileged credentials established when new application instances are created with auto scaling or other orchestration tools. When each new instance is created with auto scaling, it will need privileges to access other applications and resources, and this access must be automatically secured.

In the market agility scenario, the vulnerabilities and risks described in the earlier examples must be protected, and so must the privileged credentials and secrets associated with the CI/CD pipeline, including all the administrative consoles for orchestration and other tools. The trust relationships must also be fully automated by automatically storing, retrieving and managing secrets and credentials across the pipeline.

In summary, as the level of automation increases, the vulnerabilities and attack surface also increase. Consequently, it is important that organizations are aware of and defend against the vulnerabilities that can come with automation.

No matter where you are in your enterprise’s cloud journey or the level of automation you are using, you will need to implement robust privileged account security policies to protect your cloud assets.

Chris Smith is lead product marketing at CyberArk