
Seizing Control of the Cloud Security Cockpit

Much like an airplane's dashboard, configurations are the way we control cloud applications and SaaS tools. They are also the entry point for too many security threats. Here are some ideas for making the configuration process more secure.


Michael Bargury, CTO & Co-Founder, Zenity

May 23, 2024

3 Min Read

Airbus A380 cockpit, full of dials and controls and computers and joysticks

Source: JLBvdWOLF via Alamy Stock Photo


The image of a cockpit always struck me as overwhelming. So many knobs and whistles of different shapes and sizes. Do pilots really need all those options at arm’s length? On every flight? And how do they verify that they’re all in the right position before takeoff?

Today's enterprises have tens of millions of these, or rather their digital equivalent: configuration. The cloud and software as a service (SaaS) are now ubiquitous, and they brought with them countless choices to make. Unlike aircraft, we do not have standards and procedures to ensure each and every toggle is switched to the right position. It is no wonder that misconfiguration continues to be the most common cause of cloud security incidents.

Opaque Configurations

Commercial aircraft have thorough manuals that detail the function and implications of each and every toggle in that cockpit. For cloud and SaaS, you'll typically find a one-line explanation hidden on an obscure documentation page. If you're lucky, that short snippet is meaningful and still up to date. In most cases, however, you aren't that lucky: the docs were written three years ago and the service is now wildly different. Entire companies are built on the premise of having a team of experts to figure out what these toggles do. They reverse-engineer, poke around, and brute-force their way to capturing the meaning of each configuration.

In the SaaS and platform-as-a-service (PaaS) worlds, things become even worse. You never really have a full understanding of how things are built under the hood, so building an intuition about which knob does what becomes a guessing game.

Distributed Choice

A cockpit is managed by the captain and first officer, two highly trained professionals with well-defined responsibilities. They are sometimes backed up by the flight engineer, who triple-checks that everything is in order. For cloud and SaaS, it's the Wild West. People across the enterprise make configuration choices every day or, worse, fail to make them and leave an insecure default in place.

It’s not just your cloud developers and SaaS admins, even though they have received most of the attention. Business users are making those choices, too. They leverage low-code/no-code to build and customize their business processes, making configuration choices by the dozens as they go.

Security teams have this problem, too. Can you really say your security stack is 100% optimized and correctly configured? How many incidents could have been prevented by a control that was left in audit mode when it should have been in enforcement mode?

Constant Change

Imagine what would happen if the cockpit changed its toggles — their functionality, their implications, or just their appearance — every quarter. Now imagine it changes multiple times a day.

Continuous delivery is the holy grail of enterprise cloud and SaaS companies hoping to move fast. We have given permission to vendors to change their offerings under the hood as much and as fast as they can. This is a good thing, mostly, because this is how excellent software gets built. However, applying that same principle to the user interface means configuration can change at an alarming rate. The meaning of an existing configuration could change as well, making it much more difficult to understand what’s going on.

Even if configuration options are the same, the enterprise environment is ever-evolving. SaaS and cloud resources are connected in different ways. They hold different data subject to different sets of regulations. Risk decisions adapt as the threat landscape changes.

It’s Time for Standards

Public pressure in recent years has forced big vendors to change their insecure defaults, which helps put us all in a better position. New S3 buckets now block public access by default. So do Copilot bots built with Microsoft's Copilot Studio.

Some cloud and SaaS platforms have started publishing recommended configurations for a secure deployment. CISA and other organizations have put out excellent recommendations to follow.
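A secure default only protects resources created after the vendor flipped it, and a recommended configuration only helps if someone checks the estate against it as it keeps changing. The script below is an added example, not code from the article or from Zenity, that turns the S3 Block Public Access baseline into such a check: it treats the four Block Public Access flags as the standard, reports every bucket that drifts from it, and flags buckets whose policy actually makes them reachable from the Internet. The bucket inventory is constructed sample data; in a real audit the same two inputs come from boto3's s3.get_public_access_block() (absent on buckets that predate the default, hence the None case) and s3.get_bucket_policy(). The account-level Block Public Access setting and bucket ACLs are left out for brevity.

```python
"""Check S3 buckets against a Block Public Access baseline and flag
buckets whose policy makes them reachable from the Internet."""

# Secure baseline: all four S3 Block Public Access (BPA) flags on. Same key
# names as boto3's s3.get_public_access_block()["PublicAccessBlockConfiguration"].
SECURE_BASELINE = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def is_public_principal(principal) -> bool:
    """True when a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_public_access(policy: dict) -> bool:
    """True when some Allow statement has a wildcard Principal and no Condition.

    Conditioned wildcard statements can still be public (for example a weak
    IpAddress condition); this example is deliberately conservative and leaves
    them to human review rather than declaring them safe or public.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if is_public_principal(stmt.get("Principal")):
            return True
    return False


def baseline_drift(pab):
    """Names of BPA flags that differ from SECURE_BASELINE.

    pab is the PublicAccessBlockConfiguration dict, or None when the bucket has
    no BPA configuration at all (every flag then behaves as False)."""
    current = pab or {}
    return [k for k, want in SECURE_BASELINE.items() if current.get(k, False) != want]


def evaluate_bucket(pab, policy):
    """Return {"verdict": "PUBLIC" | "DRIFT" | "OK", "drift": [...]}.

    RestrictPublicBuckets is the flag that neutralises an already-public
    policy; BlockPublicPolicy only stops new public policies being attached.
    """
    drift = baseline_drift(pab)
    restricted = bool(pab and pab.get("RestrictPublicBuckets", False))
    public_policy = policy_grants_public_access(policy) if policy else False
    if public_policy and not restricted:
        verdict = "PUBLIC"
    elif drift:
        verdict = "DRIFT"
    else:
        verdict = "OK"
    return {"verdict": verdict, "drift": drift}


def evaluate_all(buckets):
    """buckets: {name: {"pab": dict|None, "policy": dict|None}} -> {name: result}."""
    return {name: evaluate_bucket(b["pab"], b["policy"]) for name, b in buckets.items()}


# Constructed sample inventory (not real buckets). In a live audit, fill "pab" from
# s3.get_public_access_block() (None on NoSuchPublicAccessBlockConfiguration) and
# "policy" from json.loads(s3.get_bucket_policy(Bucket=name)["Policy"]).
SAMPLE_BUCKETS = {
    # Hardened bucket: all BPA flags on, policy scoped to one role.
    "logs-prod": {
        "pab": dict(SECURE_BASELINE),
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/log-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::logs-prod/*"}]},
    },
    # Bucket created before the secure default, never had BPA set, wildcard policy.
    "website-assets": {
        "pab": None,
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::website-assets/*"}]},
    },
    # Wildcard policy, but RestrictPublicBuckets is on, so S3 refuses anonymous
    # requests; BlockPublicPolicy was toggled off and should be restored.
    "data-export": {
        "pab": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": True},
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": ["*"]},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::data-export/*"}]},
    },
}

if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_BUCKETS).items():
        print(f"{name:16} {result['verdict']:6} drift={result['drift']}")
```

Run against the sample, logs-prod comes back OK, website-assets comes back PUBLIC with all four flags drifted, and data-export comes back DRIFT on BlockPublicPolicy alone. The split between "drifted from the standard" and "actually exposed" matters in practice: the first list is what a published baseline gives you, the second is what the on-call engineer needs first, and only a check that runs continuously keeps either list current as the estate changes.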

These are, however, all dispersed efforts. Working together through industry standards might be what is needed to finally make a real impact in reducing the ever-growing risk of misconfiguration.


About the Author

Michael Bargury

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.
