{"id":102138,"date":"2019-09-27T06:00:01","date_gmt":"2019-09-27T13:00:01","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=102138"},"modified":"2024-08-04T22:56:59","modified_gmt":"2024-08-05T05:56:59","slug":"cloud-default-aggressive-cloud-security","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2019\/09\/cloud-default-aggressive-cloud-security\/","title":{"rendered":"Default: Aggressive \u2013 Navy SEAL Principles for Cloud Security"},"content":{"rendered":"<p>By Matthew Chiodi, Chief Security Officer, Public Cloud<\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s time for organizations to face the challenges of cloud security with the mindset of a U.S. Navy SEAL special operations force. The majority of cloud breaches are the result of misconfigurations, not due to elite hackers identifying sophisticated ways of evading carefully constructed protections.<\/span><span style=\"font-weight: 400;\"> Applying a disciplined and proactive military-style approach can help identify and eliminate such gaping security holes, stopping attacks before they happen.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Former U.S. Navy SEAL officers Jocko Willink and Leif Babin describe a principle they call <\/span><a href=\"https:\/\/www.businessinsider.com\/navy-seals-jocko-willink-leif-babin-be-aggressive-not-reckless-2018-10\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Default: Aggressive<\/span><\/a><span style=\"font-weight: 400;\">, a \u201cconfident, independent and proactive default approach to real-time challenges.\u201d Unit 42, the Palo Alto Networks global threat intelligence team, recently reported that 65% of publicly disclosed cloud security incidents are the result of misconfigurations. 
Here\u2019s how organizations can address these issues by taking a Default: Aggressive stance with their cloud configurations.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Plan Like a SEAL and Expect the Worst\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Earlier this year we released our <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/05\/cloud-big-cloud-5-holistic-cloud-security-strategy\/\"><span style=\"font-weight: 400;\">Big Cloud 5<\/span><\/a><span style=\"font-weight: 400;\"> security framework, which includes five practical steps for getting <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/cloud-security-is-a-shared-responsibility\"><span style=\"font-weight: 400;\">cloud security<\/span><\/a><span style=\"font-weight: 400;\"> right. The second step in the process is to automatically prevent the most serious cloud misconfigurations. Just as guardrails along a highway prevent vehicles from running off the road into dangerous territory, proactive security measures can discourage users from straying into misconfigurations that expose an organization to unnecessary risk. This step is significant because it encourages security teams to transform their thought processes from defensive to proactive.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Organizations can avoid opening themselves up to cloud security incidents by automatically identifying \u201canti-patterns\u201d \u2013 negative, preventable situations \u2013 and then remediating them automatically as well. Through the Default: Aggressive approach to cloud security, organizations can protect themselves responsibly, and dramatically decrease the share of cloud security incidents that can be attributed to misconfigurations. 
But what does this actually look like in practice?<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"974\"><span class=\"ar-custom\" style=\"padding-bottom:63.66%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-full wp-image-98906 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/The-Big-Cloud-5.png\" alt=\"The Big Cloud 5 security framework includes five practical steps for getting cloud security right. \" width=\"974\" height=\"620\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/The-Big-Cloud-5.png 974w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/The-Big-Cloud-5-230x146.png 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/The-Big-Cloud-5-768x489.png 768w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/The-Big-Cloud-5-500x318.png 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/The-Big-Cloud-5-471x300.png 471w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/The-Big-Cloud-5-63x40.png 63w\" sizes=\"auto, (max-width: 974px) 100vw, 974px\" \/><\/span><\/div><\/p>\n<p><b>Proactive = Doing the Small Things Right<\/b><\/p>\n<p><span style=\"font-weight: 400;\">One way to accomplish Default: Aggressive cloud security is through <\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/devops\/learn\/what-is-infrastructure-as-code\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">infrastructure as code<\/span><\/a><span style=\"font-weight: 400;\"> (IaC), automating the process of managing an application\u2019s underlying tech stack rather than approaching the same task through often error-prone, manual configuration. If your organization is using cloud, IaC is a must. IaC may be trending as a buzzword, but that\u2019s for good reason. 
It offers powerful security and quality benefits.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, it forces organizations to document, in code, what a cloud environment will look like and minimizes how many human hands are manually clicking around creating new systems and networks. Second, it allows cloud configurations to be <\/span><a href=\"https:\/\/scanapidoc.redlock.io\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">scanned for security issues<\/span><\/a><span style=\"font-weight: 400;\"> prior to deployment. While an organizational move to IaC can\u2019t be achieved overnight, its benefits far outweigh the risks of manually operating cloud environments.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Default: Aggressive mindset means not waiting for threats before taking action. Organizations can make the decision to move away from reactive production security scanning to building security quality into the entire software development lifecycle. In his 1986 book, \u201cOut of the Crisis,\u201d <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/W._Edwards_Deming\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">W. Edwards Deming<\/span><\/a><span style=\"font-weight: 400;\">, the godfather of total quality management, wrote, \u201cCease dependence on inspection to achieve quality. Eliminate the need for massive inspection by building quality into the product in the first place.\u201d This attitude embodies the core of Default: Aggressive security. 
By moving security to the earliest possible point in the development process, an organization also fulfills another modern principle: <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/07\/4-practical-steps-shift-left-security\/\"><span style=\"font-weight: 400;\">shift-left security<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Default: Aggressive cloud security also calls for strenuously enforcing automated software quality guardrails. Practically speaking, this means starting with a minimum viable product (MVP) shortlist of misconfigurations to eliminate. Examples include configurations such as firewall rules that allow traffic from the entire internet (0.0.0.0\/0) on FTP, MongoDB, MySQL, Oracle, Postgres, RDP and SSH ports. Also include in your initial list things like databases not being encrypted, storage buckets being open to the public, or identity and access management policies that allow assuming role permissions across all services. Configurations like these should likely never exist in your cloud environments.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Default: Aggressive Security Wins<\/b><\/p>\n<p>Navy SEALs methodically plan out missions, attempting to account for as many variables as possible. How we approach cloud security should be no different. Default: Aggressive security allows us to automate away problems that trip up many cloud consumers. A great place to start implementing the mindset is Unit 42\u2019s recent <a href=\"https:\/\/unit42.paloaltonetworks.com\/cloudy-with-a-chance-of-entropy\/\">cloud risk report<\/a>. Use this research to help form the basis of anti-patterns to proactively defend against. 
Doing so will put you ahead of the vast majority of your peers, demonstrably reduce your organization's share of cloud incidents, and place you in an elite category \u2013 just like a SEAL.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s time for organizations to face the challenges of cloud security with the mindset of a U.S. Navy SEAL special operations force.<\/p>\n","protected":false},"author":623,"featured_media":102142,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768],"tags":[3967,1166],"coauthors":[6679],"class_list":["post-102138","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","tag-best-practices","tag-cloud-security"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/09\/boat-647049_1920.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/102138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/623"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=102138"}],"version-history":[{"count":13,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/102138\/revisions"}],"predecessor-version":[{"id":326329,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/102138\/revisions\/326329"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/102142"}],"wp:attachment":[{"href":"https:\/\/www2.pal
oaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=102138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=102138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=102138"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=102138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}