What’s the biggest challenge you face when it comes to cloud configuration management?
While cloud offers lots of benefits, it’s also extremely hard to manage and do well. It’s a huge opportunity for new innovative companies, but the challenge is there's no one-size-fits-all solution. Every company, every individual, every team is trying to solve this to the best of their ability, and so far I haven't seen anyone do it well, including myself. A lot of companies are coming up with point solutions and have done a good job of developing them around cloud configuration management, doing discovery audits, looking at those configurations and mapping them to best practices, whether they’re NIST or CIS controls, and flagging when things are not aligned.
What it's coming down to is you pick something as simple as Office 365 or Microsoft 365 and there are 7,500 settings that you can configure. Of the 7,500, 2,500 are related to cybersecurity or security settings. How do you manage that?
I don't think the folks at Microsoft built that with the intention of it actually being used by Office 365 administrators. It's supposed to be done by information security professionals yet it's not actually segregated on the admin panel. So you have all of these administrators who think they know what they're doing setting these configuration settings. And until somebody comes along from an audit perspective, nobody actually knows that they've been set incorrectly. It’s a great example of how confusing it can get for everybody involved.
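As an added illustration of the discovery-audit approach this answer describes (example code written for this page, not from the post's author or any product it mentions): the baseline below maps each setting to a benchmark control and flags drift, and a second pass isolates the security-relevant subset that the admin panel itself does not segregate. The setting names, control IDs and tenant export are constructed placeholders, not real Microsoft 365 settings.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed hardening baseline. Keys are made-up setting names, not real
# Microsoft 365 settings; control IDs are placeholders for CIS/NIST references.
# "security" marks the subset an auditor cares about; "minimum" means the
# tenant value must be at least the expected value rather than equal to it.
BASELINE: Dict[str, Dict[str, Any]] = {
    "mfa.enforced_for_admins": {"expected": True, "control": "CTRL-PLACEHOLDER-1", "security": True},
    "mail.external_auto_forward": {"expected": False, "control": "CTRL-PLACEHOLDER-2", "security": True},
    "audit.log_retention_days": {"expected": 365, "control": "CTRL-PLACEHOLDER-3", "security": True, "minimum": True},
    "branding.theme": {"expected": "default", "control": None, "security": False},
}

@dataclass
class Finding:
    key: str
    expected: Any
    actual: Any            # None when the tenant export never set the value at all
    control: Optional[str]
    security: bool

def audit(settings: Dict[str, Any], baseline: Dict[str, Dict[str, Any]] = BASELINE) -> List[Finding]:
    """Compare an exported settings dump against the baseline and return every deviation."""
    findings: List[Finding] = []
    for key, rule in baseline.items():
        actual = settings.get(key)  # an unset setting is still a finding: nobody chose it
        if rule.get("minimum"):
            aligned = actual is not None and actual >= rule["expected"]
        else:
            aligned = actual == rule["expected"]
        if not aligned:
            findings.append(Finding(key, rule["expected"], actual, rule["control"], rule["security"]))
    return findings

def security_findings(findings: List[Finding]) -> List[Finding]:
    """The security-relevant subset: what an infosec reviewer should see separately from ops settings."""
    return [f for f in findings if f.security]

# Constructed tenant export: one compliant value, two wrong values, one setting never touched.
TENANT_EXPORT: Dict[str, Any] = {
    "mfa.enforced_for_admins": True,
    "mail.external_auto_forward": True,
    "audit.log_retention_days": 90,
}

if __name__ == "__main__":
    for finding in security_findings(audit(TENANT_EXPORT)):
        print(finding)
```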
I do lots of work on edge infrastructure that's being rolled out now to get compute proximity close to the user. There's a massive amount of investment into edge, but how many vectors come out of that? How many devices? And what is the policy? How do you manage that environment? Because it doesn't matter if it's cloud on the edge or if it's going to be core cloud. It’s all the same kind of problem, but multiplied by however many nodes there are. We’re going to have 100 billion devices online by 2030, and there will be over a trillion sensors behind all that.
That's why I'm not focused on all the vectors; it's huge. It made me look at my own stuff and say, "We have hardware that we're deploying in here to do virtualization of power inside of mechanical and electrical systems. How secure are we? Are we adding vulnerabilities into our own customer base by rolling this in?" Because if they can get into 1 power distribution unit (PDU) in that rack, 1 compromise in SNMPv3, and your enterprise systems are open, because that's the breach that was happening with Target and all the others.