Last week’s successful attack against Code Spaces, an up and coming IaaS provider for the DevOps community, is yet another example to all of us of the importance of securing our environments as we move workloads to the cloud. As I read the stark account of what happened, I had an overwhelming sense of empathy for the folks at Code Spaces. While you can argue that they should have taken more care to protect their environment, it is still unfortunate to see a company taken down by an attack. I can’t imagine how awful that day must have been, but maybe it went something like this…
…It is a typical Tuesday morning; you arrive at the office thinking about the projects you want to get done today. You grab your morning coffee and sit down to begin your day. You attempt to access your cloud environment but something is wrong, very, very wrong. You have been compromised. Your customer data and your environment have been kidnapped. You huddle with your management team trying to figure out what to do.
One of your colleagues calls the team over to his computer and tells everyone it is much worse than you think. Not only has your environment been hijacked, the attacker has fortified his position to ensure that there is no way for you to gain access. When you try, he will know. He will start destroying your data. Your team valiantly tries to wrestle control back and somehow finally gets back in. What you find is a disaster. Backups deleted, machines gone, customer data in rubble. In the space of 12 short hours your world has been turned upside down and your up and coming company is gone, never to recover.
For those of us in the IT industry this is a true horror story. Over time I am sure the employees of Code Spaces will move on to other companies and more than likely next week another company will be in the crosshairs of the media trying to explain how they were compromised, but before we bid adieu to Code Spaces here are three lessons we can learn from this devastating compromise:
Security in the cloud is a shared responsibility. A couple of weeks back I wrote about security being a team effort. The context of that discussion revolved around the relationship between IT and the employee, driving home the need for everyone to pull their weight regarding security. This “team” concept also extends to the cloud. When we move workloads into the cloud we are partnering with a cloud provider. The cloud provider will ensure some level of security for the infrastructure; however, securing your specific environment and data is your responsibility. Just like snowflakes, though, every cloud provider is going to be slightly different when it comes to where the security dividing line is drawn. It is your responsibility to make sure you know where you need to pick up the ball regarding security.
Don’t put all your eggs in one basket. Regardless of where our workloads are, the cloud or on-premises, we have to make sure we can recover if the unexpected happens. Have a backup plan, and a backup plan for your backup plan. As Winston Churchill said, “He who fails to plan is planning to fail”. The important aspects of your backup plan are that it allows you to recover quickly, can be initiated at a moment’s notice, and is separate from your production environment. It’s not exciting and not something you would highlight on your resume, but spend the time developing a backup plan now, when you don’t need it. You will be glad you did.
Don’t let success distract you from the fundamentals. Recently I stumbled upon several documentaries about climbing Mt. Everest, the tallest mountain in the world. While I have never climbed a mountain and would probably not last a day in the awful conditions these climbers face, I am fascinated by the process and preparation that goes into climbing the world’s tallest peaks. You might think the most dangerous part of climbing Mt. Everest would be the ascent to the summit, but in fact the vast majority of accidents occur on the descent. The reason most of the climbers give for this phenomenon is that after the excitement of reaching the goal of summiting, climbers relax, they lose focus, and that’s when accidents can happen. As our companies grow and we “summit” in our respective markets, we have to be sure we do not lose focus on the fundamentals. Whether on-boarding new employees, expanding our infrastructure, or moving workloads into the cloud, the first thing we should do is make sure that we maintain a consistent security posture. If you feel you are not able to keep up with the fast-paced growth yourself, look to partner with someone who can help.
It is truly a shame to see an up and coming organization be wiped off the map due to an attack. We should all take this as a warning and take steps to make sure we don’t suffer the same fate.