Cloud and Hosting | 12.07.2024

Complexity is the enemy of security

Orange Cyberdefense’s managing director for South Africa, Dominic White, said one of the greatest security risks in cloud systems and services is their complexity.

“Complexity is the enemy of security,” White said during his presentation at the MyBroadband Cloud & Security Conference 2024.

He referred back to his first talk at a MyBroadband Cloud and Security Conference in 2016, where he discussed three opportunities cloud technology held to improve security online.

These included re-engineering the stack, using immutable, disposable servers, and centralising and scaling security efforts.

He joked that the subtitle of his 2024 talk is, “Well… that didn’t work.” The high level of complexity in cloud platforms has worked against efforts to improve security.

White illustrated the depth of the issue with a recent security incident that Microsoft disclosed involving one of the least complex elements of cloud technology — storage buckets.

This is significant, considering that Microsoft Azure is a hyperscaler, one of the largest cloud platforms in the world.

White explained that Microsoft had accidentally exposed passwords, keys, and credentials of Microsoft employees to the open Internet through a misconfigured storage bucket.

Researchers at SOCRadar discovered that the Azure-hosted server storing sensitive data linked to the Bing search engine was left without password protection, making it accessible to anyone online.

“This is the simplest part of the cloud. It’s a storage bucket where you put stuff,” said White.

“They are making those mistakes in a simple thing. Can you imagine who else is making mistakes in the sprawling complexity and how long those mistakes are going to persist?”

However, White said it’s not hopeless. There are strategies organisations can implement to tackle the security challenges presented by cloud technology.

He presented a model companies should think about when tackling cloud security.

White summarised it in three aspects: Exposure, Access, and Movement.

He explained that the basic principles are to think carefully about which services and features you enable or leave enabled by default.

“Turning stuff off is an underrated security feature,” White said.

He also said it’s important to consider what happens when credentials are compromised.

White likened it to building the most impenetrable security for your house. Yet, if you go to the shops and someone steals your car with your house keys in it, your home is vulnerable.

He also said that it is important to consider the humans who use a service and design systems in a way that makes it easy for them to maintain good security practices.

Another important aspect to consider is how easy it might be for an attacker to move through a system if they gain entry to one area.

White was a presenter at the 2024 MyBroadband Cloud & Security Conference, held at The Venue, Melrose Arch, on Thursday, 11 July 2024.

He is one of the best-known and most respected figures in South Africa’s cybersecurity and cloud security space.

As Orange Cyberdefense’s managing director for South Africa, White is responsible for overseeing Orange Cyberdefense’s operations in the country.

He also serves as the company’s ethical hacking director, and in this capacity, he is responsible for bringing the ethical hacking community at Orange Cyberdefense together globally.

White was the chief technology officer for SensePost, which rebranded to Orange Cyberdefense in 2020. Before that, he was a security and privacy services manager at Deloitte.

Orange Cyberdefense provides expertise to help customers understand problems and architect solutions.

White holds a Master of Science in Computer Science from Rhodes University.

From a young age, he showed an interest in computer science and security, setting up a firewall to block the school’s monitoring tools so he and his friends could play Quake during computer science classes.
