On Monday of last week, Capital One announced a data breach affecting an estimated 106 million credit card customers and applicants. This is one of the largest data breaches experienced by a large bank. One noteworthy point is that this theft was conducted against data stored in the cloud, hosted by Amazon Web Services. In the past, most intrusions have been conducted against corporate data centers.
Capital One is just one of the many companies that have migrated to cloud services to improve performance, deliver software enhancements faster, and reduce costs by closing dedicated data centers. But the heightened complexity and interdependency of applications deployed in the cloud have also introduced new exposures and vulnerabilities.
While attending the RSA conference in San Francisco this year, I had an opportunity to meet with John Dickson of the Denim Group. John explained how migration to cloud-based infrastructure is a completely new concept versus how apps were developed five years ago. He also discussed the approach used to build cloud applications known as continuous integration/continuous deployment, or CI/CD. The sheer complexity of the many moving parts in this technology can lead to simple missteps in security, and those missteps can lead to a data breach.
The Cloud Hack at Capital One
Glossary of terms and acronyms used in the podcast
S3 Bucket – An Amazon S3 bucket is a storage container in Amazon Web Services' (AWS) Simple Storage Service (S3), an object storage offering in AWS's public cloud. Buckets, which are loosely similar to file folders, store objects, each consisting of data and its descriptive metadata. A bucket is not public by default: who can read its objects is governed by the bucket's access policy and by the IAM permissions of the caller, so a misconfigured policy or an over-privileged identity is what turns a bucket into an exposure.
CI/CD – Continuous Integration/Continuous Deployment
SDLC – Software Development Life Cycle
OPSEC – Operations Security
CISO – Chief Information Security Officer
DevOps is the union of people, process, and technology to enable continuous delivery of value to customers. DevOps, a compound of dev (development) and ops (operations), is a software development practice that unifies development and IT operations. The name signifies coordination and collaboration among formerly siloed disciplines. Quality engineering and security teams also become part of the broader team in the DevOps model.
DevOps includes core practices such as planning and tracking, development, build and test, delivery, and monitoring and operations. These practices, along with DevOps tools and technologies, help automate the application lifecycle. Processes that used to be manual and slow for teams, like updating code or provisioning a new environment, can be done quickly and continuously with DevOps tooling and practices. In addition, it is easier to meet standards for security and reliability because those considerations can be built into the process itself rather than applied by hand afterward.
Cloud services are a broad set of software, storage, and network services made available to companies on a usage-fee basis. Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform are the big three providers. The S3 bucket mentioned in the prior quote is an AWS storage container (see the glossary entry above).
Another term used throughout the conversation is microservices. I found this definition at the opensource.com website:
The central idea behind microservices is that some types of applications become easier to build and maintain when they are broken down into smaller pieces which work together. Each component is continuously developed and separately maintained, and the application is then simply the sum of its constituent components. This is in contrast to a traditional, “monolithic” application where all of the software is developed in one piece of code.
CI/CD refers to Continuous Integration/Continuous Deployment. Under CI/CD procedures, once a developer completes an update to a software component, an automated process creates a software build with the new component, subjects the component and build to automated testing, and, when those tests pass, schedules and posts the update to the live production systems. Because the pipeline is what decides an update is fit for production, any security check the team wants enforced has to be encoded as a pipeline stage; a check left to manual review is easily skipped under the pace the pipeline sets.
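The glossary entry on S3 buckets notes that a bucket's exposure is decided by its access policy, and the CI/CD paragraph notes that checks only count if they run in the pipeline. The following is an added example (not code from the podcast, from Capital One, or from AWS) of the kind of check a CI/CD test stage can run against bucket policies before they are deployed: it parses two constructed policies, a weak one that grants `s3:GetObject` to every principal and a scoped one restricted to a hypothetical application role, and flags any Allow statement open to anonymous callers. The bucket name, the account ID, and the role ARN are placeholders. In a real pipeline the policy document would come from the Terraform or CloudFormation source, or from `aws s3api get-bucket-policy` for a deployed bucket.

```python
"""Flag S3 bucket policy statements that grant access to any principal.

Added example, not code from the podcast, Capital One, or AWS. The two
policies below are constructed for illustration; the bucket name, account
ID and role ARN are placeholders, not real identifiers.
"""
import json

# Constructed example of a weak policy: every object is world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
})

# Constructed example of the corrected policy: one hypothetical application
# role may read, and only over TLS.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-data/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the Principal element admits any caller.

    Both the bare "*" form and {"AWS": "*"} (or a list containing "*")
    mean "everyone", including unauthenticated requests.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(ids) for ids in principal.values())
    return False


def find_public_statements(policy_json):
    """Return the Allow statements whose Principal is open to everyone.

    Each hit records the Sid (or a positional name), the actions granted,
    and whether a Condition block is present. Conditions can narrow a
    wildcard principal (for example to a VPC endpoint), so a hit with
    conditioned=True is a review item rather than proof of exposure.
    """
    policy = json.loads(policy_json)
    hits = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anonymous(stmt.get("Principal")):
            hits.append({
                "sid": stmt.get("Sid", f"statement-{index}"),
                "actions": _as_list(stmt.get("Action")),
                "conditioned": "Condition" in stmt,
            })
    return hits


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_public_statements(policy))
```

The check deliberately reports only on the Principal element. A statement can also become dangerously broad through a wildcard Action or Resource, and S3 Block Public Access settings at the bucket or account level can override a permissive policy, so this function is one gate in a pipeline, not a complete exposure assessment.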