Cloud Development Environments Reduce The Risk of a Breach
Traditional development workflows where a developer writes code on their laptop introduce significant risk that is mitigated when you move to remote development based in the cloud.
In cybersecurity, we think about various threat models to help understand how we should build tooling and mitigations to prevent those threat models — threat models and the process of threat modeling involves iterating through potential threats/risks/vulnerabilities that could occur and what the potential repercussions would be for each of the identified threats. As you can imagine, these come in many variations depending on the situation and tools you are considering.
The most substantial risk results in a data breach for a company — an exposure of sensitive data that resulted from a security vulnerability.
Developer Workstations #
When we think about software engineers and what types of risks can arise from writing code, securing a developer’s laptop is a primary concern — many breaches have resulted from an insecure developer machine being used to expose source code, or as a basis for accessing production resources.
Almost always, an attacker gains access to a developer’s laptop by convincing them to download something they shouldn’t and execute it — this can come in several different mechanisms:
- phishing emails that prompt developers to download something they shouldn’t.
- free plug-ins or programs that the developer downloads to solve some problems.
- open-source libraries that a developer uses to solve some problem.
Attack Methodology #
Once an attacker has a foothold on the developer’s laptop, they exploit a developer’s access to various resources, for example:
- use a developer’s access to source code to steal intellectual property or secrets.
- use a developer’s access to various production databases or networks to access sensitive company data.
Cloud Development is The Solution #
If we change the developer’s workflow from local development on a laptop to remote development in the cloud, we eliminate a large portion of the attack surface by:
- short authentication windows to the cloud — an attacker with access to a developer laptop no longer has unfettered access because we shorten the window of exposure.
- the remote development environment is sandboxed from a developer’s laptop — all the random things a developer downloads on their laptop no longer have direct exposure to the remote development environment.
- detection of attacker is easier — on a developer laptop, we’re limited to how much CPU and memory we can use to do security analysis which would allow us to detect and respond when something goes wrong. With cloud based environments, we can scale computer and memory to our needs whenever we need.
- engineering, developer, cloud development, security, breach