Cloud infrastructure vendors currently rely on customers to implement secure configurations, controls, and policies and this results in our infrastructure being ill-configured and insecure by default. The cloud offers advantages in terms of availability and scalability, but the technical complexity of configuring and securing it is beyond the capacity of most organizations, even mature ones. Sane security options must be enabled and maintained on a continual basis or are only available as a separate service, if customers are even aware of them at all.
In a recently published paper “Improving the world’s cyber resilience, at scale. Implementing baseline security by default.” Freddy Dezeure, Prof. Lokke Moerel and Dr. George Webster call upon the main cloud providers to unburden their user organizations of the many duplicative efforts of verifying, implementing, and maintaining recommended security baselines by implementing these by default across their customers’ infrastructure. This would go beyond what is traditionally understood as product security because it extends to implementing and maintaining controls in the user environment. It also extends the security by default concept beyond the initial configuration of a product, taking into account the requirements of an evolving threat landscape.
