As a non-engineer working in tech, I’m always looking for analogies that make technical concepts more tangible for the other non-engineers in the room. It recently occurred to me that renting out one’s house on AirBnB produces surprisingly similar challenges to cloud-native security, and so here it goes:
Vacation rental houses are usually listed on major rental sites like AirBnB and VRBO amongst a sea of competition, often across multiple regions that wouldn’t historically have competed directly - “Whistler, Tahoe, Aspen? Which one has the most awesome house? Let’s go there!”
In this highly competitive environment, with rental rates per night so high that owners can make a month’s worth of traditional long-term rent in a long holiday weekend, speed of responsiveness and “time-to-booking” amongst owners is pivotal to financial success.
But, in that race to close the bookings and seal the deal with prospective renters, speed reduces two key areas of control that owners have long relied on to maintain the security of their homes: 1) Identity verification and 2) Managing behaviors once verified users already have the keys.
15 years ago, houses would typically be rented via a property management company. Interested renters would contact the local vacation rental company, talk directly to a person about their needs, review options, agree to terms, and then show up at the office in person to sign paperwork and pick up the keys. It made sense that human intervention was involved in validating a renter’s identity, instilling rules for appropriate behavior to keep the home of a stranger intact, and maintaining an air of formality around consequences for breaches of trust. Everything about the experience was very tangible (and unscalable) in a way that online bookings today are not.
In the fast-paced, online world of today, almost no renter on the planet is willing to put up with a phone call and an in-person visit to pick up the keys to a vacation rental house. The culture has fundamentally shifted in favor of convenience for renters, and with it, identity has become harder to validate and enforce.
Take, for example, the process of sending a driver’s license photo on AirBnB. Software can now identify fake IDs better than, say, a liquor store owner next to a college campus, but what happens if the person making the booking and sharing their real ID isn’t actually the one renting the house? Let’s say it’s a parent making a booking on behalf of their college-aged child, helping their son’s or daughter’s fraternity or sorority find a home for their 40-person winter ski extravaganza. The account may even have a decent prior rental history associated with that identity, and yet that prior history does not preclude a new abuse of the system. The fact that all the new renter needs to access the house is a lockbox code, while property managers are only involved reactively after complaints from neighbors, adds to the difficulty of preventing issues in this identity-sharing example.
The consequences for this lack of enforcement are real - there is a reason vacation rentals have been banned in quaint communities across the country, with poor renter behavior being one of several rallying cries against a concept that existed peacefully for decades before the speed, scale, and depersonalization of the internet changed the game entirely.
How is this related to cloud-native security? Intentional misrepresentation of identity and sharing of identity amongst multiple members of a team are extremely common practices, and are more common than ever as teams are under pressure to deploy faster and faster.
Additionally, using the lockbox analogy, while some owners use new technology that changes access codes to their house with every renter, many are still using old lockboxes with codes that do not change with every new identity that is granted access. Each new person is given the same code, depending on an honor system (and the local sheriff) to prevent prior renters from showing up for a covert visit using the access code that they still have.
Similarly, in the cloud-native world, many legacy systems do not change access keys as API endpoints change. Shared API keys and access controls are extremely common when making calls between different interfaces, especially when you have reused software snippets to help you move fast. In most cases, the reused snippet doesn’t have built-in identity and authorization components, which makes it impossible to know who is actually making the calls, just as a shared lockbox code among friends makes it virtually impossible to know who actually has access to the keys.
There are lots of solutions in the works meant to reduce identity misrepresentation or sharing of identities, but what happens when the identity of the user is correct, completely accurate and kosher, but the other guests who are with them have strayed from their original intent or control, breaking rules and causing unanticipated damage?
Take, for example, some well-intentioned parents bringing their extended family to the ski house for a New Year’s holiday. They can perhaps keep an eye on their three kids, four kids, five kids, plus their friends, cousins, and… their guests too? At some point, the sheer number of people bouncing around in the house starts to cause damage and create more risk. A broken lamp here, a clogged toilet there escalate into broken windows, burst pipes, and overflowing hot tubs as the frenetic energy of more and more users, activities, and interactions starts to interplay and evolve into something totally unmanageable. While one would hope that the parents have a system in place to manage that and that the rental contract has a clause to help cover the cost of damages after the fact, the identity verification process doesn’t even touch this issue of managing behavior and adherence to rules once a renter has taken the keys and entered the house.
Similarly, in the cloud-native world, the number of services and API interactions has become totally unmanageable. A single user can’t police what is happening across thousands of events even if they want to, and with that volume of interactions, damage and security breaches are unavoidable. This is where limiting each user’s access comes in, so that the damage they can do once inside the house (or cluster or data store) is bounded, and why the parents should be able to give more or less access to the guests whom they trust the most. The helpful teenager should have more access to the cupboards than the toddler, and so too should a senior architect have more access to important prod clusters than a summer intern. Similarly, who is allowed to open the door to new guests should be a role-based decision, with trust applied to some who have earned it and not to others. And often, depending on the system, no one but the primary role responsible should be allowed to open the door at all.
There are guardrails here, and trust based on past behavior is a useful starting point, but let’s say that some guests go unexpectedly berserk once the spirit of the après-ski takes hold. Tracking actions and violations of rules would allow real-time changes to access and risk posture based on real data instead of just the assumptions made going into the holiday. Similarly, real-time, real-world data needs to be tracked and analyzed to manage access controls and rules enforcement based on actual system, traffic, and user behavior rather than just assumptions made in staging before a production deployment. And luckily, while automatically tracking the activities of one’s children within a vacation rental home has uncomfortable social implications à la George Orwell’s 1984, such tracking and enforcement of access and security rules in a cloud-native stack has no dubious morality for anyone involved.
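To make the three cloud-native points above concrete (a shared key gives no attribution, role-based access bounds what a caller can do and who may admit new callers, and tracked violations can revoke access in real time), here is a small added example in Python. It is not code from the original post; the roles, permissions, key value and violation threshold are constructed for illustration.

```python
"""Added example: the shared 'lockbox code' beside per-identity, role-based access."""
from dataclasses import dataclass, field
import secrets

# --- The old lockbox: one static key handed to every caller -------------------
SHARED_KEY = "lockbox-1234"  # constructed sample value, not a real secret

def shared_key_call(presented_key: str, action: str):
    """Accept or reject a call made with the shared key.
    Returns who made the call; with a shared key the only possible answer is
    'someone who has the code', which is exactly the attribution gap in the post."""
    if presented_key != SHARED_KEY:
        return None
    return "unknown holder of shared key"

# --- Per-identity tokens, role-based permissions, audit trail, revocation -----
# Constructed roles: an intern may only read; an architect may also write and
# admit new callers (i.e. "open the door to new guests").
ROLE_PERMISSIONS = {"intern": {"read"}, "architect": {"read", "write", "admit"}}

@dataclass
class AccessBroker:
    tokens: dict = field(default_factory=dict)      # token -> (identity, role)
    audit: list = field(default_factory=list)       # (identity, action, allowed)
    violations: dict = field(default_factory=dict)  # identity -> denied-call count

    def issue(self, identity: str, role: str) -> str:
        """Bootstrap: mint a fresh, unique token for one identity (a new code per renter)."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (identity, role)
        return token

    def admit(self, admitter_token: str, identity: str, role: str):
        """Only a caller whose role carries 'admit' may issue tokens to new callers."""
        holder = self.tokens.get(admitter_token)
        if holder is None or "admit" not in ROLE_PERMISSIONS[holder[1]]:
            return None
        return self.issue(identity, role)

    def call(self, token: str, action: str, threshold: int = 2):
        """Authorize one action. Every attempt is attributed to a named identity and
        logged; repeated denials past `threshold` revoke the token in real time."""
        if token not in self.tokens:          # unknown or already revoked
            return (None, False)
        identity, role = self.tokens[token]
        allowed = action in ROLE_PERMISSIONS[role]
        self.audit.append((identity, action, allowed))
        if not allowed:
            self.violations[identity] = self.violations.get(identity, 0) + 1
            if self.violations[identity] >= threshold:
                del self.tokens[token]        # the guest went berserk: pull their key
        return (identity, allowed)
```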
While the future of keeping pool tables from fraying and hot tubs from overflowing is hard for me to predict given the wide variety of variables baked into human behavior, I am excited that the right cloud security software can reduce the risks of services and APIs going berserk, even as the number of “guests,” invited and uninvited, continues to grow exponentially.