FinOps 🤝 Security
Sep 16, 24
Historically, a major challenge for security teams has been their perception as a cost center. Given the recent macroeconomic environment, companies have returned their attention to COGS and the bottom line. This presents an opportune moment for security teams to demonstrate that they, too, can improve the bottom line.
FinOps is the practice of bringing a financial accountability cultural change to the variable spend model of cloud, enabling distributed engineering and business teams to make trade-offs between speed, cost, and quality in their cloud architecture and investment decisions.
FinOps Foundation - What is FinOps?
In the cloud, FinOps can be initially neglected in favor of rapid growth. At scale, it is a dedicated function. In between, there are numerous opportunities for security to take on easy wins that not only address security risk, but also save the company money.
🤑 Steampipe’s AWS Thrifty mod offers a quick way to scan for FinOps opportunities. Their 18 benchmarks and 51 controls were a helpful resource in writing this article.
Minimization
The first mutual opportunity lies in minimization.
Data Minimization
The cloud billing model is based on consumption, so fundamentally the less data you store the less you pay. From a security perspective, minimization is a standard principle, as “they” can’t steal what you don’t have.
Tactical examples of data minimization opportunities with meaningful cost impact:
- Delete unused S3 buckets and data. Standardize on a default lifecycle policy for buckets, so that data is not accumulated unnecessarily.
- Delete unattached EBS volumes
- Clean up unused AMIs
- Clean up unused log streams (in case you couldn’t keep secrets out of logs)
- Clean up unused Secrets Manager secrets
Attack Surface Reduction
From a security perspective, many of these tactics are mere hygiene. Even so, addressing them resolves a “security smell” that can indicate other administrative or operational deficiencies.
- Unused NAT Gateways (famously, one of the most expensive resources to be commonly left dangling)
- Unused EIPs, but make sure releasing them doesn’t open you up to takeover
- Long-running EC2 instances, which complicate patch management for security and can indicate FinOps inefficiencies
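The two lists above (data minimization and attack surface reduction) come down to the same thing: find resources that cost money and serve nobody. As an added example (not part of the original post or of Steampipe's mods), the following Python applies those checks to a constructed inventory shaped like the EC2 describe-* responses. The IDs, addresses and hostnames are hypothetical, and the NAT gateway's `BytesOutLast30d` field stands in for a value you would pull from CloudWatch; the EIP check also separates addresses that can be released outright from those that a DNS record still points at, which is the takeover caveat from the list.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory in the shape of the EC2 describe-* API responses.
# All IDs, addresses and hostnames are hypothetical; BytesOutLast30d stands in
# for a value you would pull from the NAT gateway's CloudWatch metrics.
NOW = datetime(2024, 9, 16, tzinfo=timezone.utc)

VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "in-use", "Size": 100,
     "Attachments": [{"InstanceId": "i-0111"}]},
    {"VolumeId": "vol-0bbb", "State": "available", "Size": 500, "Attachments": []},
]
ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa",
     "AssociationId": "eipassoc-0aaa"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb"},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0ccc"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa", "State": "available", "BytesOutLast30d": 0},
    {"NatGatewayId": "nat-0bbb", "State": "available", "BytesOutLast30d": 9_000_000_000},
]
INSTANCES = [
    {"InstanceId": "i-0111", "LaunchTime": NOW - timedelta(days=400)},
    {"InstanceId": "i-0222", "LaunchTime": NOW - timedelta(days=5)},
]
# Constructed DNS A records (e.g. from Route 53) that still point at public IPs.
DNS_A_RECORDS = {"legacy.example.com": "203.0.113.11"}


def unattached_volumes(volumes):
    """EBS volumes with no attachment: billed every month, useful to nobody."""
    return [v["VolumeId"] for v in volumes
            if v["State"] == "available" and not v["Attachments"]]


def idle_nat_gateways(nat_gateways):
    """NAT gateways that moved no traffic in the lookback window."""
    return [n["NatGatewayId"] for n in nat_gateways
            if n["State"] == "available" and n["BytesOutLast30d"] == 0]


def unused_eips(addresses, dns_records):
    """Unassociated EIPs, split by whether a DNS name still points at them.

    An address that DNS still references must have the record removed before
    the address is released; otherwise whoever is allocated that IP next
    inherits the hostname (a dangling-record takeover).
    """
    still_referenced = set(dns_records.values())
    safe, blocked = [], []
    for a in addresses:
        if a.get("AssociationId"):
            continue  # in use, nothing to do
        (blocked if a["PublicIp"] in still_referenced else safe).append(a["AllocationId"])
    return {"release": safe, "fix_dns_first": blocked}


def long_running_instances(instances, now=NOW, max_age_days=90):
    """Instances that have outlived the patch cadence (and probably the autoscaling story)."""
    cutoff = now - timedelta(days=max_age_days)
    return [i["InstanceId"] for i in instances if i["LaunchTime"] < cutoff]


def hygiene_report(volumes=VOLUMES, addresses=ADDRESSES, nat_gateways=NAT_GATEWAYS,
                   instances=INSTANCES, dns_records=DNS_A_RECORDS):
    """Collect every finding into one dict so it can be ticketed per owner."""
    return {
        "unattached_volumes": unattached_volumes(volumes),
        "idle_nat_gateways": idle_nat_gateways(nat_gateways),
        "unused_eips": unused_eips(addresses, dns_records),
        "long_running_instances": long_running_instances(instances),
    }


if __name__ == "__main__":
    for finding, items in hygiene_report().items():
        print(f"{finding}: {items}")
```

In a real account the four inventories come from `describe_volumes`, `describe_addresses`, `describe_nat_gateways` and `describe_instances`, with the NAT traffic figure from CloudWatch; the point of keeping the checks as pure functions is that the same code runs against a saved inventory snapshot during an investigation.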
Observability & Ownership
The biggest overlap in FinOps and Security is their reliance on observability and ownership. These are key in understanding what changes can safely be made to a system, and who your stakeholders are in making those changes.
Observability
Security often requires the addition of optional logging and auditing, which imposes cost. By working with FinOps, it is easier to present a unified justification for that cost, one that also delivers security benefit. Take S3 Access Logging: it is both a critical utility for incident response and for validating breach impact, and also useful for identifying unused data to minimize. VPC Flow Logs are another case: a useful source of security data that can also highlight architectural flaws driving excess traffic (and therefore cost).
Monitoring for surprising cost changes is another class of mutually beneficial observability. While it is a common FinOps responsibility, cost anomaly monitoring is often the best late warning signal of a successfully deployed cryptominer in your environment. Security-relevant cost anomalies can also involve new services or new regions, in addition to spikes in cost and usage. Historical cost data can also be useful in forensic investigations. It can be used to reconstruct attack timelines, and even to identify the scope of impact based on data transfer volumes.
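As an added example (not from the original post), here is the detection logic behind the three anomaly classes just named: a spend spike, a service never used before, and a region never used before. It runs over constructed daily cost rows in the shape of a Cost Explorer result grouped by service and region; the baseline window, spike factor and minimum dollar delta are assumptions you would tune to your own bill.

```python
from collections import defaultdict
from statistics import median

# Constructed daily cost rows (day, service, region, usd), in the shape you
# would get from a Cost Explorer query grouped by SERVICE and REGION.
COST_ROWS = []
for _day in range(1, 8):  # seven quiet baseline days
    COST_ROWS.append((f"2024-09-{_day:02d}", "AmazonEC2", "us-east-1", 100.0 + _day % 3))
    COST_ROWS.append((f"2024-09-{_day:02d}", "AmazonS3", "us-east-1", 20.0))
COST_ROWS += [
    ("2024-09-08", "AmazonEC2", "us-east-1", 104.0),
    ("2024-09-08", "AmazonS3", "us-east-1", 21.0),
    ("2024-09-08", "AmazonEC2", "ap-southeast-2", 80.0),   # compute in a never-used region
    ("2024-09-09", "AmazonEC2", "us-east-1", 900.0),        # ~9x the usual daily compute spend
    ("2024-09-09", "AmazonS3", "us-east-1", 20.0),
    ("2024-09-09", "AmazonSageMaker", "us-east-1", 500.0),  # a never-used service
]


def detect_anomalies(rows, baseline_days=7, spike_factor=3.0, min_delta_usd=50.0):
    """Flag new services, new regions and per-(service, region) spend spikes.

    The first `baseline_days` days only teach the detector what normal looks like.
    A spike is a day more than `spike_factor` times the trailing median for that
    service/region AND at least `min_delta_usd` above it (so $2 -> $8 is not noise
    worth paging on). Returns findings in chronological order.
    """
    by_day = defaultdict(list)
    for day, service, region, usd in rows:
        by_day[day].append((service, region, usd))

    history = defaultdict(list)          # (service, region) -> prior daily costs
    seen_services, seen_regions = set(), set()
    findings = []
    for i, day in enumerate(sorted(by_day)):
        for service, region, usd in by_day[day]:
            key = (service, region)
            if i >= baseline_days:
                finding = {"day": day, "service": service, "region": region, "usd": usd}
                if service not in seen_services:
                    findings.append({**finding, "kind": "new_service", "baseline": 0.0})
                elif region not in seen_regions:
                    findings.append({**finding, "kind": "new_region", "baseline": 0.0})
                elif len(history[key]) >= baseline_days:
                    base = median(history[key])
                    if usd > spike_factor * base and usd - base > min_delta_usd:
                        findings.append({**finding, "kind": "spike", "baseline": base})
            history[key].append(usd)
            seen_services.add(service)
            seen_regions.add(region)
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(COST_ROWS):
        print(f"{f['day']} {f['kind']:<12} {f['service']} {f['region']} "
              f"${f['usd']:.2f} (baseline ${f['baseline']:.2f})")
```

The median rather than the mean is deliberate: one earlier spike would otherwise inflate the baseline and hide the next one. For the forensic use the post mentions, the same `history` structure, kept per day, is what lets you read an attack timeline back out of the bill.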
Ownership
FinOps’ focus on “financial accountability” offers one of the best opportunities to improve tagging and ownership in your environment. Tagging resources provides useful context for security automation, like the sensitivity classification of the data associated with a resource, while also serving as a core prerequisite for ABAC. For FinOps, these tags allow you to attribute costs effectively. Establishing ownership also offers a great chance to identify orphaned resources, which are undesirable from both perspectives.
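As an added example (not from the original post), the following Python ties the three uses of tags together: a required-tag check for cost attribution, an orphan check against a team directory, and the ABAC policy in which the same `owner` tag becomes the access-control decision. The resources, ARNs, account ID and team names are constructed; `abac_allows` is a local re-statement of the policy's condition, not the IAM evaluation engine.

```python
REQUIRED_TAGS = ("owner", "cost-center", "data-classification")

# Constructed resource inventory; ARNs, account ID and team names are hypothetical.
RESOURCES = [
    {"arn": "arn:aws:s3:::payments-exports",
     "tags": {"owner": "payments", "cost-center": "CC-100",
              "data-classification": "confidential"}},
    {"arn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0bbb",
     "tags": {"owner": "growth-2021"}},          # team that was disbanded
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0222",
     "tags": {}},                                # never tagged at all
]
KNOWN_OWNERS = {"payments", "platform"}  # e.g. pulled from your team directory


def missing_tags(resources, required=REQUIRED_TAGS):
    """Map ARN -> list of required tags it lacks (resources that pass are omitted)."""
    report = {}
    for r in resources:
        missing = [t for t in required if t not in r["tags"]]
        if missing:
            report[r["arn"]] = missing
    return report


def orphaned(resources, known_owners=KNOWN_OWNERS):
    """Resources whose owner tag is absent or names a team that no longer exists."""
    return [r["arn"] for r in resources if r["tags"].get("owner") not in known_owners]


def abac_policy(actions):
    """IAM policy document: allow `actions` only on resources whose owner tag
    equals the calling principal's owner tag (the tag-matching ABAC pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {"StringEquals": {
                "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"}},
        }],
    }


def abac_allows(principal_tags, resource_tags):
    """Local evaluation of the condition above. Note the consequence for
    ownership: an untagged resource matches no principal, so nobody can use it,
    which is exactly the orphan you want surfaced rather than silently kept."""
    return "owner" in resource_tags and resource_tags["owner"] == principal_tags.get("owner")


if __name__ == "__main__":
    print("missing tags:", missing_tags(RESOURCES))
    print("orphaned:", orphaned(RESOURCES))
    print("payments can read its bucket:",
          abac_allows({"owner": "payments"}, RESOURCES[0]["tags"]))
```

The `orphaned` list is the FinOps and security hand-off: every ARN on it has nobody to charge and nobody to ask before deletion, so it goes straight into the minimization queue above.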
Architecture
All architecture is fundamentally about cost, and all cloud cost is fundamentally about architecture.
Corey Quinn - The Key to Unlock the AWS Billing Puzzle is Architecture
Architectural changes are the most intensive FinOps-cum-Security opportunity. Two common improvements that also reduce security risk:
- Reducing state: minimizing state lets you make greater use of spot instances and improves your scaling flexibility. From a security perspective, stateless applications remove entire vulnerability classes.
- Using VPC Endpoints, ensuring traffic from the VPC to other AWS services like S3 or DynamoDB does not leave the Amazon network. VPC endpoints can be 80% cheaper than using a NAT gateway. At the same time, they’re a core component of establishing a data perimeter.
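To make the data perimeter point concrete, here is an added example (not from the original post) of the two policies that turn an S3 gateway endpoint into a perimeter: an endpoint policy that only lets traffic through to buckets owned by your organization, and a bucket policy that only accepts requests arriving through that endpoint. The organization ID, endpoint ID and bucket name are constructed placeholders, and `request_allowed` is a deliberately simplified local model of how the two conditions combine, not the real IAM engine (identity policies and other conditions still apply).

```python
# Constructed identifiers: organization ID, endpoint ID and bucket names are hypothetical.
ORG_ID = "o-exampleorg1"
ENDPOINT_ID = "vpce-0abc123"


def endpoint_policy(org_id=ORG_ID):
    """Gateway endpoint policy: requests through this endpoint may only reach
    S3 resources owned by accounts in our organization (aws:ResourceOrgID)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceOrgID": org_id}},
        }],
    }


def bucket_policy(bucket, endpoint_id=ENDPOINT_ID):
    """Bucket policy: deny any request that did not arrive via the approved endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": endpoint_id}},
        }],
    }


def request_allowed(source_vpce, resource_org_id, endpoint_id=ENDPOINT_ID, org_id=ORG_ID):
    """Simplified model of the two policies acting together.

    source_vpce:      the endpoint the request came through, or None if it did not
                      use one (e.g. a NAT gateway path or the public internet).
    resource_org_id:  the organization that owns the target bucket.
    """
    if source_vpce == endpoint_id and resource_org_id != org_id:
        return False  # endpoint policy: no traffic to buckets outside the org
    if resource_org_id == org_id and source_vpce != endpoint_id:
        return False  # bucket policy: our bucket is reachable only via our endpoint
    return True       # outside both policies' scope; other controls decide


if __name__ == "__main__":
    import json
    print(json.dumps(endpoint_policy(), indent=2))
    print(json.dumps(bucket_policy("payments-exports"), indent=2))
    print("workload -> own bucket:", request_allowed(ENDPOINT_ID, ORG_ID))
    print("workload -> foreign bucket:", request_allowed(ENDPOINT_ID, "o-someoneelse"))
    print("internet -> own bucket:", request_allowed(None, ORG_ID))
```

The cost and security arguments are the same change: once the endpoint exists, the NAT gateway stops carrying S3 traffic, and the same endpoint ID becomes the pin in the bucket policy that keeps your data reachable only from your VPC.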
Thank you to Houston Hopkins, who helped me develop this set of tactics, and often pontificates on the links between cloud security and FinOps.