This article is part of our State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
The following is an interview OpsCompass CTO John Grange recently had with Ilia Sotnikov, VP of Product Management at Netwrix.
JG: What’s the state of cloud security?
IS: Cybersecurity overall is still a relatively new field, and the professional community still needs to turn it from art into science. Cloud security is probably one of the youngest disciplines within the cybersecurity space, so nothing is a given. Market analysts are trying to define the segments of cloud security, IT execs are complaining about a shortage of expertise in the job market, and security professionals are wrapping their heads around constantly changing offerings from cloud service providers. The speed of changes from any single major CSP like Amazon, Google, or Microsoft is challenging for the security teams to keep up with. As you learn to secure the existing cloud workloads, the business wants to start leveraging a new API or new platform capabilities that would change the attack surface. On top of that, the majority of the companies live in a more complex hybrid multi-cloud environment; many have critical parts of the infrastructure still running in a data center on premises. All of this creates a unique set of challenges: security teams have to find at least some consistency across controls available from different CSPs; constantly learn and adapt to the changing environment; and stay on top of the technology news to understand what the next marketing buzzword is worth in reality.
Of course, the attackers look for ways to take advantage of this situation. As more and more companies move their data and workloads to the cloud, the rate of attacks on cloud infrastructure is also increasing.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
IS: March 2020 was the turning point for a lot of companies that had to move staff to work from their homes almost overnight. The need for data and services availability drove increased adoption of various cloud applications. The IT and security teams did not have much time to learn how to configure and secure these platforms. The uncertainty of the business environment often added budget or staff cuts, which obviously did not help to make this rushed digital transformation more secure. That said, the pandemic did not really introduce anything new; all the trends had been there before and were just accelerated by this crisis. Companies that had started to plan for zero trust networking were much faster to adapt to the new reality and did this more securely.
My main takeaways are:
- Watch the trends and stay on top of technology news. You don’t have to be on the edge of every new technology, but some level of understanding and preliminary thinking (if not planning) will help when the world events force you to accelerate.
- Understand the business processes and data flows. What do you have and what’s most valuable for the company? This will be a huge help when you find yourself with scarce resources and need to prioritize tasks under pressure.
- Try to come up with consistent and technology-independent security policies. Every new platform will introduce new terminology and new tools, but security fundamentals remain the same. In the simplest possible form, a technology-agnostic checklist of controls will ensure nothing falls through the cracks as you have to work across multiple cloud and on-prem systems.
JG: What are the most common challenges organizations face when it comes to cloud security today?
IS: According to the 2021 Netwrix Cloud Data Security Report, the top challenges when it comes to data security in the cloud were lack of IT staff (52%), lack of budget (47%) and lack of cloud security expertise (44%). Employee negligence was named by 38% of respondents, but just 17% chose malicious actions of insiders as an issue. This finding reflects reality, since only 10% of organizations reported data theft by employees. One in four respondents said that business executives put pressure on the IT team to drive rapid digital transformation or growth to the detriment of data security. This problem is especially critical for CISOs — 48% note that the business’s desire for growth hinders efforts to ensure data security in the cloud.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
IS: Evaluate your supply chain. Supply chain compromises are increasingly threatening. Incidents that included supply chain compromise had the most impact on organizations; they were more likely to result in compliance fines, decrease in new sales, change in senior leadership and even lawsuits than any other incident types. To avoid these consequences, organizations should reduce risks via network segmentation and continuous auditing for malicious activity. Also, it is safe to ask all technology partners to prove they take every necessary security measure, including third-party audits, and limit your liability through contracts that make them accountable in the event of a breach.
Employ security automation or leverage outsourcing to escape “new day, new breach reality”. Lack of staff, financial resources and expertise can be offset by automating routine IT tasks. This is even more critical with more IT and security administrators working remotely and requiring more time to address other critical issues. Limited resources can also be tackled by outsourcing critical security tasks to managed security services providers (MSSPs) who can apply security best practices and field-proven processes to ensure your data is protected from threat actors and new breaches.
Think of the future, not just today. To apply adaptive security practices that address real and present risks, organizations should think about the immediate impact as well as the long-term consequences threats and vulnerabilities can pose. It is not sensible to think only of the immediate unplanned expenses and compliance fines of a potential breach. There are many, more severe outcomes that can affect your organization, including loss of reputation and consumer trust. Assessing your security risks needs to account for all aspects of a potential loss.
JG: What’s the future of cloud security?
IS: I think the industry will move towards more standardization and interoperability. Organizations like ISO and NIST, vendor alliances, and professional communities are all contributing to this process. This trend should also help to create security education programs that will allow new graduates to learn the fundamentals. On the other hand, the evolution of cloud technology is not going to slow down. You can expect the environments will only grow in size and complexity, with more moving parts, like various internet-connected sensors and devices. The threat landscape is also going to evolve and adapt, looking for more ways to monetize breaches. Security teams should keep up with the change, investing enough time and money in on-the-job training.