This article is part of our State of Cloud Security 2021 Series which interviews a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.
The following is an interview OpsCompass CTO, John Grange recently had with Deborah Blyth, Chief Information Security Officer, State of Colorado
JG: What is the state of cloud security today?
DB: Cloud systems and infrastructure can be very secure if configured appropriately, sometimes even more secure than on-premise systems. This is especially true when security practitioners work with their infrastructure and applications teams to ensure that the security strategy takes advantage of cloud-native security capabilities. Capabilities such as the creation and ongoing updating of a validated secure image and enforcing immutability can ensure that cloud infrastructure stays constantly up-to-date with current updates while preventing configuration drift.
JG: What are the most common challenges organizations face when it comes to cloud security today?
DB: One challenge that organizations face is that they are often implementing public cloud infrastructure without appropriate training and understanding of how it differs from on-premise infrastructure. For instance, forgetting to disable functionality being tested and test servers can cost the organization a lot of money! Implementing a cloud server with an external IP address may cause a security incident if not configured correctly.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
DB: It’s important to have awareness of what cloud services and systems exist within an organization. Different departments may be adopting cloud services that the security team isn’t aware of. When that occurs, these cloud services may not be secured appropriately, and may not have appropriate security language and requirements included in the contract. It is also critical to validate the configuration of cloud infrastructure – a misconfiguration could cause a disastrous security incident. Having visibility into, control over, and security for privileged accounts is extremely important in cloud systems. On-premise systems require an attacker to gain access to the environment prior to exploiting those privileged accounts, whereas cloud systems are often easily available for attackers to gain access, if privileged accounts are not managed and secure appropriately.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
DB: Implement a cloud security training plan to ensure all of your infrastructure teams and all of your security teams are well versed in cloud security. Require cloud security certifications for a percentage, if not all, of these employees. Utilize multi-factor authentication for privileged cloud accounts. Enforce the adoption of a standard image to ensure security is baked into every image.
JG: What’s the future of cloud security?
DB: Cloud-based systems have proven their value, since they can be accessed from anywhere, at any time, and from any device. This has been especially valuable during the COVID-19 response, since many organizations sent employees home, before having an opportunity to plan their remote access strategy! For our organization, we are looking at more adoption of cloud services and technology as a way to eliminate technical debt. With continued cloud adoption, cloud providers continue to improve cloud security capabilities. As security and infrastructure teams become more knowledgeable about cloud security and take advantage of cloud provider security functionality, cloud security will continue to improve.