This article is part of our State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
The following is an interview that OpsCompass CTO John Grange recently had with Keatron Evans, Principal Security Researcher and Instructor, Infosec.
JG: What is the state of cloud security today?
KE: The current state of cloud security is that it is still very much in its infancy. Many organizations are still struggling with how to attain the same levels of security they had in their traditional on-premise environments in their new cloud environments. There are entire layers of security and visibility that have been lost as generally the entire “physical layer,” which includes cables and network hardware, is only visible and accessible by the cloud service providers. Security architects have had to become cloud security architects very quickly. Security engineers have had to become cloud security engineers very quickly, sometimes without proper training. We’ve had to learn the cloud, then engineer the security part of it.
It’s not all bad news though. We have definitely gained significant security advantages and capabilities that either didn’t exist, or were cost prohibitive outside widely available cloud technologies. I think most of us in the industry realize the advantages we are gaining as a result of migrating to cloud services more than justify the migration. We also understand big transitions are painful and we are in the middle of one. Naturally this leaves some security gaps that we have yet to figure out how to fill. So I think overall, the state of cloud security is in a state of rapid transition. And the good news is most of the skills the cyber security workforce already had will translate to cloud, it’s just that those skills will need to now be married to cloud technology.
JG: What are the most common challenges organizations face when it comes to cloud security today?
KE: In no particular order:
- Traditional security experts have been slow to master cloud technologies.
- Organizations’ adoption of cloud technologies is happening at a very fast rate.
- Loss of visibility: some of the security layers we’ve spent so many years building our processes around are no longer accessible.
- Defining and implementing security in multi-tenant environments such as public cloud deployment models, which is what most people think of when they hear the term cloud.
- IT teams in general have been slow adopting and learning cloud technologies.
Lastly, two of the main selling points of cloud technology are rapid elasticity and self-service. Rapid elasticity means we can grow and shrink our network or application footprint almost instantly using cloud-only technologies. Self-service means we can do this growing and shrinking without any interactions with cloud service providers. These capabilities that are advantages also introduce disadvantages. For example, the rapid elasticity means IT, security, developers, and to some extent, even end users, are able to deploy services faster than they are able to be secured. We must also deal with the fact that cloud service providers are still “creating” security solutions on the fly based on our requirements in the industry. Some of these solutions are not exactly “adequate” for what is required to attain levels of security comparable to what existed before cloud.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
KE: Some good lessons learned from earlier data breaches include the following: No matter where your data is, you’re still responsible for it. Moving your data to the cloud does not transfer your responsibility to secure that data to the cloud service provider. The three-way relationship between customers, their data and cloud service provider employees is a weakness that has been exposed in recent data breaches that were cloud related. We’ve also learned that incident response coordination between customers and cloud service providers is an extremely important factor when trying to ensure proper responses to data breaches. Just because there is an agreement of “shared responsibility” when it comes to security in the cloud does not mean the impact and financial loss is always shared. Incident response plans and playbooks must be re-written to account for cloud services.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
KE:
- Your incident response policies and procedures should include your cloud environments.
- Make sure you have representatives from your cloud service provider in your incident response strategy who are designated to assist where needed. That includes access and extended visibility into the environment.
- As an organization, learn the cloud technologies if you want to secure them. It’s difficult to secure what you don’t understand.
- Take advantage of services engineered specifically for securing the cloud.
- Include security in your cloud migration strategy from the very beginning.
JG: What’s the future of cloud security?
KE: We are already seeing traditional security solutions providers innovate “cloud” versions of their products and solutions. Traditional security solutions and service providers who have adjusted and evolved into the world of cloud technologies will be around in concert with new solutions and providers created just for the purpose of cloud security. When we first learned how to fly, we tried to do it like birds do. It was many years before we mastered lift, thrust and drag to give us what we know as flight today with modern airplanes. When it comes to “doing” cloud and “doing” cloud security, we are still at the stage where we are trying to do it how we’ve always done traditional computing and security. In other words, we’re still at the stage of trying to fly like birds do. The future will bring much more automation. I think the best is yet to come.