This article is part of our new State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
The following is an interview that OpsCompass CTO John Grange recently had with Tony Rost, CTO of Metal Toad.
JG: What is the state of cloud security today?
TR: Cloud security today is where the fashion industry was 20 years ago. If you can remember back that far, the fashion industry was settling into its new global supply chain enabled by the rapid adoption of ERP technology. Once the new normal set in, the industry was shaken by an explosion of human rights violations in overseas sweatshops. The initial response was to beef up their master service agreements and accountability systems. That lasted until the next storm of bad press, from which emerged third-party auditing. Then when that failed, corporate investigators became normalized. On and on this cycle goes, with today’s efforts focused on hyper-transparency, NGO-driven auditing, CEOs staying humble with their shareholders (or being kicked out), and multiple payroll positions dedicated to ensuring core values deep in the supply chain.
Cloud security is still stuck at the first efforts that the fashion industry dealt with: service agreements and accountability systems. Enterprises have barely scratched the surface of digital supply chain auditing; everything else is still years away from substantial investment. Keep in mind that behind all cloud services, deep in the supply chain, are developers who do not work for you, but for your cloud supplier, your cloud supplier’s vendors, or that vendor’s vendors. This is the attack vector of choice in the 21st century — the supply chain attack — and I believe we are at the beginning of this chapter.
JG: What are the most common challenges organizations face when it comes to cloud security today?
TR: At the most fundamental level, the challenge is ensuring that your values maintain integrity throughout the supply chain. The digital supply chain vulnerabilities are a grave threat to the brand promise of every company on Earth. Some specific challenges include:
1) Leadership passing the buck of security to vendors. If I could influence a change in tactics, it’d be to move beyond the CYA tactics used with vendors. These include: service agreements with checkbox clauses; no first-party security professionals armed to investigate vendors; and no expectation of cooperation between client and vendor on getting their hands dirty in the deep digital supply chain to hunt for vulnerabilities together.
2) Vendors unaware of systemic weaknesses in their products. Vendors got into their business to solve problems and often get ahead of themselves on the trail of vulnerabilities left behind their innovations. We’ve heard of the phrase “code debt,” but how often do we put money into “security debt”? The real challenge here is that vendors are not incentivized to find their systemic weaknesses. If they can just hit the InfoSec checkboxes, provide enough insurance, and take a second seat to their clients during bad press, what is their marrow-deep incentive to lower profits in favor of more spending on security talent? I wish I could say their core values motivate their behavior, but that is the fundamental challenge I’m highlighting here.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
TR: The most nefarious hack I’ve seen in over a decade was the 2020 SolarWinds supply chain attack. I’m stunned into silence at how this attack unfolded and the magnitude of its scope. This is the attack that made me realize just how unprepared we all are to manage risks in our globalized digital ecosystems.
The challenge of the decade will be to add an investigatory element to vendor management. Vendors will need to desire this in the name of self-preservation, and customers will need to fund the payrolls needed to build up their workflows.
1) Get your hands dirty with your digital supply chain. Vendors must proactively share the result of internal audits (particularly from static code analysis in their build pipelines) and emerging tools such as GitHub’s Dependabot, which scans for vulnerabilities in the digital supply chain and proactively elevates resolutions.
2) Cost of payroll headcount for security < cost of public humiliation. I like to counsel customers to take it as a given that a future security attack will show up in their Twitter feeds or in the press and work backward from there. When operating from this assumption, the CEO/CIO pairing often justifies adding specific headcount to investigatory activities of the vendor bench.
JG: What are three to five pieces of advice for organizations looking to improve their cloud security in 2021?
TR: Beyond adding roles to work deeper in the digital supply chain, there are a few other quick wins that can be rolled out within a year:
1) Don’t hide behind MSAs: lawyers are slower than hackers. Expect action plans from your leaders on deeper initiatives with investigation and auditing. The use of MSAs and legal CYA as a way to pass the buck of accountability is a cultural laziness that must be weeded out.
2) Practice absurd transparency, at least internally. Expect to see security-specific dashboards, decks, townhalls, hackathons, workshops, and other activities on a regular basis. These are signs that the internal ecosystem is obsessed with security and far more likely to win the threat game. If you do not see this across divisions and departments, and you don’t hear them being brought up frequently, you are lacking the evidence to know the business is aligned.
3) Put your money where your vulnerabilities are. At a certain zoom level, the people most likely to substantially improve digital supply chain threats are your software engineers. They’ll be more informed and insightful than their immediate bosses and skip managers. At this level, implement paid bonuses for finding security threats, and celebrate those employees who participate in the program.
4) Save us from ourselves, HAL 9000. Even though I work with technology full time, I cannot cognitively comprehend all threats anymore. The complexities are simply too great for humans to manage. Augmenting human decision-making with machine learning is required to fully manage all threats, and emerging tools in the market are specializing in AI-driven solutions.
JG: What’s the future of cloud security?
TR: The cloud ecosystem has had several cycles of expansion (several middle players such as SaaS and PaaS business models) and contraction (cloud platforms launching new domain-specific microservices that displace business models). I think we’ll have a couple more rounds of this in the 2020s, before moving into the next big transformation in cloud: decentralization. Decentralization of compute, storage, and other services will add in new security paradigms, eliminate entire classes of threats, and elevate cryptography into the security mix. Even then, I expect several jaw-dropping ah-ha moments in my career from unimaginably clever hacks that catch us all off guard.