This article is part of our new State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
The following is an interview that OpsCompass CTO John Grange recently had with Mike Raggo, Cloud Security Expert, CloudKnox.
JG: What is the state of cloud security today?
MR: In general, we’re still seeing increased breaches targeting cloud infrastructure. This is evidenced by the Cloud Security Alliance’s (CSA) Egregious Eleven report.
JG: What are the most common challenges organizations face when it comes to cloud security today?
MR: Lack of visibility is a big one. Many organizations are blind to the intrinsic risks embedded in their cloud infrastructures. It’s not for a lack of effort, but it’s a result of the speed at which people are building infrastructure in the cloud. Applying old school approaches of role-based access control just doesn’t scale in the cloud. We’ve grown beyond that. Monitoring activity in the cloud and combining that with automation, machine learning, and data science and analytics are key to gaining accurate, calculated, and actionable visibility in the cloud.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
MR: Much of what was highlighted by the Cloud Security Alliance’s report in 2019 continued into 2020 and 2021 as well. Much of it has to do with over-permissioned access. Should a developer have the ability to configure resources such as AWS S3 buckets or Azure blobs/containers with public access, no encryption, and more; or should these permissions be limited to administrators? We all know the answer to this, but it’s a challenge in the cloud to manage 9000+ permissions for each identity, and understand what each permission means and its implications. It’s clear “just-in-case” permissions don’t work; we can’t continue to assign broad permissions to developers just in case they might need them. Technology and automation exist today to provide permissions on-demand and use activity monitoring to set least privileges and achieve Zero Trust compliance. Until organizations get to this point, it’s likely similar breaches will occur.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
MR: We already recommend organizations leverage automation to implement least privilege policies and complement that with permissions on-demand to properly right-size access and limit the blast radius in the event an account is breached. Furthermore, machine learning can be used to quickly identify suspicious activity outside of the norm and quickly respond to threats to avoid a compromise. This balances both a proactive and reactive approach to cloud security.
JG: What’s the future of cloud security?
MR: Cloud service providers are adding new services, features, and permissions daily. Keeping up with the speed of the cloud is nothing we’ve ever experienced before. However, with this change comes automation, machine learning, and additional benefits, which organizations can use to keep pace with the rapid growth of the cloud, and position themselves proactively against threats.