This article is part of our State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
JG: What is the state of cloud security today?
SM: Cloud security is complicated by the myriad of APIs, cloud services and general vast array of internet-connected devices that all feed into the cloud. This makes security nebulous and difficult to be systematic about. The result is that easy-to-make misconfiguration mistakes, or misapplied access control privileges, are exploited.
JG: What are the most common challenges organizations face when it comes to cloud security today?
SM: There are several areas that are particularly challenging. The whole remote working challenge has opened up new areas too:
- Data visibility concerns, or who is responsible for what data: The shared responsibility model is a useful framework, but data and the cloud have become an entangled mess that is difficult to govern. Overlay privacy legislation and the whole thing becomes a nightmare. Being able to see data assets and (importantly) see where those assets go to and who has access to them is very challenging.
- Data leaks from cloud repositories: This is often linked to misconfiguration of cloud components that leads to accidental leaks or attacks exploiting the vulnerability. The challenge is ensuring that anyone involved in deploying cloud-based services and systems understands the often nuanced intricacies of configuration and hardening of cloud components.
- Access control challenges: This is where remote working and the use of personal devices to access corporate apps have really added complexities into cloud computing. Current IAM systems are not fit for purpose; they are often static and difficult to add in remote workers and non-employees. One good thing that has come out of the Covid-19 pandemic is that it is shaping and driving the adoption of flexible IAM systems that can easily on-board and verify users. The concept of ‘zero trust identity’ is taking off too, where ID attributes are replacing static identity as a way to transact and control access.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
SM: Know your data and know where it is. Visibility is still a major issue, and you can’t tie down what you don’t know you have. This ties into the remote working challenges: companies have learned a lot about how to make home working more secure, and these lessons will continue to drive adoption of technologies that can provide zero trust security and identity.
This leads to the misconfiguration of cloud components. S3 buckets, for example, being publicly accessible. Misconfiguration attacks and accidental leaks have been behind several high-profile data breaches and Verizon’s DBIR 2020 stated misconfiguration was the fastest growing risk to web apps.
The lesson to take away from this is to ensure your staff know security. Just because someone has technical training in cloud engineering or implementation doesn’t mean that they understand how to secure a deployment.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
- Train your IT staff on security and hardening for configuration of cloud components.
- Research zero trust technologies, especially in the access management area. As we move into a work-anywhere, anytime era, this is especially important.
- Look to the principles of privacy by design to understand how to best manage data. For example, by minimizing data collection you also, by default, minimize the level of data leaks.
- Data protection in the public cloud is critical. Use devices that provide protection at rest and during transit. Harden your authentication and access control. Use least privilege for data access. Make sure this principle is applied as a continuum as employees move roles or leave.
JG: What’s the future of cloud security?
SM: More focus on exploiting simple mistakes in configuration. Data-enabled critical infrastructures will become increasingly targeted by ransomware as this makes cybercriminals lots of money. This is driven by cloud-enabled RaaS. Vendors, however, will strike back with smarter technologies that adapt to the changing landscape and that automatically patch misconfigurations. The identifiers that allow us to transact in cloud environments will also become more flexible and smart, allowing for zero trust, identity-enabled transactions that ‘always verify, never store’ to remove extraneous siloed stores of personal data.