This article is part of our new State of Cloud Security 2021 Series which interviews a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.
JG: What is the state of cloud security today?
RG: Over the last 5-6 years, cloud security providers (CSPs) have made great strides in developing new features and services that allow their customers to have better visibility and control of their cloud environments. Additionally, many vendors integrate these or similar features into their platforms, to provide their customers more versatile solutions.
Over the years, we have all read about various cloud security data breaches tied to large companies. This has certainly fueled the fears of many that the cloud is insecure. Personally, I disagree with that notion. If you look into the technical details of all of these high profile breaches, there seems to always be one common theme – human error and/or misconfiguration. The good news is, that the aforementioned features and services attempt to proactively help address said common theme, by providing visibility and guardrails.
JG: What are the most common challenges organizations face when it comes to cloud security today?
RG: Traditional security concepts still apply to the cloud, but the tools don’t
The cloud is really just someone else’s data center. This means that many core security concepts such as DiD (defense in depth) and threat modeling. Whoever, this does not apply to tools. One can’t just apply traditional security tools to protect resources in the cloud because cloud environments are dynamic in nature and therefore, the lifecycle of resources is short lived in comparison to the old datacenter days. Attempting to apply traditional security tool controls, like firewall rules that rely on IP addresses and host ports is a losers bet.
Skilled staff and operational processes
While DevOps has been around for a while now, the security industry is still working towards embracing many of the technologies used by DevOps teams. I recall when DevSecOps became a movement and was looking to change that, but sadly it only caught on across companies that embraced the cloud early on. Today, it is still difficult to find security professionals that have moved beyond security by spreadsheets and are familiar with DevOps techniques.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
Customer’s misconfiguration of cloud services has led to the abuse and ill intended usage of services; which we tend to read about in security incidents. An example of a misconfiguration is when, for example, a cloud hosted data store containing sensitive data (say user credentials and/or encryption keys), is exposed to the public. Meaning, anyone with access to the internet can potentially access the data without any form of authentication. It might sound crazy or far-fetched, but misconfigurations like this have been a common theme in the past, especially for AWS’ S3 service. The takeaway here is that the configuration of these CSP offered services is the responsibility of the customer. In my opinion, this is often missed in the stories we read about.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
Invest in your staff
Good security professionals are in high demand. Companies are better off investing in those security professionals that have an interest in Cloud; in order to get them to the next level (cloud savvy). With solid training and support, these individuals will be able to collaborate with development teams and significantly raise the security bar of your company’s cloud environment. There is plenty of training and free resources available today, such as cloud security standards and open source solutions that can be leveraged to level up your company’s cloud security. If you are looking for tips on where to start, take a look at the Center for Internet Security (CIS) controls or AWS’ Well-Architected Framework.
As a reformed cloud security professional, I can say that embracing the cloud takes a shift in mindset. Security teams need to ensure that they are not getting in the way or are impacting innovation.They need to be able to provide development teams the access to what they need when they need it, while putting rules in place to ensure security. The key to success is to do it in a way that it does not have a significant impact in the development experience. An example would be implementing a cloud governance program that defines and implements best practices and controls, and takes action on control violations w/o developer intervention.
Unlike a typical datacenter, the big 3 CSPs offer an array of services and features that can provide a level of visibility that as security professionals, we always dreamed of having when securing data centers. The ease of deployment, scalability and management of services to centralize logging, monitoring and alerts is exciting. More importantly, with an array of open sources tools and solutions, it is all at the fingertips of anyone that wants to dig a little deeper.
JG: What’s the future of cloud security?
RG: The future is bright. As security professionals get better, the security of the cloud would be perceived as improving. However, in my opinion, the problem is not the security of the “cloud”, but tools and policies used by cloud customers to secure and control their cloud environments. To this day, many companies have misconceptions and misunderstandings about what security the cloud can offer. This is further compounded by the imaginary concerns about the security and control implications of different cloud models (public, private, hybrid, multi-cloud).The reality is that “security” across the three biggest CSPs (AWS, Azure, GCP)is better than most enterprise data centers. This is validated by other sources, such as Gartner, which stated that, “public infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centres.” Thus, let’s stop using “security” as a way to stifle cloud adoption. Instead, let’s get security teams working towards learning how to leverage programmatic infrastructure techniques to apply automation; in order to eliminate any potential human error – commonly the source of a cloud security breach. Particularly important if you agree with Gartner’s position: “Gartner predicts that through 2022 at least 95% of security failures in the cloud will be caused by the customers.”