This article is part of our new State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
JG: What is the state of cloud security today?
PW: The complexity of cloud systems and services has overwhelmed the ability of developers and security professionals to fully reason about the security of their systems. Data propagates everywhere and protections are varied and inconsistent. In short, cloud security today is a patchwork of half measures on a bed of complexity. Breaches are guaranteed.
JG: What are the most common challenges organizations face when it comes to cloud security today?
PW: Controlling access to data across services and storage layers and understanding how the data has been accessed.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
PW: First, cloud misconfigurations were the largest root cause of successful malicious attacks in 2020 and much of that came down to unsecured databases and search services. Second, the SolarWinds attack put a spotlight on the problem of supply chain attacks and the related concerns around the cloud supply chain.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
PW:
1. Your software and its dependencies all have vulnerabilities. Assume an attacker can exploit these vulnerabilities. Now ask yourself what layers of protection you have in place if your application is compromised.
2. Ask yourself what visibility you have into data access and whether you’d be able to tell if there was unusual activity or if you’d be able to know what data was accessed in case of a breach. If the answer is no, fix it.
3. Start with the data and the data protection: is it segmented in ways that contain blast radius? Is it protected in non-transparent ways with encryption? It should be.
JG: What’s the future of cloud security?
PW: The complexity of cloud services will continue to grow exponentially. Securing these services and the data they hold will necessarily drive organizations to application-layer encryption strategies that can protect the data consistently regardless of where it is stored or with whom it is shared. We have seen an incredible amount of progress in the academic world of cryptography and some in the blockchain world, but we’ve seen very little of that find its way back into commercial software. That’s what’s next.