This article is part of our new State of Cloud Security 2021 Series which interviews a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.
The following is an interview OpsCompass CTO, John Grange recently had with Joseph Kirkpatrick, President of KirkpatrickPrice.
JG: What is the state of cloud security today?
JK: Cloud providers are building innovative security capabilities at a pace never seen before. Previously, many companies couldn’t afford or spend the time to implement advanced countermeasures because they were focused on the basics like system design, operating systems, installation, support, etc. Now that any size company can use the infrastructure already built for them, they can spend more time thinking about security. Cloud security controls put the power of configuration checks, monitoring, and predictive indicators at your fingertips. It no longer requires a capital outlay, but instead, a willing mind to learn from all the feature-rich capabilities to secure applications and data.
JG: What are the most common challenges organizations face when it comes to cloud security today?
JK: The sheer volume of capabilities is daunting. Solution architects get lost in the settings and never-ending press releases about new and changing features. That old familiar window is no longer there, and an important configuration can be missed simply because it has a new label or is behind a tab that wasn’t noticed. We recently had a client who was sure they had installed the Center for Internet Security pre-configured image as their operating system. They needed this to comply with their contractual obligations for certain security controls. Our audit revealed that they had not. After walking through it, the engineer explained that he just didn’t understand the description in the cloud dashboard. It was new to him and certainly could have been clearer.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
JK: The misconfigured Pfizer cloud storage bucket had all the top lessons about cloud security. Bucket policies and permissions get complicated very quickly. It’s imperative that you are allowing access to only the necessary entities. We hear about misconfigured buckets so frequently because companies don’t have clear policies to guide their employees’ actions and there’s no validation to ensure the settings have been properly applied. Given Pfizer’s prominence in the vaccine rollout, speed was prioritized over security. There was pressure to share the data and “get it done” but it resulted in thousands of patients’ data leaking publicly. Breaches like this also highlight how quickly the events mushroom into regulatory incidents when laws are broken. Once the patients’ recordings and PII are released in an unauthorized way, organizations have a bigger issue on their hands due to the implications of data breach regulations.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
JK: It’s important to remember that the underlying security principles are still the same. Know your environment. You must be able to articulate what your assets are, how the data flows, who has access and why. Document your standards. Too many companies do documentation last but you have to be able to demonstrate why you’re doing what you’re doing. Communicate to your employees what the policies are to comply with laws, meet security standards, and configure access. Use change management documentation to trace back what actions were taken to compare against company policy. Finally, embrace responsibility for cloud security. It is NOT the cloud provider. Don’t pretend that they will do it for you to only be surprised to discover the truth.
JG: What’s the future of cloud security?
JK: The good news is that we WILL catch up. Qualified people are attracted to the field. There are more tools than before, and training is readily available. The amount of free training, technical bulletins, and videos are impressive to help us learn the latest in an ever-changing security field. Invest in your existing employees with the aptitude to lead your security initiatives. Supplement your staff with a cloud security partner who shares your vision and values. The technology will only continue to advance, so don’t wait to implement security best practices to the hundreds of cloud solutions you’re already using.