This article is part of our new State of Cloud Security 2021 Series which interviews a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.
The following is an interview OpsCompass CTO, John Grange recently had with Charles Denyer, Cybersecurity and National Security Expert.
JG: What is the state of cloud security today?
CD: It’s dynamic, changing every day, and that’s because the threats keep changing also, meaning companies have to be agile, proactive, and quick to respond. Minutes can make all the difference between stopping a breach and a breach gone bad. With more and more organizations adopting and migrating to the cloud, the opportunities for nefarious hackers and others are now bigger – and more profitable – than ever. The good news is that the three main cloud providers – Amazon AWS, Microsoft Azure, and Google GCP – have built a robust set of security tools and solutions native to each of their platforms, allowing customers to pick and choose from a wide-range of industry leading products for securing their platforms.
JG: What are the most common challenges organizations face when it comes to cloud security today?
CD: There are many, but if I had to pick the top challenges, it would be the following: (1). Ensuring that a comprehensive third-party vendor management program is in place for keeping a close eye on all types of external sources that interact with an organization’s cloud infrastructure. From off-shore developers to consultants, managed service providers, and more, you’ve got a lot of cooks in the kitchen, and the old saying goes, and you need to be monitoring them very closely. Companies that fail to make the grade with adequate third-party vendor monitoring are prime candidates for a breach.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
CD: Unfortunately, you have to take an almost zero trust approach, which means extensively vetting all products and solutions deployed into your environment, along with limiting access control to the fullest extent possible. The massive SolarWinds breach (In early 2020, hackers secretly broke into SolarWind’s systems and added malicious code into the company’s software system, for which SolarWinds unwittingly sent out software updates to its customers that included the hacked code) 2020 clearly showed the world that even the biggest and best of companies can be breached. Bottom line, don’t automatically trust any tools or solutions that’s inside of your network.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
CD: First and foremost, have in place a comprehensive third-party vendor management program, one that establishes clear protocols for vetting new vendors, and for reviewing their practices on an annual basis. Second, have in place a well-developed, actionable incident response program, one that’s been tested annually and can actually work! Third, conduct security awareness training regularly for all employees. Remember, knowledge is power, and the more employees know about cybersecurity issues, threats, concerns, and best practices, the better prepared they are in protecting an organization.
JG: What’s the future of cloud security?
CD: Because so many companies are adopting and migrating to the cloud, security will be front and center forever in terms of cloud computing. You cannot run a safe and secure platform in the cloud without proper security protocols in place. Because of this, companies will be spending heavily on both existing and next-generation cloud security tools and solutions. While the bad guys are really good at what they do in terms of stealing data, luckily, the good guys are getting better at developing cutting-edge technologies for protecting cloud platforms.