This article is part of our State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
The following is an interview that OpsCompass CTO John Grange recently had with Laura Kankaala, Security Consultant at F-Secure.
JG: What is the state of cloud security today?
LK: Many companies are still in the early stages of their cloud journey. This means there are a lot of struggles with getting things right, especially when it comes to access rights and permissions for users and services both. It’s also too early to say that many companies out there would be 100% cloud-native in the sense that there would be no on-premises servers or hardware. In many cases, cloud is hybrid and is a mix of services from different providers, mixed in with on-premises infrastructure.
JG: What are the most common challenges organizations face when it comes to cloud security today?
LK: While cloud certainly solves some legacy challenges when it comes to, for example, patching and server management, the focus of the security challenges has shifted. What I see as some of the most major challenges stem from the lack of resources or shifting the cultural mindset from the old ways of running projects to more cloud-oriented and agile ones. It’s also a great challenge to manage third-party dependencies, code or vendors and to defend against attacks that may originate from completely external sources.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
LK: In my experience, some of the breaches that take place in cloud environments are collateral. This means that access to cloud was obtained after something else was breached first – the on-premises infrastructure or an external dependency. When we allow external access for services to our cloud infrastructure, the interfaces where the access takes place often end up being quite privileged with broad access to data.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
LK: Identity and access management is the cornerstone of cloud security – therefore focus on building robust access rights and permission models. Make sure that access across different accounts, external services or to on-premises infrastructure is well-defined. Take advantage of security features offered by cloud providers. Make it difficult for developers to accidentally make mistakes by restricting or monitoring for dangerous configurations.
JG: What’s the future of cloud security?
LK: There is no denying that cloud is the go-to method of hosting infrastructure, and there are many security-related benefits to it as well. New security-related services are rolled out very often and visibility into actions that take place in the cloud is really good for many of the providers out there. Also, in case of a lower-level issue, the patches and fixes can be rolled out fast and across all affected parties.
But most crucially, what I feel is the biggest benefit of cloud is that there is no need to reinvent the wheel when it comes to running servers and services. When there is more time to focus on building good-quality code or using services that someone develops for you, it means we don’t need to struggle with maintaining IT server infrastructure or face the consequences when those legacy servers fail under our software.