This article is part of our new State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
JG: What is the state of cloud security today?
RL: There is an overwhelming number of tools available for cloud security and analysis that cloud security providers can use or deploy, and yet breaches continue to happen. This is in large part because there is a steep technical requirement for any service provider to keep ahead of security challenges.
The simplest security advice continues to ring true for both providers and consumers.
- Keep everything patched and up to date.
- Back up your data, and test the backups.
- Implement the principle of least privilege.
- Use multifactor authentication whenever and wherever you can.
JG: What are the most common challenges organizations face when it comes to cloud security today?
RL: There are distinctly different versions of “cloud”, each with different risks and benefits. For example, Software as a Service (SaaS) providers are commonly web applications or business tools. Infrastructure as a Service (IaaS) providers provide backend services, such as AWS, Azure, GCP, etc.
It is a challenge to know what your risk associated with each provider is or could be.
For SaaS providers, it is critically important to understand what data of yours the provider has, how they are protecting that data, and what could happen in a worst case scenario.
For IaaS, a deeper understanding is needed to master all the controls and options available to you. These tools are very powerful, but with a few clicks it is easily possible to misconfigure your infrastructure or accidentally expose data.
For all cloud providers, it is important to understand the full extent of what is your responsibility versus what is the provider's responsibility. Many breaches happen not because of coding flaws, but because of simple misconfigurations or leaked/reused usernames and passwords.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
RL: Many of the hacks or breaches in 2020 were related to vendor supply chain hacks. That is, a company is breached because of a vendor or cloud provider they use. There is an explicit level of trust that you must have with your vendors and cloud service providers, and the web expands very wide when you start thinking about your vendor’s vendors, and then their vendors. A quick takeaway is that any service provider can be breached. Therefore, it is important to know what your exposure to each provider is and what recourse you have, if any. This applies both technically and legally. It is also important to understand how dependent you are on each cloud provider.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
RL: Every vendor an organization uses should have a security review. The depth of the review should be congruent with the type of data this vendor will have access to. Follow-up reviews should also take place on a scheduled basis.
It is equally important to know the lifecycle of the data in the cloud. How does data make its way into your SaaS or IaaS tools? Where and how is it stored? Is it encrypted? Where else does it go? Don’t forget secondary cloud services like customer support and emails. Keep a record of what data is within which cloud provider.
For each of these cloud providers, implement the principle of least privilege if you can: give the least level of access, and only to those who really need it. Be sure to audit the privileges on all of these systems at least quarterly.
JG: What’s the future of cloud security?
RL: In the future, I hope for more transparency between cloud providers and us as customers, particularly for SaaS providers. This will help the customer have a better idea of the risk they are taking on when using the provider. Any cloud service can say all the right things and say they have a lot of processes in place, but that doesn’t necessarily make it true, and it certainly doesn’t mean they can’t be breached.