This article is part of our new State of Cloud Security 2021 Series, which will interview a diverse mix of cloud security experts, decision-makers, and practitioners with a goal of better understanding their perspectives on the current state and future of cloud security.
JG: What is the state of cloud security today?
WG: It depends on the viewpoint. In terms of a services portfolio, we are in great shape. In terms of AWS, year after year, we face more and more announcements of commercial or provider-based solutions covering the whole spectrum. We have the ability to leverage open-source solutions as well if the organization has time and resources to tackle that. But speaking about organizations – on the other hand, customers faced with such a broad choice often struggle with setting up efficient, cost-effective, and really comprehensive answers to the organizational challenges and requirements. From the market perspective, it is great – because it opens opportunities for IT consulting or third-party companies. Even if in the end, guidance and advice are always welcome, customers are left with a feeling that they pay a lot to the provider and they have received an incomplete product.
JG: What are the most common challenges organizations face when it comes to cloud security today?
WG: A broad set of options is great but may cause decision paralysis or impose a risk of introducing an incomplete / not entirely effective setup. The building of that knowledge in-house causes trouble and unnecessary costs, which may end in a situation where customers cut corners to deliver or satisfy different requirements.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
WG: That cloud security is heavily contextual – and it is limited to the weakest link in the chain. From our observations – in most cases, it is related to the lack of knowledge or skills inside the company.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
- Embrace automation, immutable infrastructure, and continuous compliance verification.
- Pay attention to the skills and hands-on experience that you are building inside your company.
- For companies aspiring to build cloud-native digital products, the culture of DevSecOps should be a default starting point.
JG: What’s the future of cloud security?
WG: I still think that we can do better in terms of technology, including automation, codification, and verification (e.g., dependency audits, auditing infrastructure as code, IAM automation, policy as code, continuous compliance verification).