This article is part of our new State of Cloud Security 2021 Series which will interview a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.The following is an interview our CTO, John Grange recently had with Raj Meka, Founder and CEO, Mekas Cloud Services
JG: What is the state of cloud security today?
RM: Cloud adoption is already high, and it’s going to keep on growing. Organizations have been moving to the cloud over the past decade to gain advantages that only the cloud can deliver, a greater flexibility for organizations with growing and fluctuating computing needs, more flexibility for remote work, faster go to market, and a big reduction in capital expenditure. The impact of COVID-19 has made 2020 a year unlike any other. Among the many effects of the global pandemic has been a huge increase in cloud adoption. The speed and flexibility that are so desirable in today’s business world have led organizations to adopt cloud technologies that require not just more security but new security approaches. Cloud is perpetually evolving, forcing teams to continually investigate, learn and apply new architectures and technologies that let them move as quickly as the business demands. In this environment of relentless change and persistent threat, security teams struggle to keep their organization’s cloud environments secure.
JG: What are the most common challenges organizations face when it comes to cloud security today?
RM: As organizations start taking advantage of Cloud native solutions, rapid adoption of microservices is inevitable, threat models around these microservices are not entirely well understood. The newer cloud native applications don’t necessarily have longer standing solidified security posture, “so with the adoption of newer cloud native applications, there is going to be some exposure, lack of experience of newness. We are going to see new breaches always.”
As opposed to just securing the monolithic applications, organizations need to think about how all the cloud based services are interacting with each other. North-South used to be the network entry and exit points for the traditional data centers. Now organizations need to think about east-west in terms of network communication between all these cloud based applications within the network.
As you grow into the public cloud, security engineers need to learn new systems and processes. The inconsistency between what engineers are used to and what’s running in the cloud creates opportunity for misconfigurations, and misconfigurations lead to breaches.
Here are some common challenges organizations facing today
- Lack of visibility to complete cloud inventory
- Lack of visibility to security vulnerabilities
- Lack of Employee training on Cloud related security
- Employee training on safe practices
- Evaluating the current state of security and threats
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
RM: Between 2018 and 2019 time frame we saw a massive shift in data breaches coming through web applications and APIs. Data Breaches that resulted from cloud misconfiguration cost businesses nearly $3.18 trillions in 2019.
2020 was another we have seen many breaches, a few to talk about are
- Marriott suffered a credential-based breach
- Antheus Technology Biometric data breach
- LifeLabs breach exposed half of Canada
- Expedia and Hotels.com beaches
- FireEye, worlds largest Security fir
Breaches will be a fact of life as long as humans make mistakes, whether it’s cloud based application or an on-premise database. But these breaches give us a sense of most common misconfigurations that lead to breaches.
This gives us an opportunity to learn what to look for and ensure that your company is not on the list.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
- Shift to Zero trust model
- Standardize Security practices across your Cloud, Hybrid and Multi-cloud infrastructure
- Use modern Security platforms built for the cloud
- Encrypt your data in transit and at rest
- Use Defence-in-depth to protect APIs, applications, and data where they reside
- Provide adequate training across the organization
- Continues monitoring and understand your infrastructure
JG: What’s the future of cloud security?
RM: Cloud is evolving, teams are continually learning new technologies and architectures. Teams continue to make mistakes and misconfigurations. None of the cloud security threats that we have seen are new, but they are more important than ever as more and more people are working from home now. We will continue to see these threats and breaches. We need to continue to learn from these breaches and apply.