This article is part of our new State of Cloud Security 2021 Series which will interview a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.
The following is an interview OpsCompass CTO, John Grange recently had with Rob Black, CISSP, Founder and Managing Principal of Fractional CISO.
JG: What is the state of cloud security today?
RB: Cloud adoption is on a roll – it’s high, growing, and nobody expects it to slow down. The vast majority of young companies have only ever worked on cloud infrastructure, and more and more established corporations are switching away from on-premises hardware to cloud services.
For many companies cloud security is cybersecurity, and vice-versa. There are two sides of cloud security. On one hand, the cloud service vendors must be expected to have robust cybersecurity practices. If a vulnerability is found and exploited in Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, the impact could be huge. They also need to provide reasonable built-in security tools for their clients to utilize. For the most part, they do, but not all vendors are created equal when it comes to making those tools easy to use!
On the other hand, clients need to take full advantage of those tools to minimize their cloud security risks. It can be challenging, because the default settings are rarely the most secure settings. It takes a considerable effort to optimize the security configuration of each platform.
There is also a barrage of independent cloud security services – it can be overwhelming to figure out what’s right and what’s wrong for your business.
JG: What are the most common challenges organizations face when it comes to cloud security today?
RB: Companies are not utilizing their cloud vendors’ most important built-in security controls.
We see all AWS customers using Virtual Private Clouds (VPCs) to segment their environment. VPCs allow customers to logically isolate their infrastructure. We do not, however, see many adopting the Security Hub tools. Many do not use AWS Inspector or Guard Duty to monitor their environment. This can lead to significant issues with their implementation and put their infrastructure and customer data at risk.
Similarly, Azure customers have the Security Center available to them. But many do not seem to actually look at the results or try to remediate them.
If companies would apply a modicum of effort toward security monitoring they could significantly decrease their organizational risk.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
RB: There were a lot of high-profile breaches in 2020. I am picking a non-intuitive example that can show how corporate security can negatively impact cloud security. Garmin suffered a nasty ransomware breach in the summer that’s worth remembering. Even though it started as corporate ransomware. Their Garmin Connect cloud services were put offline for days before they allegedly decided to pay the ransom, reported to be about $10 million.
The Garmin breach really illustrates how important it is to separate corporate resources from cloud infrastructure. Additionally, you have to be prepared for an attack. While it isn’t fun to talk about how your organization would handle a cyberattack, it is important to do so. Creating a plan and testing it will help find flaws in your security program, quicken the resolution of a real attack, and reduce its impact. Ransomware also carries the unique question of whether or not your organization should pay the ransom. There isn’t a right or wrong answer here – it’s a risk management decision – but it’s best to consider the implications of the decision before you’re actually locked out of your systems.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
RB:
1. Make sure your cyber team is fully aware and makes full use of every cloud vendors’ built-in cybersecurity tools – all of the major cloud providers have a suite of security tools (Security Hub, Security Center). We see many new clients that have not adopted them. Yesterday was the time to turn them on.
2. Run periodic internal audits to ensure your company is using the most-up-to-date security practices. Cloud technology and security is rapidly advancing, don’t get caught out!
3. Learn from newly publicized breaches. Could it have happened to your organization? Have you considered that line of attack? Find and patch relevant vulnerabilities. Or even better, design your implementation so you don’t need to patch. (Spin up new instances when a new version comes out or use serverless architecture.)
4. If you are an executive at your company, be a champion of cybersecurity. Executive involvement has a huge impact on the efficacy of cybersecurity efforts and helps create a security culture in the organization.
5. Please check your AWS S3 buckets permissions. Most should not be public!
JG: What’s the future of cloud security?
RB: All of the high profile breaches create this feeling that the bad guys are always winning, that it’s a matter of when, not if, a particular platform will be breached.
I’m generally optimistic for the improvement of enterprise security – I wouldn’t have started a cybersecurity company if I wasn’t! Awareness is growing about the huge risks cyber attacks pose to businesses and everyone is taking it more seriously. Clients are becoming more selective about vendor security, pushing the market toward better security practices.
The mass adoption of cloud technology means that cloud security is cybersecurity. A lot of attention is being paid to this area, more tools than ever are available and being developed. While it’s impossible to completely prevent a cyber attack, businesses will have more tools than ever to reduce their risk.