This article is part of our State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
The following is an interview that OpsCompass CTO John Grange recently had with Todd Gifford, CTO of Optimising IT.
JG: What is the state of cloud security today?
TG: Cloud security has taken massive leaps forward in recent years to the point that I think developers now understand what it takes to build well-coded websites. Do we get it right all the time? No – we don’t. From basic and easily avoidable coding mistakes to fundamental web application architecture issues – there is a lot wrong. Improving is probably the most accurate description for cloud security today: much better than it was and a process that will never be finished – but still many iterations to go through before reaching an acceptable level.
JG: What are the most common challenges organizations face when it comes to cloud security today?
TG: Getting the fundamentals right has to be the first challenge we need to resolve. The top threats on the OWASP top 10 have been the same for many years. Why? Often security considerations are still an afterthought rather than a peer requirement to functionality.
Compliance and code spread are the next biggest challenges. In an environment with multiple daily changes happening, how do you ensure compliance in a changing environment? A systematic way of managing and tracking change and appropriate business and change processes are a great help in managing code spread.
Managing and maintaining compliance with requirements like PCI DSS can almost be too much on top of managing change and functional requirements. The only practical way to do this moving forward is to utilize an appropriate toolset.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
TG: The basics need to be absolutely one hundred percent sorted. Managing code poorly, combined with lax password and user management controls, led to the breach of the SolarWinds Orion platform, which in turn resulted in thousands of organizations worldwide being compromised by suspected Russian attackers.
Manage your code and check for changes – even after supposedly legitimate updates are rolled out.
Ensuring that access to your codebase is appropriately managed and reviewed, as well as checking third-party code that your site loads for changes before running it, are vital ways to mitigate against potential supply chain attacks.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
- Train your developers to spot and resolve code errors during development
- Review code for flaws before release – peer review will work well here
- Use appropriate tools to help with compliance – in large and complex environments doing manual compliance is not practical or sustainable
- Watch out for code and environment drift. Again, in large, complex environments, this is not a manual task – using a system to track change is essential.
- Get external help and validation where needed. There is always room for improvement, and often an outside viewpoint will bring a fresh perspective, ideas and knowledge from the broader industry.
JG: What’s the future of cloud security?
TG: Augmenting the work of DevSecOps, security analysts and cyber professionals with automated tools. As the complexity of cloud platforms and the sheer volume of code expands, keeping on top of everything manually will become an impossible task, even in simple environments. Automated tools to verify code, understand code changes, and manage compliance requirements will become essential for developers.
As with everything cloud – the only constant is change. As the pace of change accelerates and the battle for highly experienced staff continues, organizations will need to look at alternative solutions to fill capability gaps and do more with less.