This article is part of our new State of Cloud Security 2021 Series, which will interview a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security. The following is an interview our CTO, John Grange, recently had with Jamie Orlando, President of Nutfield Security.
JG: What is the state of cloud security today?
JO: We are quickly approaching a state where every cloud security scenario has both commercial and open-source products available to mitigate risk. Modern cloud security professionals need to be skilled resource managers that understand when to work with a vendor and when to roll their own controls.
JG: What are the most common challenges organizations face when it comes to cloud security today?
JO: For the most part, the biggest challenges cloud security professionals are facing at the moment are continuations of previous trends, like running cost-effective operations and reducing developer friction. However, recent high-profile cloud provider service disruptions and the wide adoption of Kubernetes are leading many cloud customers to also begin developing cloud provider agnostic practices for their highly available workloads.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
JO: The biggest breach story of 2020 was rightfully the SolarWinds attack. While the same poisoned update technique was used against MeDoc in the Ukraine in 2017, the SolarWinds attack heavily reinforced the importance of supply chain security to an American technology audience. The biggest thing we can learn is that you are only as secure as your weakest vendor.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
JO:
- Learn to love the reverse uptime statistic. Automate rebuilding your servers frequently with security updates and focus the time otherwise spent patching on writing strong workload health checks.
- If lucky enough to work with a product that embraces microservices, spend the time to look into service mesh technologies.
- If you do not have a controlled space for secure analytics development, you have an uncontrolled space that you don’t know about.
JG: What’s the future of cloud security?
JO: The mass adoption of remote work, driven by the COVID-19 pandemic, seems to have finally killed the notion of a secure network boundary. Network administrators who could previously assume a large majority of their traffic would always originate from within a controlled office network and whitelist accordingly are now forced to decide between significantly increasing the capacity of their VPN infrastructure and prioritizing endpoints for split-tunneling. Given that traditional firewall and VPN providers are seizing the moment to charge premium rates for their products, it seems likely that zero trust architectures that focus on authenticating, authorizing, and encrypting every network connection may soon be more cost-effective to implement than more traditional architectures.