Thoughts on Cloud Security

Rafael Garrido
May 14, 2021

I recently had the opportunity to share my thoughts for an online news outlet, and thought it would be great to share them here as well. The outlet is working on a new series focused on the state and future of cloud security and is looking for individuals in the field who want to share their insights on the following:

What is the state of cloud security today?

Over the last 5–6 years, cloud service providers (CSPs) have made great strides in developing new features and services that allow their customers to improve visibility and control of their cloud environments. Security solutions vendors also stepped up their game and integrated these or similar features into their platforms, providing their customers with more versatile solutions. However, it seems we often read about large companies that operate mainly in the cloud being impacted by data breaches, fueling the fears of many who believe the “cloud” is insecure. Personally, I disagree. If you look at the postmortem details of these high-profile breaches, there is one common theme — human error and/or misconfiguration. Perhaps more effort should be put into leveraging the aforementioned CSP and security solution improvements to gain visibility and implement better guardrails.

What are the most common challenges organizations face when it comes to cloud security today?

Traditional security concepts still apply, but the tools typically don’t

The cloud is really just someone else’s data center. Therefore, many core security concepts such as DiD (defense in depth) and threat modeling are still applicable. However, traditional tools used to control network traffic and attain better network visibility can’t be used in the cloud. Additionally, security tools that require agents to be deployed and configured tend to be more difficult to manage, as the lifecycle of cloud resources is short-lived in comparison to the old data center days.

Skilled staff and operational processes

While DevOps has been around for a while now, the security industry is still working towards embracing many of the technologies used by DevOps teams. I recall attending an AWS re:Invent session back in 2015 that talked about this new concept of DevSecOps aimed at addressing the problem. Months later it appeared it would become a bit of a movement, but sadly it only caught on across companies that embraced the cloud early on. Today, it is still difficult to find security professionals who have moved beyond security by spreadsheets in favor of DevOps techniques.

What lessons can be learned from the biggest cloud-related breaches of 2020?

Misconfiguration

An example of a misconfiguration is when a cloud-hosted data store containing sensitive data (say user credentials and/or encryption keys) is exposed to the public, meaning anyone with access to the internet could potentially access the data without any form of authentication.

Customers’ misconfiguration of cloud services has led to the abuse and ill-intended usage of services, which we tend to read about in security breaches. It might sound crazy or far-fetched, but misconfigurations like this have been a common theme in the past, especially for AWS’ S3 service. It seems customers tend to forget that the use of the “cloud” comes with a shared responsibility. Cloud providers are responsible for keeping the underlying infrastructure of services secured, but the configuration of these services is the responsibility of the customer. This often seems to be missed in the stories we read about, and potential customers continue to fear that the cloud is not secure.
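To make the public data store misconfiguration concrete, here is an added example (not part of the original post) of a small guardrail check that decides whether an S3 bucket is readable without authentication. The policy, ACL and Public Access Block field names are S3's own; the snapshot dictionary layout, function names and sample buckets are assumptions made for illustration.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard(principal):
    """True for Principal "*" and for {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_findings(bucket):
    """List the reasons a bucket snapshot is readable without authentication."""
    pab = bucket.get("public_access_block") or {}
    findings = []
    if not pab.get("RestrictPublicBuckets"):  # otherwise public policies are neutralised
        stmts = (bucket.get("policy") or {}).get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            # Simplification: any Condition is treated as narrowing the grant.
            if (s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
                    and not s.get("Condition")):
                findings.append(f"policy:{s.get('Sid', '?')} allows {s.get('Action')} to anyone")
    if not pab.get("IgnorePublicAcls"):  # otherwise public ACL grants are ignored
        for g in bucket.get("acl_grants", []):
            if g.get("Grantee", {}).get("URI") == ALL_USERS:
                findings.append(f"acl:{g.get('Permission')} granted to AllUsers")
    return findings

def guardrail(bucket):
    """Verdict plus the Public Access Block flags to switch on as remediation."""
    pab = bucket.get("public_access_block") or {}
    findings = public_findings(bucket)
    fix = [k for k in PAB_KEYS if not pab.get(k)] if findings else []
    return {"bucket": bucket["name"], "public": bool(findings),
            "findings": findings, "enable": fix}

# Constructed sample snapshots (not real buckets).
READ_ALL = {"Statement": [{"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-assets/*"}]}
BUCKETS = [
    {"name": "example-assets", "policy": READ_ALL},
    {"name": "example-locked", "policy": READ_ALL,
     "public_access_block": dict.fromkeys(PAB_KEYS, True)},
    {"name": "example-legacy", "public_access_block": {"BlockPublicPolicy": True},
     "acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
]

if __name__ == "__main__":
    for b in BUCKETS:
        print(guardrail(b))
```

The second sample carries the same public-read policy as the first but is not reported, because its Public Access Block settings override the policy; that is the customer-side control the shared responsibility model leaves to you.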

What are 3–5 pieces of advice for organizations looking to improve their cloud security in 2021?

Invest in your staff

With good security professionals in high demand, companies are better off investing in their security professionals who show an interest in “cloud” in order to take their security organization to the next level. Solid training and support will enable them to better collaborate with development teams and significantly raise the “security” bar of their cloud environment. There are plenty of free resources available today, such as cloud security standards and open source solutions, that can be leveraged. The Center for Internet Security (CIS) controls and/or AWS’ Well-Architected Framework are great resources to help get started.

Build guardrails

As a reformed cloud security professional, I can say that embracing the cloud takes a shift in mindset. In general, security teams need to stop saying “no” and getting in the way of innovation. Instead, they need to be able to provide development teams the access they need — when they need it, and put guardrails in place to ensure security. To be successful, it is key to do this in a way that does not have a significant impact on the development experience. An example would be implementing a cloud governance program that defines and implements best practices and controls, and takes action on violations without developer intervention.

Gain visibility

Unlike a typical data center, the big 3 CSPs offer an array of services and features that can provide a level of visibility that, as security professionals, we always dreamed of having. The ease of deployment, scalability and management of services to do things such as centralize logging, monitoring and alerts is exciting. More importantly, there is an abundance of open source tools and solutions, and it is all at the fingertips of anyone who wants to dig a little deeper.

What’s the future of cloud security?

The future is bright. As security professionals embrace and understand the “cloud”, the security of the “cloud” would be perceived as improving. To be clear, the problem is not the security of the “cloud”, but the tools and policies used by cloud customers to secure and control their cloud environments. To this day, many companies have misconceptions and misunderstandings about what security the cloud can offer them. This seems further distorted by the imaginary concerns around the security and control implications of different cloud models (public, private, hybrid, multi-cloud).

In reality, “security” across the three biggest CSPs (AWS, Azure, GCP) is better than most enterprise data centers. This is not just my opinion; others agree as well. Global research company Gartner stated that “public infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centres.”

So, let’s stop using “security” as a way to stifle cloud adoption. Instead, let’s get security teams learning how to leverage programmatic infrastructure techniques to apply automation, creating guardrails that can eliminate human error/misconfigurations. This is especially important if you agree with Gartner’s prediction: “Gartner predicts that through 2022 at least 95% of security failures in the cloud will be caused by the customers.”

“Opinions expressed are solely my own and do not express the views or opinions of my employer.”

References: https://hostingtribunal.com/blog/cloud-computing-statistics/ — Q18