According to IBM, 98 percent of companies will be using multiple hybrid cloud environments by 2021. This trend isn’t surprising. There are many benefits to operating in the cloud, such as improved productivity, greater elasticity and large cost savings, to name a few. However, we keep seeing a range of issues when it comes to cloud security. From open S3 buckets to a lack of identity and access management, why are large organizations struggling to implement an efficient cloud security strategy?
To try and answer that, we asked a range of cloud security experts to share their thoughts on some of the key cloud security challenges and provide advice on how organizations can implement a cloud security strategy that will keep them secure.
Here are their answers.
Tanya Janca | CEO and Co-Founder, Security Sidekick
Stephen Wood | Product Manager, Tripwire
So, you’re joining the stampede to the cloud but are struggling not to be trampled. This phase is about survival, not elegance. Use your limited resources strategically. I would recommend three broad courses of action:
1) Triage – What are the key assets moving into the cloud that the company can’t afford to lose? Give them the resources first. Let the low value asset owners know that they are at risk.
2) Focus on ROI – The first five of CIS’s top 20 controls block 85% of all attacks. The other 15 controls give you only 12% more coverage. Spend your time on controls that give you return.
3) Recruit the Masses – According to IBM, two-thirds of records lost were the result of human error, not state-sponsored hacking. You won’t stop issues like misconfigurations via education, but you will slow the leak.
It would also be useful to create a five-minute video that describes the top three cloud configuration errors in business manager language (i.e. small words, short sentences, color pictures). You can then point business managers toward self-help data for the technical detail.
Ben Schmerler | Director of Strategic Operations, DP Solutions
Angus Macrae | Head of Cyber Security
A great start for any organization wondering how to create an efficient cloud security strategy would be to tap into the wealth of free and vendor-agnostic information offered by the Cloud Security Alliance (CSA).
The CSA is a not-for-profit, collaborative organization with over 80,000 members & practitioners offering a wide range of industry expertise. Its mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
One of the best documents to begin with is the CSA’s ‘Security Guidance for Critical Areas of Focus in Cloud Computing.’ This guide provides a great overview of the cloud itself and of essential high-level security considerations.
Then take a look at their Cloud Controls Matrix (CCM), a baseline set of security controls to help enterprises assess the risks associated with a cloud computing provider.
For those who wish to take matters more seriously and seek professional training and certification, the CSA has also partnered with (ISC)² to establish the CCSP (Certified Cloud Security Professional). Effectively, CISSP applied to the cloud!
Tim Erlin | VP, Product Management and Strategy, Tripwire
Lori MacVittie | Principal Technical Evangelist, Office of the CTO, F5 Networks
There are two key challenges we see organizations struggling with: crafting policy and enforcing policy.
Both are challenging because consistency is a key constraint on both. Because there can be technical challenges to consistently creating and enforcing policies, organizations end up with mismatched security capabilities. They basically implement what they can in each environment even though it may be different from the desired state.
This usually happens because orgs adopt systems and services in the cloud that are different from what they use on-premises. Alternatively, they might be forced to adopt different systems and services across cloud providers.
One way that organizations can overcome this challenge is to try to use the same systems/services across cloud environments. That often means finding a third-party provider that supports all desired cloud environments and standardizing on the system/service for security functions. This enables organizations to turn policy into enforcement consistently, and it has the benefit of using existing expertise with the system/service in multiple areas.
Chris Hudson | Customer Services Consultant, Tripwire
Sarah Clarke | Data Protection & Privacy, BH Consulting
In a corporate context, I want to flag typical pitfalls in due diligence and ongoing governance.
Starting with a control wish list in the form of a questionnaire lifted directly from your internal security policy is a waste of time. Vendors make profits because everyone gets a similar service, and there is a limit to what they can or will change—even if you don’t like it.
Critically, you need to confirm how they will give you visibility of continuous controls relevant to your SaaS, IaaS, PaaS or hybrid supply, e.g. vulnerability management, security event management, information and physical asset management or access management. Will they allow you to regularly audit other controls, or if audits are a non-starter, will they evidence both adequate design and effective operation via a third party audit?
If what they will share isn’t enough to comfort you and they can’t or won’t change, then it’s a risk tolerance decision. Are they the right vendor for you? Someone senior enough to make that call needs to document their decision.
The other thing that’s utterly crucial to iron out is demarcation. Who are the go-to people on your side and their side? Will they stay in-post for long? (Vendors often have a habit of rapidly rotating staff.) How responsive can you rely on them to be? Where does your job finish and theirs start for threat and vulnerability management, incident response, data subject rights requests, access and identity management, downstream supplier or partner due diligence and integration or orchestration for the migration to cloud when things are added, connected or retired?
Some of that can get transferred to SLAs, especially incident response, when poor response times can lead to reputation damage and regulatory sanctions. More generally, you will be set up to fail if you don’t define these and other functional / non-functional requirements in time to do something about it. You should do this when the cloud idea is first floated, not the day before the service goes live.
Alex Dow | CTO, Mirai Security
Tyler Reguly | Manager, Software Development, Tripwire
When working to secure the cloud, the best thing to remember is that the cloud doesn’t exist.
You’re still talking about servers and services. The same people who leave their S3 buckets open would often never consider an open SMB share on the internet. Patching a cloud-based Linux host should have the same priority as one on your local network. At the end of the day, security is security, and whether you’re talking about IT, OT, IoT, IIoT or the cloud, security fundamentals are the key.
I think that the challenge for a lot of people is the word “cloud.” It becomes this new beast, and it creates confusion and brings challenges that don’t need to exist. If you take a step back, all you need to consider is security basics. Once you master those, you are well on your way to success.
Ian Thornton-Trump | Head of Cyber Security, AMTrust International
Andres Riancho | Application and Cloud Security Consultant
Implementing an effective cloud security strategy is a difficult task. Most companies struggle to understand new concepts and thus try to migrate what they have on premises to the cloud. My advice to those companies is: identify the top three risks for your cloud.
Learn how cloud-native companies such as Netflix are solving these issues and adapt their solutions to your cloud. Learn how these companies use automation to leverage the power of cloud computing and reduce any repetitive work previously performed by SOC analysts. Rinse and repeat. In order to implement the new security strategy, CISOs will need to hire more developers and fewer security experts.
In most cases, developers can acquire security knowledge faster than security experts can learn how to code. Hire security experts to define the strategy and developers to write the infrastructure as code that will support it.
Jeffrey Groman | Founder and Principal, Groman Consulting Group
Joe Goldberg | Sr. Cloud and Infrastructure Practice Manager, CCSI
When organizations move to the cloud, they immediately realize that many of the challenges they faced with on-premises systems are still faced in the cloud. Additionally, there are some new and very different challenges, especially around security and observability. The cloud providers’ security operations interface with customers on a shared responsibility model. It is important for customers to understand where the lines of demarcation are. For example, in an infrastructure as a service model, the provider secures the facility and the physical network, server and storage infrastructure. As a customer, it is still your responsibility to patch your servers and applications and to control the flow of network traffic to your environment with firewalls, IDS/IDP, etc. In a Platform as a Service model like AWS Lambda, the provider extends their responsibility to the server operating system, but the customer still needs to control access and secure the applications.
As with securing on-premises services, securing services in the cloud is best achieved in layers. Understanding which layers you are responsible for is a key first step.
Frank Bennett | Deputy Chairman and Member of Governance Board, Cloud Industry Forum
If you have a process-based model of security and compliance, consider shifting to a policy-based one. Most organizations’ approach to security and compliance is to leverage processes.
There are three major challenges with a process-based approach: Access Control, Security and Policy.
Firstly, it is highly reliant on people, and people make mistakes. Secondly, it is slow, laborious and complex. Thirdly, and most critically, it’s very difficult to demonstrate compliance with a process-based approach. What is needed is a deterministic methodology. Enter policy. A policy-based approach to security turns the model on its head. Instead of describing a process which enforces checks against controls, describe the controls themselves. Replace a technical design review to check that there’s sufficient separation of controls, and include a policy to describe this state of affairs.
Rather than have a committee check that all aspects of an application are deployed in a certain way, have a policy to enforce that. This is the core of a policy-based approach. A strategy based on policy that definitively allows the test of compliance (in or out of compliance) constitutes a strategic win.
Extract from “Thinking of…Building a Digital Operating Model with the Microsoft Cloud Adoption Framework for Azure? Ask the Smart Questions.”
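The policy-based approach described above (describe the desired control state, then test deterministically whether each resource is in or out of compliance) and the open S3 bucket / open SMB share point made earlier on the page both come down to the same mechanism: policy as code evaluated over an infrastructure-as-code inventory. The following is an added example written for this page; it is not code from the article or from any of its contributors. The inventory, attribute names, resource names and policy identifiers are all constructed assumptions shaped loosely like a Terraform or CloudFormation plan, not any provider's real schema.

```python
"""Minimal policy-as-code checker (added example, constructed data).

Each Policy states a control as a predicate over one resource type. The
inventory is evaluated against every policy; the result is a list of
findings, and "compliant" simply means the list is empty. No review
meeting or runbook is involved: the control itself is the check.
"""
from dataclasses import dataclass
from typing import Callable, List

# Constructed inventory: each resource is a type plus flat attributes.
# Values are deliberately mixed so that some resources fail.
INVENTORY = [
    {"type": "s3_bucket", "name": "customer-exports",
     "acl": "public-read", "block_public_access": False},
    {"type": "s3_bucket", "name": "build-artifacts",
     "acl": "private", "block_public_access": True},
    {"type": "security_group", "name": "file-server-sg",
     "ingress": [{"port": 445, "cidr": "0.0.0.0/0"},      # SMB to the world
                 {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},    # HTTPS only
    {"type": "instance", "name": "legacy-app",
     "os": "linux", "patch_baseline": None},
    {"type": "instance", "name": "api-01",
     "os": "linux", "patch_baseline": "weekly"},
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_AND_FILE_PORTS = {22, 445, 3389}   # SSH, SMB, RDP


@dataclass
class Policy:
    pid: str
    description: str
    applies_to: str                  # resource type the control governs
    check: Callable[[dict], bool]    # returns True when the resource complies


@dataclass
class Finding:
    policy: str
    resource: str
    description: str


def bucket_is_private(r: dict) -> bool:
    return r["acl"] == "private" and r["block_public_access"] is True


def no_world_admin_ingress(r: dict) -> bool:
    # Fail if any rule exposes an admin/file-sharing port to the whole internet.
    return not any(rule["cidr"] in WORLD_CIDRS and rule["port"] in ADMIN_AND_FILE_PORTS
                   for rule in r["ingress"])


def has_patch_baseline(r: dict) -> bool:
    return r["patch_baseline"] is not None


# The controls themselves, stated declaratively (constructed policy IDs).
POLICIES = [
    Policy("S3-1", "Buckets are private with public access blocked",
           "s3_bucket", bucket_is_private),
    Policy("NET-1", "SSH, SMB and RDP are never open to the internet",
           "security_group", no_world_admin_ingress),
    Policy("PATCH-1", "Every instance is attached to a patch baseline",
           "instance", has_patch_baseline),
]


def evaluate(inventory: List[dict], policies: List[Policy]) -> List[Finding]:
    """Deterministically apply every policy to every matching resource."""
    findings = []
    for policy in policies:
        for resource in inventory:
            if resource["type"] != policy.applies_to:
                continue
            if not policy.check(resource):
                findings.append(Finding(policy.pid, resource["name"], policy.description))
    return findings


def is_compliant(inventory: List[dict], policies: List[Policy]) -> bool:
    """The compliance answer is binary: no findings means in compliance."""
    return not evaluate(inventory, policies)


if __name__ == "__main__":
    for f in evaluate(INVENTORY, POLICIES):
        print(f"{f.policy}: {f.resource} -- {f.description}")
    print("in compliance" if is_compliant(INVENTORY, POLICIES) else "out of compliance")
```

Run as-is, the checker reports three findings (the public bucket, the security group exposing SMB to the internet, and the instance with no patch baseline) and declares the inventory out of compliance. Because the controls are code, the same evaluation can run in a pipeline before anything is deployed, which is the deterministic, demonstrable compliance the passage asks for.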