At CSA, we speak with technology leaders in a wide array of industries and segments, and have had the pleasure of bringing on many as customers.
Through this experience, we’ve developed a good understanding of how the best organisations tackle the challenge of cloud security.
These discussions have been interesting because the organisational dynamics of cloud companies are different, especially in the age of COVID-19. Until recently, the status quo was that IT and IT/Info Security were more concerned with on-prem problems like endpoints and networks.
Some organisations may have begun major cloud transformation projects but, with a few exceptions, these initiatives were shadow IT regardless of how proactive their security leaders were. This approach has obviously resulted in major security gaps, especially for organisations that host sensitive data in the cloud and/or are subject to compliance requirements like GDPR, PCI, HIPAA and SOC 2.
Everything changed in 2020. This was the year that most organisations began trying to figure out how to better organise themselves to meet the growing security issues around public cloud. But, as these things tend to go, it has been messy. “Best practices” haven’t really taken hold and many organisations are scrambling to figure it out on their own.
Some are looking to their cloud leaders to take responsibility for cloud security and others have strong, proactive security teams that are adapting their practices to the cloud.
Through our discussions, we’ve picked up several interesting insights:
Allow proper governance and control
Organisations need to allow their security teams to have proper governance and control in the cloud or adopt security-first cloud leadership, or both.
We’ve found that the organisations most effective at cloud security are those with strong security leaders who hold influence and authority over the organisation’s cloud, followed by – especially in the case of cloud-native companies – those with cloud leaders who understand and prioritise security.
Organisations that have the most difficulty getting on top of their cloud’s security are those with very firm boundaries between their on-prem and cloud environments. Often in these companies, we work with proactive security or cloud leaders who want to effect a culture change through education.
Uncovering the current state is key to culture change
We work with these change-makers to help them understand and quantify risks in their public cloud infrastructure so that they aren’t just talking philosophically about taking a new approach. For example, we can show them that 90% of entitlements in their cloud infrastructure are excessive (a typical finding) and that Johnny from engineering can assume an EC2 role that allows him unfettered access to S3 buckets that contain all customer data.
Armed with this internal data, they can hopefully inspire the right stakeholders to come together to build a strong plan going forward.
Cloud security expertise is really hard to find… so don’t wait for it
One common strategy we see emerging but that, frankly, is currently failing, is one of waiting for new cloud security teams to be built.
We’ve started labelling experienced cloud security folks “unicorns” because, generally, we see job openings posted for six months or more. Building these teams is certainly the right approach in the long term, but they should be looking for ways to reduce risk in the meantime, because it’s almost certainly going to be a while.
Utilise tech that harnesses automation and works within your existing workflows
Regardless of organisational structure, we’re seeing that you can’t just throw people at the problem. Because of the complexity of the cloud, the number of engineering hours required to achieve things like least privilege and/or compliance without the help of tech that harnesses automation is cost prohibitive and highly frustrating.
As an example, a typical identity attached to a resource might have something like 30 lines of code for permissions in the current state, but to achieve least privilege, often needs hundreds of lines. Even small organisations typically have thousands of users and resources, so this very quickly becomes a truly Sisyphean task for anyone.
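As an added illustration (not CSA’s or any vendor’s code) of the two points above, quantifying excessive entitlements and the growth of a least-privilege policy: the script expands a short wildcard policy against a constructed, deliberately small action catalogue, compares it with constructed CloudTrail-style usage for one principal, and reports the unused share alongside a scoped-down policy. The catalogue, policy and events are all assumptions built for the example.

```python
import fnmatch

# Constructed, deliberately small action catalogue (a real run would use the
# full per-service action list); the point is expanding wildcards against it.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]
# Current state: a short policy that quietly grants every s3 action.
CURRENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}
# Constructed CloudTrail-style records of what the principal actually did.
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

def granted_actions(policy, catalogue=ACTION_CATALOGUE):
    """Expand each Allow statement's action patterns into concrete actions."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        for pat in ([acts] if isinstance(acts, str) else acts):
            granted.update(a for a in catalogue if fnmatch.fnmatchcase(a, pat))
    return granted

def used_actions(events):
    """CloudTrail eventSource 'svc.amazonaws.com' + eventName -> 'svc:Action'."""
    return {e["eventSource"].split(".")[0] + ":" + e["eventName"] for e in events}

def excess_report(policy, events):
    """Return (granted, unused, unused_pct): the number a security leader can quote."""
    granted = granted_actions(policy)
    unused = granted - used_actions(events)
    pct = round(100 * len(unused) / len(granted), 1) if granted else 0.0
    return granted, unused, pct

def least_privilege_policy(policy, events):
    """Keep only granted actions that were observed: longer, but no wildcards.
    Scoping Resource from "*" down to specific ARNs is the next step."""
    keep = sorted(granted_actions(policy) & used_actions(events))
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": keep, "Resource": "*"}]}
```

Even against this ten-action catalogue the one-line policy leaves 75% of its grants unused; against the real action list the gap, and the length of the resulting explicit policy, grows accordingly.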
Any tech should be able to be operationalised by existing people within existing processes. Integrations with IaC, ticketing and SIEMs, as well as role-based access control (RBAC) within the tool itself, are a must.
Some strategies are ineffective given the maturity of the market
Cloud security is reaching buzzword status and, with that, comes a lot of solution providers, large and small, all vying for share of the budget. Many are currently pitching the dream of an “all-in-one” solution. We’ve heard over and over again that this is all “marketecture.”
Typically, these products do “everything,” but nothing well. Most of the time these offerings are actually separate products entirely, each with its own agent, dashboard and alerts your team can’t possibly respond to (aka more shelfware).
The more successful teams we have engaged with understand that though it is challenging to deal with multiple vendors, a comprehensive, best-of-breed approach is far more effective at really solving the problem right now. Well-run, focused startups like Ermetic are driving innovation with solutions that help customers solve the difficult problems, today, and hit the ground running.
The market will mature eventually (probably through acquisitions) but, like the talent-gap, it will take time.
Don’t wait until the board provides a mandate
At this point, security thought leaders know that the ability to predict the future is a hard requirement for survival. Generally, by the time the board provides a mandate, it’s in response to a major incident and we know who the casualties are. Leaders have to be more proactive than ever in looking at trends and trying to pre-empt threats.
In addition, due to the aforementioned constraints, it takes a long time for a strategy to become realised in terms of actual security posture. Cloud adoption is much faster and is only accelerating; to reconcile this, standard timelines need to be accelerated. This doesn’t mean planning hastily or throwing a bunch of crap at the wall hoping something sticks – but, it does mean looking directly in the face of the challenge; evaluating the current state, available resources and the market for talent/tech, planning accordingly and moving to execution as quickly as possible.
By Kapil Bareja, Co-Chair, DevSecOps, Cloud Security Alliance