Cloud computing can have a transformative effect on the ability to deliver services at scale. But without the right safeguards in place, organizations can easily find themselves treading water when it comes to securing IT assets in the public cloud. In Part 1 and Part 2 of this series, we looked at the challenges of securing public cloud and the steps that organizations can take to address them.
In this latest installment, we've compiled the most compelling commentary from our conversations with experts about the challenges and opportunities in securing the public cloud. They include:
- Varun Badhwar, former CEO and founder of RedLock
- Scott Clinton, Vice President of Product and Portfolio Marketing, Qualys
- Keatron Evans, Principal Security Researcher, Infosec
- Kenneth Hartman, Certified Instructor, SANS Institute
On managing and prioritizing risk in the cloud
- Scott Clinton, Qualys: "In order to resolve risk prioritization, you have to work across multiple teams. The security analysts and the IT ops teams have to coordinate in an effective way. And each one today often has their own definition of what the most risky assets are. Because the risk and the risk profile changes [in the cloud], being able to continuously manage and monitor that is critical."
- Kenneth G. Hartman, SANS Institute: "Security teams that have an effective risk management process are well on their way to success. Executive management needs to know what to care about, but on the other hand we cannot constantly tell them that the sky is falling. Information security risk is just one of many risks facing the business, but for those of us in infosec this is what we eat, sleep, and breathe—so we must keep our perspective when escalating issues. The first issue that most organizations have to grapple with is the question of whether they can trust their cloud services provider in the first place. After most companies have done their due diligence, they usually conclude that they can trust the CSP with certain classifications of data, but perhaps not other classifications. That is great, it shows due care, and no one can fault them for that decision."
- Keatron Evans, Infosec: "Part of understanding risk is understanding the environment in which your data, your infrastructure and your people operate. Just because you can drive a car doesn't mean you understand how the engine works or the transmission works. A lot of organizations moved to the cloud so fast that the technical staff didn't have enough time to learn the environment. And if you don't understand the environment, you can't possibly understand the security risks. The first step is to make sure you get your technical teams the proper training so that they can take a step back from the migration and actually learn the environment. You can't really go forward without doing that."
- Varun Badhwar, Independent: "Given the velocity of development in the cloud, security tools for cloud generate lots and lots of alerts. That makes it very hard for dev and security teams to differentiate between compliance problems versus actual threats. If you think of it as a big funnel, at the top is everything possible that can go wrong, then there’s stuff that’s actually exploitable today that can impact my data and applications, and finally at the bottom there’s stuff being actively targeted at this moment. It’s very important for organizations to be able to understand and delineate between those three groups. The other supercritical concept is tagging, the ability to tag and label our assets in the cloud based on their criticality to us as a business. For example, if I'm a security team sitting in a silo in Cincinnati, Ohio, and I have developers all around the world building applications for me, how do I know which application is production, which application has PCI data, or which application is just my testbed application – I just don't have that context, and all that context comes from development teams. So what's really important in this partnership is that developer discipline of tagging which, combined with the right CNAPP, can be set up in such a way where you really start prioritizing risks that matter."
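The three-tier funnel and the tagging discipline described above can be turned into something a security team can actually run. The following is an added example written for this article, not code from any of the speakers or their companies; the finding format, the tag keys (`env`, `data`), the weighting tables and the sample findings are all constructed assumptions. It ranks findings first by funnel tier (actively targeted, exploitable today, merely possible) and then by the business criticality the tags express, and it sets aside any asset whose developers never tagged it, since that is exactly the missing context the quote warns about.

```python
"""Added example: ranking cloud findings by funnel tier and asset tags.

Assumed data model (constructed for this example, not any scanner's schema):
each finding names an asset, carries the developer-applied tags on that asset,
and has two booleans from the scanner: exploitable (reachable and exploitable
today) and targeted (active attacks observed right now).
"""
from dataclasses import dataclass

# Funnel tiers from the passage. Higher number = higher priority.
TIER_POSSIBLE, TIER_EXPLOITABLE, TIER_TARGETED = 1, 2, 3

# Criticality derived from tags (assumed tag vocabulary).
ENV_WEIGHT = {"prod": 3, "staging": 2, "test": 1}
DATA_WEIGHT = {"pci": 3, "pii": 2, "internal": 1, "public": 0}


@dataclass
class Finding:
    asset: str
    issue: str
    tags: dict
    exploitable: bool = False
    targeted: bool = False


def tier(f: Finding) -> int:
    """Map a finding onto the three funnel tiers."""
    if f.targeted:
        return TIER_TARGETED
    if f.exploitable:
        return TIER_EXPLOITABLE
    return TIER_POSSIBLE


def criticality(tags: dict):
    """Return (score, missing). score is None when required tags are absent."""
    missing = [k for k in ("env", "data") if k not in tags]
    if missing:
        return None, missing
    env = ENV_WEIGHT.get(tags["env"].lower(), 0)
    data = DATA_WEIGHT.get(tags["data"].lower(), 0)
    return env + data, []


def prioritize(findings):
    """Return (ranked, needs_context).

    ranked: list of (tier, criticality, asset, issue), highest priority first.
    needs_context: untagged assets that security cannot rank without dev input.
    """
    ranked, needs_context = [], []
    for f in findings:
        score, missing = criticality(f.tags)
        if score is None:
            needs_context.append((f.asset, f.issue, missing))
            continue
        ranked.append((tier(f), score, f.asset, f.issue))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return ranked, needs_context


# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("web-api-eu", "outdated-image-library", {"env": "prod", "data": "pci"}, exploitable=True),
    Finding("batch-worker", "exposed-admin-port", {"env": "prod", "data": "internal"}, exploitable=True, targeted=True),
    Finding("dev-sandbox", "outdated-image-library", {"env": "test", "data": "public"}, exploitable=True),
    Finding("legacy-etl", "bucket-public-acl", {"env": "prod", "data": "pii"}),
    Finding("mystery-vm", "weak-ssh-config", {}, exploitable=True),
]

if __name__ == "__main__":
    ranked, needs_context = prioritize(SAMPLE)
    for t, score, asset, issue in ranked:
        print(f"tier={t} crit={score} {asset}: {issue}")
    for asset, issue, missing in needs_context:
        print(f"NEEDS CONTEXT: {asset}: {issue} (missing tags {missing})")
```

Note that the `legacy-etl` misconfiguration sorts below an exploitable issue on a public test box even though it sits on production PII: tier comes first because the funnel is about what can hurt you today, and the tag weights only break ties within a tier. Teams that disagree with that ordering can swap the sort key, but they should decide it deliberately rather than let the alert volume decide for them.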
On staffing and supporting cloud security expertise
- Varun Badhwar, Independent: "This is a universal challenge. In order to be proficient in the cloud, you need to have much more of a product engineering background because of the things like shifting security left, scanning templates, getting the pipeline, understanding APIs — you need to be much more technically versed. You can't read a book in six months and become a cloud security expert. Where we see people having a lot of success is in the DevSecOps movement — this idea that you can't really think of security as a silo outside of development. And so a lot of the DevOps teams actually have the technical skill sets. So being able to cross pollinate security teams with DevOps teams, and integrate them with a universal charter, is really the only way to solve this."
- Keatron Evans, Infosec: "Problem one is, we’re combining the two most in-demand and least supplied career fields [cybersecurity and cloud], and saying ‘we want someone who can fill both of these’. So that's problem number one. Problem two: We're asking for these things without providing adequate time for upskilling and retraining. Instead of going out and hiring a bunch of people, look at what you do have and think about the potential for upskilling. And as you recruit people, make sure you have ways to actually measure skill, not just degrees and certifications and resumes. If I can get one person with the right skills, that's probably worth five people with the right certifications and degrees."
On insecure APIs
- Kenneth G. Hartman, SANS Institute: "Smaller and less mature organizations may lack effective security testing of their APIs. It is quite common to see penetration testing reports that show custom APIs that do not properly enforce authorization. By this I mean that low-privileged users may be able to make certain API calls that only an administrative user should be able to make."
- Keatron Evans, Infosec: "A lot of the APIs that were traditionally built for closed or non-public environments are now just being retooled to access cloud data, cloud front ends and things like that. So what ends up happening is there's a lot of insecurity there, but they weren't meant to be necessarily secure from the beginning. You also have developers that are creating APIs who are not really versed in secure coding. They might be great programmers from the standpoint that they can make anything out of nothing, but being able to code securely is not the same as being able to code. So what's happening is we're seeing some of the best ideas ever in terms of implementing APIs that allow access to data, but when we look at the security it's still lacking."
- Scott Clinton, Qualys: "Our recommendation is to integrate DevSecOps teams with security analysts to make sure they’re sharing the latest vulnerability data. That means taking and performing tests through the development process, like dynamic application testing so that security analysts can continuously monitor the existing APIs and provide feedback to dev teams that these issues need to be solved. But it also means providing developers tools that integrate with their dev cycle so that they can scan the images they're using and begin monitoring library vulnerabilities. So being able to have that shared connection of data and vulnerability information between the developer teams and the DevSecOps teams is a good place to start that collaboration."
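Hartman's pentest finding above, an API where a low-privileged user can call something only an administrator should, usually comes down to handlers that check authentication and stop there. The following is an added example written for this article, not code from any of the speakers, Qualys, Infosec or SANS; the in-memory tables, the two-role model ("user"/"admin"), the handler signatures and the invoice data are all constructed assumptions. It puts the vulnerable handlers beside hardened ones that add the missing function-level check (who may call this at all) and object-level check (which records this caller may touch), and a `probe()` function replays the pentester's low-privilege calls against both.

```python
"""Added example: an API that authenticates but never authorizes, beside the
fixed version. Everything here is constructed for illustration: the in-memory
tables, the role names and the handler signatures are assumptions, not any
real product's API. The vulnerable_* handlers are the anti-pattern from the
quote above; the hardened_* handlers add the checks that were missing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # "user" or "admin" (assumed two-role model)


# Constructed data (not from any real system).
INVOICES = {
    "inv-100": {"owner": "u1", "amount": 42},
    "inv-200": {"owner": "u2", "amount": 7},
}


# --- Vulnerable: only "is the caller logged in?" is ever checked --------------
def vulnerable_get_invoice(caller, invoice_id):
    if caller is None:
        return 401, "authenticate first"
    inv = INVOICES.get(invoice_id)
    # Any authenticated user can read any invoice: no object-level authorization.
    return (200, inv) if inv else (404, "no such invoice")


def vulnerable_delete_user(caller, users, target):
    if caller is None:
        return 401, "authenticate first"
    # Admin-only operation, but nothing inspects caller.role: no function-level authorization.
    users.pop(target, None)
    return 200, f"deleted {target}"


# --- Hardened: each handler states who may call it and on which objects ------
def require_role(caller, *allowed):
    """Return an error response, or None when the caller may proceed."""
    if caller is None:
        return 401, "authenticate first"
    if caller.role not in allowed:
        return 403, "forbidden"
    return None


def hardened_get_invoice(caller, invoice_id):
    denied = require_role(caller, "user", "admin")
    if denied:
        return denied
    inv = INVOICES.get(invoice_id)
    # Object-level check: owner or admin only. A non-owner gets the same 404 as a
    # missing id, so the endpoint does not reveal which invoice ids exist.
    if inv is None or (inv["owner"] != caller.user_id and caller.role != "admin"):
        return 404, "no such invoice"
    return 200, inv


def hardened_delete_user(caller, users, target):
    denied = require_role(caller, "admin")  # function-level check first
    if denied:
        return denied
    if target not in users:
        return 404, "no such user"
    users.pop(target)
    return 200, f"deleted {target}"


def probe():
    """Replay the pentest scenario: a low-privileged user calls an admin-only
    endpoint and reads another user's record against both implementations.
    Returns the HTTP status each call produced."""
    low = Principal("u2", "user")
    admin = Principal("a1", "admin")
    return {
        "vuln_read_other": vulnerable_get_invoice(low, "inv-100")[0],
        "hard_read_other": hardened_get_invoice(low, "inv-100")[0],
        "hard_read_own": hardened_get_invoice(low, "inv-200")[0],
        "vuln_delete": vulnerable_delete_user(low, {"u1": "alice", "u2": "bob"}, "u1")[0],
        "hard_delete": hardened_delete_user(low, {"u1": "alice", "u2": "bob"}, "u1")[0],
        "hard_admin_delete": hardened_delete_user(admin, {"u1": "alice"}, "u1")[0],
        "anonymous": hardened_get_invoice(None, "inv-100")[0],
    }


if __name__ == "__main__":
    for name, status in probe().items():
        print(f"{name}: {status}")
```

The same calls that return 200 against the vulnerable handlers are what show up as "low-privileged user can perform administrative action" in a report; the hardened versions return 403 or 404 instead. The dynamic testing Clinton recommends is essentially running `probe()` continuously against the live API with a deliberately under-privileged test account.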
On the future of public cloud
- Kenneth G. Hartman, SANS Institute: "I think that 5G technologies and IPv6 will bring the cloud down to us. I expect that in the future, we will no longer think of the cloud as 'someone else's computer, in someone else's data center,' but it will be more of a pervasive computing metaphor. When I consider the decreasing costs of storage along with the increased processing power and the increases of artificial intelligence and data science, I don't think that I am going too far out on a limb to say that it will be a brave new world, with all kinds of new challenges and opportunities. Remember that scale changes everything!"
- Keatron Evans, Infosec: "There's a lot of opportunity as we combine and try to wrap security into everything. Specifically for cloud, there's a lot of reengineering here. Initially when we started migrating, we were trying to figure out how to take our old apps and migrate them to the cloud. And now we figured out there are tools there that make it more efficient just to rebuild those apps and those capabilities from scratch in the cloud itself. Things like Lambda, serverless technology and that type of stuff — we can rebuild it from scratch a lot cheaper than trying to migrate the old stuff, and we can manage it a lot more efficiently as well. As developers tasked with creating apps from scratch, this gives us the perfect opportunity to do what we didn't have the opportunity to do 30 years ago, which is to truly bake security into the application build-out process from the beginning. We have that opportunity, now we just have to make sure we take advantage of it."