People think of moving to the cloud as a "lift and shift" type effort, when really it's more like lift, adapt, and shift. And CISOs really need to adapt. Managing risk at cloud speed and scale takes some adjustments, as does taking on increased accountability for cloud security while ceding control to the R&D teams that design and spin up cloud resources.
Still, my experience leading a major cloud migration effort has been that moving to the cloud can strengthen an organization’s security posture, if done correctly. Companies can start by adopting a holistic approach to cloud security, from the first step in the development process through runtime.
Here are three basic steps to a secure cloud migration:
- Always assume the company will get breached: The mindset itself is not new, but the cloud presents a different and far larger set of attack vectors and vulnerabilities, and the environment changes at a much faster pace.
- Implement proactive measures beyond what's offered by cloud providers: No matter how good the cloud provider’s tools are, it's risky to rely solely on them to protect the company’s crown jewels.
- Create a plan for managing the friction between accountability and authority: In the cloud these don't really go hand in hand; the CISO is accountable for security outcomes while the authority to create and change resources sits with the engineering teams. It's a huge topic that deserves a deep dive, but we'll need a fundamental realignment across development and security teams for CISOs to effectively protect cloud systems and manage risk.
Can security teams stop potential cloud attacks?
Much of the innovation in cloud security has focused on "shifting left," or baking security in early on and throughout the development process. However, when my team and I were migrating to the cloud, we hit a major roadblock when it came to runtime security. And that matters a great deal because regardless of how a company gets breached, the attack itself always unfolds at runtime.
Unfortunately, most existing products that aim to detect cloud attacks started life with a different objective, such as posture management or endpoint security. Detection capabilities were then layered on top of each other in an ad-hoc build-out that requires an unsustainable amount of configuration and maintenance. Plus, we already know that a patchwork of security tools creates gaps and blind spots.
There were also technological constraints, but advances in kernel-level instrumentation such as the extended Berkeley Packet Filter (eBPF), which lets a sensor observe process, file and network activity inside a running workload without modifying the application, have moved cloud security forward. Simply put, eBPF gives organizations the "boots on the cloud" needed to deal with the next wave of cloud attacks at runtime.
And just as cloud environments have different attributes than on-prem networks, cloud attacks manifest in very different ways than those against legacy systems. Cloud attacks are opportunistic and improvised rather than scripted. Attackers rarely follow a fixed playbook of tactics, techniques, and procedures (TTPs), because a playbook written for one environment rarely works in another. As a result, mature attack detection tools such as endpoint detection and response (EDR) products, which lean heavily on known TTPs and signatures, are far less effective in detecting them.
Also, cloud attackers often start with one goal in mind, such as placing a cryptominer, or even just spinning up a VM. But when the opportunity arises to take over an account, access crown jewels or exfiltrate data, they pivot faster than defenders are prepared for. If that's not enough, they usually act through stolen but valid credentials, so they look like a legitimate user. Attacks such as Scarleteel, CCminer and Pyloose offer a whiff of what's to come, which in turn helps to shape the next generation of cloud defenses.
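To make the point concrete, here is a small Python detector that correlates a workload's runtime events (the kind an eBPF-based sensor would emit: process exec, network connect, file open) with the cloud API calls made under that workload's identity. This is an added example written for this edit, not code from the article or from Sweet Security's product. The event format, the per-workload baselines, the destination allowlists and the sample events are all constructed assumptions; the escalation stages are one illustrative way to express the cryptominer-to-crown-jewels progression described above.

```python
"""Sequence-based runtime detector over constructed workload events.

Added example, not from the article or Sweet Security. Event shapes,
field names, baselines and the sample events below are assumptions
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed per-workload baselines that a runtime sensor could learn over time.
IMAGE_BINARIES = {"api-pod-7f": {"/app/server", "/bin/sh"},
                  "batch-job-2c": {"/app/worker"}}
ALLOWED_EGRESS = {"api-pod-7f": {"sqs.us-east-1.amazonaws.com", "s3.us-east-1.amazonaws.com"},
                  "batch-job-2c": {"s3.us-east-1.amazonaws.com"}}
BASELINE_ACTIONS = {"api-pod-7f": {"s3:GetObject", "sqs:ReceiveMessage"},
                    "batch-job-2c": {"s3:GetObject"}}
CREDENTIAL_PATHS = {"/var/run/secrets/kubernetes.io/serviceaccount/token",
                    "/root/.aws/credentials"}
IMDS_HOST = "169.254.169.254"  # instance metadata service, a common credential-theft target


@dataclass
class WorkloadState:
    drift: bool = False        # executed a binary that is not in the image
    foothold: bool = False     # drift followed by egress to a non-allowlisted host
    cred_access: bool = False  # credential file or IMDS touched after the foothold


@dataclass
class Finding:
    workload: str
    stage: int      # 0 = informational, 1 = foothold, 2 = credential access, 3 = off-baseline API use
    reason: str


def analyze(events):
    """Correlate events per workload in arrival order and return all findings."""
    states = defaultdict(WorkloadState)
    findings = []
    for ev in events:
        w, kind = ev["workload"], ev["type"]
        st = states[w]
        if kind == "exec" and ev["exe"] not in IMAGE_BINARIES.get(w, set()):
            st.drift = True
            findings.append(Finding(w, 0, f"exec of {ev['exe']} not in image"))
        elif kind == "connect":
            if ev["host"] == IMDS_HOST and st.foothold:
                st.cred_access = True
                findings.append(Finding(w, 2, "IMDS query after foothold"))
            elif ev["host"] not in ALLOWED_EGRESS.get(w, set()) and st.drift:
                st.foothold = True
                findings.append(Finding(w, 1, f"unexpected binary connected to {ev['host']}"))
        elif kind == "open" and ev["path"] in CREDENTIAL_PATHS and st.foothold:
            st.cred_access = True
            findings.append(Finding(w, 2, f"read {ev['path']} after foothold"))
        elif kind == "api" and ev["action"] not in BASELINE_ACTIONS.get(w, set()):
            # The same API call is low-severity drift on a healthy workload, but the
            # final stage when it follows a foothold and credential access: the call
            # is made with valid credentials, so only the runtime context gives it away.
            stage = 3 if (st.foothold and st.cred_access) else 0
            findings.append(Finding(w, stage, f"{ev['action']} not in baseline"))
    return findings


def max_stage(findings, workload):
    """Highest escalation stage reached by one workload (0 if nothing was flagged)."""
    return max((f.stage for f in findings if f.workload == workload), default=0)


# Constructed sample sensor output: one healthy workload and one that is taken over.
EVENTS = [
    {"workload": "api-pod-7f", "type": "exec", "exe": "/app/server"},
    {"workload": "api-pod-7f", "type": "api", "action": "s3:GetObject"},
    {"workload": "batch-job-2c", "type": "exec", "exe": "/tmp/.cache/miner"},
    {"workload": "batch-job-2c", "type": "connect", "host": "pool.example.net"},
    {"workload": "batch-job-2c", "type": "open",
     "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"workload": "batch-job-2c", "type": "connect", "host": IMDS_HOST},
    {"workload": "batch-job-2c", "type": "api", "action": "sts:GetCallerIdentity"},
    {"workload": "batch-job-2c", "type": "api", "action": "secretsmanager:GetSecretValue"},
    {"workload": "batch-job-2c", "type": "api", "action": "s3:ListBuckets"},
    {"workload": "api-pod-7f", "type": "api", "action": "sqs:SendMessage"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.workload:12s} stage={f.stage} {f.reason}")
```

The detail worth noticing is the last branch: `sqs:SendMessage` from the healthy pod and `secretsmanager:GetSecretValue` from the compromised job are both "API call not in baseline" and both carry valid credentials, so a log-only view scores them the same. Only the runtime sequence on the host (unexpected binary, unexpected egress, token read, IMDS query) separates the two.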
Bottom line: runtime visibility sets a new trajectory for cloud security. When strong risk management and security capabilities are baked into the digital transformation effort, from development through runtime, it shatters the myth that there will always be a trade-off between strong security and a highly productive, connected workforce.
Dror Kashti, co-founder and CEO, Sweet Security