The cloud’s distributed nature presents a blessing and a curse when it comes to cybersecurity. A long list of individuals are collectively responsible for protecting cloud resources and the sensitive data stored in the cloud.
The functions most obviously responsible for protecting cloud resources typically have “security” in their title: cloud security leader, cloud security engineer, cloud architect or security analyst – to name a few. These roles measure, and are measured on, security performance. But it’s not just security professionals alone who must safeguard cloud assets. It goes back to collective responsibility, a shared model that incorporates identity and access management (IAM), DevOps, compliance operations and risk management teams.
This collaboration often serves as the secret weapon of defenders. But too many “cooks” can make for a cluttered kitchen. Delegating cloud responsibilities down a long line of internal leaders can lead to confusion and inefficiency, especially when everyone has different security priorities, goals, tools, expertise, and criteria. Still, these different segments must come together to unify the disparate parts, for the organization’s success could depend on it.
What exactly should security teams do?
Business leaders should treat their organization’s shared responsibility model as a strength – these are capable technical leaders who can, with some guidance, unify or codify important processes and best practices. To fit this under one umbrella, security teams should consider the following six steps to topple silos and gain much-needed context:
Merge visibility across workloads, identities, and code
As the world moves away from siloed cloud products, teams should adopt tools that offer a holistic view, and then educate cloud personnel on the benefits of this holistic approach. Teams under the shared responsibility model should always consider an attacker’s perspective and have to ability to answer a question like: “How could a realistic threat actor break into this environment?” Greater awareness and visibility across the board means a smoother path toward risk management.
Automate manual and repetitive tasks such as monitoring, detection, prioritization, and remediation
Through automation, security teams achieve consistency and accuracy across the organization. It also increases productivity by letting teams focus more energy on meaningful work that ultimately reduces the organization’s exposure to cyber risk.
Educate IAM teams
In on-premises environments, IAM was an important part of the IT security organization, but it was still effectively a secondary security control. In the cloud, IAM becomes major, as all cloud services are controlled via identity, and teams cannot secure cloud access with legacy tools. In addition to scores of human users who need access to cloud infrastructure, there are also service accounts. With service accounts/machine identities, much more risk can be introduced in the environment. IAM teams need to extend their responsibility to review machine identities. To do so, they need that holistic context.
Amp-up DevOps security
With on-prem, IT folks effectively “owned” the tech infrastructure. With cloud migration, in most cases, this has been passed to DevOps. Developers who build an online banking app may only measure how quickly they’re pushing out new features and not necessarily the security of those features. Plus, the virtual nature of the cloud means IT/security teams are no longer simply “in the next room.” So, to properly educate and communicate with these folks, security teams must adopt tools and processes that help them identify ownership. In addition, should a security concern arise, they must know how to communicate with developers in a way that resonates with them. And security leaders must explain, often graphically, why or where there’s a festering security issue, and then offer concrete solutions via code.
Offer risk teams compliance policies that are clear and accessible
Let’s consider a regulated financial institution: The organization has to comply with certain standards such as NIST or GDPR, which can have broad directives like “encrypted data at rest.” But what does that really mean? Can we translate that into a technical policy to enforce on cloud services that better speaks developers’ language? Risk and compliance teams must see through opaque language and translate it into technical policies. And then, once complete and validated, we have to translate it back into business language for auditors. Such complexity means all personnel must strive toward clear, accessible policies.
Equip incident response teams with advanced risk analysis
Security teams can minimize cyber risk, but not eliminate it entirely. Detective controls are a must, and a lifeline for incident responders. While detection capabilities are still improving in the cloud – and breaches have often been malware-less and crypto-mining-focused – it’s vital to have the ability to quickly identify and block an incident. Look across different cloud services and sample them to collect intelligence – are resources exposed to the internet? Are there backdoors? Can permissions get changed? Red flags are anomalous behavior that resembles a realistic attack path.
It’s clear that by enhancing cloud-resource visibility, security teams can address and contain risks faster. The visibility also improves operational and organizational insights, and fosters a productive spirit of collaboration.
Managing growing cloud environments takes a village. It’s essential to bring teams together with a shared goal of actively contributing to security. Part of that requires understanding individual goals and implementing strategies that leverage as many artifacts as possible.
We should strive to build organizations where cloud resources never become cloud security issues.
Arick Goomanovksy, chief product officer, vice president of cloud security, Tenable
