As organizations continue to adopt cloud services to achieve their desired business objectives, many don’t realize that the thing that makes cloud computing great – speed, agility, easy implementation and scalability – also make it a nightmare for many security departments.
“The paradigm of cloud computing goes hand in hand with a cultural change that is much bigger than the shift to the cloud itself,” Avi Shua, CEO and co-founder of Orca Security, told Help Net Security.
“Organizations and individuals alike expect to get things done ‘here and now’. Business owners expect new features to be out in a manner of weeks – the very same features that they were willing to wait months for only a few years ago. Naturally, this dramatically reduced the time organizations are willing to devote to security as part of the development process.”
Advice for security teams
Before the advent of cloud computing, a security review taking two weeks out of a six-month project seemed acceptable. Now, when the entire project needs to be up and running in a month, two weeks spent just on security seem obstructively long.
“Nobody, including security professionals, wants to be perceived as the one who is holding back the organization’s progress,” Shua notes, and advises security teams to prioritize their requirements and be clear on which are a must and which are just “nice to have.”
“At the same time, make sure you minimize your reliance on other teams when you verify the organization’s security. The responsibility is on you; you need to be certain that the organization is secure, and any additional dependency allows for mistakes that will prevent you from doing so,” he notes.
Simultaneously, the security team must have complete visibility into all the company’s assets: what are they, where are they, what software they are running, what data is stored on them, who can access them and, most importantly, whether they are configured securely and patched for critical issues.
One thing is the same in the pre- and post-cloud world: most breaches happen when assets aren’t managed well enough.
“Security teams must have the means to assess the security posture of the all of the assets throughout the technology stack, starting at the cloud infrastructure levels of the various providers, via the operating system, applications, and the business data stored and processed on them,” he says.
“This must be done in a bulletproof way without impacting business processes or relying on cross-department integrations. Security tools must integrate the data collected from the entire technology stack so that security teams can focus on the most important items across the multi-cloud environments.”
Why use just one when you can use more?
The advantages of a multi-cloud strategy are many: cost reduction, best-of-breed features for every specific need, reduced possibility of vendor lock-in.
Most enterprises have already implemented a multi-cloud strategy and enjoy the advantages that come with it: cost reduction, best-of-breed features for every specific need, reduced possibility of vendor lock-in. (There are some downsides, as well.)
But companies’ security execs must make sure that the security mechanisms implemented don’t undermine the benefits.
Shua therefore advises to:
- Choose cloud vendors carefully: some are a better fit for a specific organization use case than others. “Each of these use cases has its own unique security characteristics – make sure the use case’s specific security policy is aligned to it.”
- Beware of unmanaged data copies. “One of the dirty secrets of many multi-cloud strategies is the fact that the data needs to be available on many and even on all environments, due to performance and cost considerations. In the vast majority of use cases, the workloads will run on a datastore which is located on the same cloud, either the master replica or a local cache. These local caches are many times neglected from a security perspective (and even unknown to the security team, as they are added after the initial design) and become an easy target for attackers,” he warns.
- Choose security vendors that support all of the cloud environments your organization uses.
- Choose tools that integrate easily and work seamlessly with your cloud providers and your entire technology stack – don’t depend on manual integrations.
- Make sure that you know exactly what’s going on in your environment, in terms of both business risk and technology in use.
Advice for CIOs and CISOs
CIOs who want to push for maximum cloud adoption in the digital transformation process but are aware of the security challenges of such an undertaking should not assume that cloud adoption and security are contradictory.
“Design your security for the cloud-first world, and you will see that you can have it all. It is possible to design security architecture that’s faster, better and cheaper than the pre-cloud world – just make sure that the security is designed for the cloud, and not copied from the pre-cloud workloads,” Shua says.
One thing that must be clearly maintained is a separation of duties: developers and DevOps are in charge of environment implementation, but the security teams must constantly verify that the environment is secure.
Finally, they should think about seeking help from the accounting department.
“They can point you at all of the organization cloud environments – including ones that you never heard of. In today’s world, where you’re always one corporate credit card away from another unmanaged IAAS environment, they can be your ally in making sure that things are done correctly,” he concludes.