The cloud can be overwhelming. Counter to the structured and disciplined rigor of old-school, waterfall, data-center-centric application development, there’s code being deployed in a nearly continuous fashion. Traditional servers are history. Penetration tests are so out of date by the time they’re done that CISOs and their teams are left wondering if they actually gained anything from the exercise.
I consistently talk to enterprises that are either beginning or accelerating their move from traditional on-premises infrastructure to the cloud. They anticipate benefits, including increased agility, reduced cost, flexibility, and ease-of-use. But along with this transition come new security concerns and a bit of fear to top it off. They’ve heard the stories from their colleagues. Many of the security best practices and tools previously relied on, like traditional AV endpoint offerings and network scanning, are becoming trivialized, while API-centric security is rapidly gaining traction. Today’s cloud security practices are a big shift from how we’ve been managing security for the previous 30 years.
However, almost every organization recognizes the need to adapt and modernize its security policies to continue to achieve corporate goals while taking advantage of everything the cloud can offer. Security, as we know it, can be the ultimate accelerator or the biggest blocker in cloud adoption and technical innovation.
Many security and development professionals are struggling to find the right cloud security approach to fit their modern IT practices. They worry most about the lack of control and visibility that comes with public cloud. But they also don’t want to create the potential for their organization to start falling behind competitors because they’ve slowed or blocked the adoption of cloud or other closely related emerging technologies such as Docker and Kubernetes.
When it comes to cloud security today, there are many issues that organizations are trying to sort through. Here are a few I hear the most and how I suggest addressing them:
1) Viewing the cloud as another product
You can’t assess your cloud security today and assume your assessment holds true tomorrow. Honestly, it probably won’t hold true an hour from now. The cloud is living, breathing, and rapidly changing. Security within this constantly changing environment must be continuous, or it won’t be effective. Traditional security approaches were not created to fit the rapidly changing, elastic infrastructure of the cloud. As attacks become increasingly automated, you need to adopt new security tools and techniques to work effectively in this new ecosystem. Terraform and Ansible are both great options for automating your security stack.
2) Realizing that traditional scanning just won’t do
Traditional data center security relies on being deployed within an application or operating system, or on traditional network-based IP scanning techniques. In the cloud, this approach doesn’t work. Users run application stacks on abstracted services and PaaS layers or leverage API-driven services that render conventional security approaches ineffective. Cloud environments are so fundamentally different from their static, on-premises counterparts that they require an entirely new way of administering security practices. This means adopting new cloud security technologies that provide extreme visibility by leveraging a combination of cloud provider APIs and integrations with other third-party tools.
3) Differentiating real security issues from “noise”
Teams working in the cloud benefit from speed and acceleration, but it’s important to recognize how the approach to security must be vastly different. A major challenge is discerning real vulnerabilities from infrastructure “noise.” All this change and noise make a manual inspection of the infrastructure too slow to be effective. The API-centric cloud world requires a new way for security teams to protect their environments, but not all cloud and IT teams really understand these security nuances. Security automation is one way to overcome the knowledge and skills shortfall that exists in many development and IT shops.
4) Lack of compliance with API-driven cloud security
The emergence of API-driven cloud services has changed the way security needs to be architected, implemented, and managed. Although the API is a completely new threat surface that we need to defend, it also provides the ability to automate detection and remediation. As compliance benchmarks, like the CIS AWS Foundations Benchmark, are released, we will have the means to assess our security posture against industry-defined best practices. These help to ensure we’re taking the right steps to keep our customers, employees, infrastructure, and intellectual property secure. Cloud migrations are happening quickly, and compliance with rapidly evolving security requirements is an ever-increasing challenge that must be resolved through automation in order to claim success.
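As an added example (not from the original article), here is the kind of API-driven check described above: instead of scanning IP addresses, it evaluates a response in the shape of EC2's DescribeSecurityGroups for administrative ports open to the whole internet, a condition the CIS AWS Foundations Benchmark also covers. The group IDs and sample data are constructed; in practice the dictionary would come from the provider API.

```python
import ipaddress

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example4", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

ADMIN_PORTS = (22, 3389)  # SSH and RDP


def is_world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_port(rule, port):
    """Protocol "-1" means all traffic and carries no port range."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_open_admin_ports(response):
    """Return sorted (group_id, port, cidr) findings for world-open admin ports."""
    findings = set()
    for group in response["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                for port in ADMIN_PORTS:
                    if is_world_open(cidr) and covers_port(rule, port):
                        findings.add((group["GroupId"], port, cidr))
    return sorted(findings)
```

Note the two cases a simple "port 22 from 0.0.0.0/0" match would miss: the all-traffic rule on `sg-0example3` and the 3000-4000 range on `sg-0example4`, which includes RDP.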
Whether your organization was born in the cloud or is migrating to the public cloud, building out private cloud, or dealing with a complex hybrid cloud strategy, the cloud is happening—and it is an absolute necessity that we adapt our security practices. No longer is security left to the InfoSec team: we all play a part in creating a holistic, continuous, and rapidly adapting security program fit to support the cloud.