Evolving Security to Meet the Challenges of the Cloud, Part 1
September 13, 2022
The widespread move to the cloud has forced organizations to restructure themselves to be more flexible, scalable, and adaptable in various ways. However, these advancements have posed new challenges to cybersecurity experts. Cloud security requires a different approach to managing risk and designing security controls because it operates under a shared responsibility model, and cloud service providers constantly release new features and services. The industry has had to redefine what it means to build a strong security posture. The challenges of the cloud are new, and so are the solutions. However, the structures of those solutions are familiar to anyone who’s been in the cybersecurity industry for any length of time. No single technology or process will solve today’s problems; what works is the time-tested combination of people, process, and technology.
The race for best practices is on
Hackers defeating complex security isn’t the most significant enterprise risk. Misconfigurations and improper setups remain the largest contributors to cloud data breaches. The Capital One breach, for example, was primarily due to misconfigurations and excessive permissions.
And it’s not simply initial misconfigurations that are the problem; configuration drift is also a significant issue. Configuration drift usually results from changes made to production workloads without proper consideration given to security. Businesses are mostly focused on enabling their critical use cases. Modern businesses react quickly. They’re flexible and adaptive. This means deploying new features and software in the cloud environment as quickly as possible to maintain their edge. Security can, at times, become a secondary consideration. Ultimately this is about the balance between innovation and security. The risk is that we move so slowly that we stifle innovation, or move so quickly that we don’t effectively mitigate risk.
In the wake of such challenges, there has been a race to develop a set of best practices that can account for such egregious oversights. The stable security perimeter of legacy institutions is being replaced by an amorphous multi-cloud environment subject to constant change. Attempts to extend traditional security approaches have increased complexity and reduced visibility. How, then, do we proceed?
Process: shift left and continually improve
As with every other enterprise-level system connected to the internet, cloud instances must be built with security in mind. Rushing to set up an enterprise cloud and planning on returning to develop the security later is planning for failure. Retroactive security measures are never as effective, and organizational friction often slows or prevents implementation.
All major cloud providers offer robust best practices, implementation guides, and wizards to help set things up correctly. In the race for cloud adoption, sometimes implementations are rushed to meet business objectives, but this is not a corner that can be cut safely. Cloud architects and security teams must take the time to set things up with security in mind from day one — and keep it in mind as they move forward.
Software companies will be well aware of the CI/CD pipeline — continuous improvement and continuous development. The CI/CD pipeline enables developers to build, test, and incorporate changes to code more frequently, producing better quality code that can be deployed automatically. However, this pipeline only works if the software/service architecture is built to support iterative releases, which makes it critical that precautions are taken during the initial stages of the software development process. Infrastructure as Code (IaC) is a prime example. IaC is designed to make cloud provisioning simpler, faster, and more predictable. However, misconfigurations are practically unavoidable if security is not applied at the IaC layer. This can all be foreign territory for organizations outside the software development industry, but it’s critical to building robust cloud security.
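One way to apply security at the IaC layer, as an added example that is not part of the original article: a CI gate that scans a Terraform plan exported as JSON for wildcard IAM grants and internet-open ingress before anything is deployed. Terraform with the AWS provider is an assumption (the article names no tool), the plan data is constructed, and the function names are hypothetical.

```python
import json
# Constructed sample, shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_iam_policy.app", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"policy": json.dumps({
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_iam_policy.reader", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"policy": json.dumps({
         "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-bucket/*"}})}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.old", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": None}},
]})

def as_list(value):
    """IAM JSON allows a scalar or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [] if value is None else [value]

def check_iam_policy(after):
    doc = json.loads(after.get("policy") or "{}")  # value unknown until apply: skip
    for stmt in as_list(doc.get("Statement")):
        wide = any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("Action")))
        if stmt.get("Effect") == "Allow" and wide and "*" in as_list(stmt.get("Resource")):
            yield "Allow statement grants wildcard actions on Resource *"

def check_security_group(after):
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if {"0.0.0.0/0", "::/0"} & set(cidrs):
            yield f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to the internet"
CHECKS = {"aws_iam_policy": check_iam_policy, "aws_security_group": check_security_group}

def scan_plan(plan_json):
    """Return (address, finding) pairs for planned creates and updates."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        check = CHECKS.get(rc.get("type"))
        if check and after is not None:  # after is null when the resource is deleted
            findings += [(rc["address"], msg) for msg in check(after)]
    return findings

if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN)
    print(*(f"FAIL {a}: {m}" for a, m in results), sep="\n")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI job
```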
That leads us to the second pillar: the people, found in part two.
This was the first in a two-part series on Evolving Security to Meet the Challenges of the Cloud.