Burgeoning Security Risks in the Cloud(s)
Kapil Bareja
Thought Leader focused on creating meaningful adjustments in an environment that is rapidly growing | Global 40-under-40 Cybersecurity | Identity | Cloud Security | Author/Advisor | Investor | Board Member QTE | GCISO |
Is your cloud security posture keeping you awake at night?
The promise of DevSecOps is security that is inherent to every phase of the application lifecycle. This means that security processes are incorporated earlier, commonly called “shift left” security. This implies that security best practices are both known and consistently implemented across all workloads – which in a multi-cloud world can include any number of disparate environments.
Security professionals must, therefore, take a pragmatic approach to risk management. As in many areas of life, a Stoic approach can help make the unmanageable manageable.
I recently moderated a lively discussion between CISOs at an industry event. The prevailing sentiment was that the most effective risk mitigation ensures the basics are in place to strengthen the foundation. External threats are not keeping these professionals awake at night, but missing something within their control (that can result in exposure) is.
“Is this something that is, or is not, in my control?” Epictetus
Multi-Cloud Security Threats
A multi-cloud strategy increases an organization’s ability to adapt quickly to the needs of the business but often also increases complexity and reduces visibility across environments.
The Cloud Security Alliance (CSA) report The Top Threats to Cloud Computing called out eleven threats to cloud computing. Of these, fewer than half were generic threats like account hijacking or insider threat. The rest were specific to visibility, misconfigurations, and a weak control plane.
This reflects a lack of maturity around cloud usage, often a direct result of limited relevant expertise and/or too few people to manage these increasingly complex environments.
The only way for today’s organizations to improve their cloud security posture is to supplement their human expertise with intelligent, automated protections, building security processes that can be incorporated into every stage of the application lifecycle and applied to all cloud workloads and services.
Lack of visibility
Given that you can’t secure what you can’t see, or don’t fully understand, visibility across cloud environments is essential to mitigating cloud security risks. Many providers have tooling to assess the security posture of their own services. However, these tools can result in an incomplete and disjointed view into an organization’s overall posture. And without the context necessary to understand the bigger picture, all issues can look similarly important. This makes it harder to prioritize actionable remediation and can result in critical issues getting lost or ignored in the noise.
Misconfiguration
Misconfigurations are a leading cause of public cloud security breaches. They can be the result of a simple fat-finger error, a lack of best practice awareness, or a lack of resources to ensure consistency. Misconfigurations have always posed a security risk and have proven difficult to eliminate completely. However, in the “always-on, publicly-connected” world of cloud, the potential for – and speed of – exploitation is magnified exponentially.
The Cloud Security Alliance (CSA) report The State of Cloud Security found that 1 in 6 organizations had a public security breach last year due to misconfiguration. Our own analysis of common cloud misconfigurations identified several high-risk violations:
These violations should seem obvious to even the casual observer yet are prevalent enough to indicate a struggle to ensure basic protection consistently across clouds.
Conclusion
The dynamic, distributed, disparate nature of multi-cloud has introduced additional complexity for teams managing security risk. Challenges that were largely resolved in the datacenter, like limited system visibility and identifying misconfigurations, are not only more challenging across clouds but can also result in larger exposure.