Cloud Security: Recentralizing Cybersecurity's Fragmentation

The RSA Conference in San Francisco (April 24-27) is just a week away and cloud security is bound to be a key topic. It is always good to come to such events with particular goals and thoughts in mind to help focus yourself through the bewildering vendor space in this field alone. In this article, I want to highlight a particular trend that is emerging: the re-integration of cybersecurity's fragmentation through cloud security.

Twenty Years of Fragmentation

If you think back twenty years ago, for most organizations, security was done by system administrators. Maybe there was a small dedicated team if you were lucky, but they took care of everything. Information security grew and professionalized, to where we now have different disciplines, certifications, academic programs, and a large cybersecurity industry of tools, solutions and services.

With that, security specialized into distinct areas: product security and AppSec, network security, intrusion detection, endpoint security, malware detection and anti-virus, social engineering and OSINT, vulnerability management, data security and data privacy, threat detection and hunting, security incident management and digital forensics, SIEM and SOAR, penetration testing and red teaming, security compliance and audit, governmental policy and regulation, and security risk management and maturity assessment. The length of that list alone illustrates the fragmentation that specialization has brought about.

Many security teams, at least at larger organizations, are organized along those functions. That has made us certainly more sophisticated, but as the continuous stream of breach reports in the media shows, it hasn't necessarily made us more secure. With all that specialization, we may have failed to see the forest for the trees.

Recentralization Through Cloud Security

One of the most fascinating aspects about cloud security is that these three common sources of security breaches have been repeatedly reported in vendor reports for the past five years:

  1. Cloud infrastructure misconfigurations (e.g. a public storage bucket)
  2. Known vulnerabilities
  3. IAM credentials and secrets leakage

I think a key reason the industry as a whole hasn't got a good grip on these problems is that they fall between the gaps of our specializations. Misconfigurations are managed by policy compliance teams. Vulnerabilities are handled as part of a vulnerability management program. IAM credential leakage falls to security incident response, which is purely reactive.

Meanwhile, the cloud has given developer teams a lot more autonomy and responsibility. With modern CI/CD pipelines and everything-as-code, they also need to take care of secure network and service configuration, manage access control and keys, and deploy any security tooling, on top of securing their code and software supply chain. They are also the ones who have to handle security incident response and recovery. Where in the past different issues went to different teams (network operations, system infrastructure), they now all end up in the same place.


[Diagram: an upward arrow whose segments show the separate security disciplines, backed by asset management and centralized, then split by urgency into compliance and security incident response, only to end up with the same developer team.]

Our fragmentation fails to contextualize security findings. Only when we have good asset inventory discovery and management, enriched with organizational metadata indicating who owns an asset, which organization it belongs to and other context, do we even know whom to direct any findings to. But if each security function sends its own findings and sets its own SLAs, we just bewilder the developer teams with a stream of alerts.

Contextualized, risk-based analysis of findings is critical both to prioritize what is most important and to avoid alert fatigue among security teams and developers alike. This can be done in a SIEM by integrating data from a variety of detection tools, but most of the newer Cloud-native Application Protection Platform (CNAPP) solutions are also very good at risk-based contextualization across a wide range of security capabilities, separating findings you have to deal with right now from those to tackle as part of regular DevOps processes, especially now that CNAPP solutions increasingly integrate with the development process as well.
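The routing the last two paragraphs describe, as an added illustration that is not part of the original article: findings from three separate tools (misconfiguration, vulnerability, leaked credential) are joined to an asset inventory carrying ownership and exposure metadata, scored, and split per owning team into a "now" queue and a DevOps backlog. Every asset, owner, finding and scoring weight below is constructed sample data and an assumption of this example.

```python
"""Contextualize findings from fragmented tools against an asset inventory (example code)."""
from collections import defaultdict

# Constructed inventory: the organizational metadata the article asks for.
ASSETS = {
    "bucket-logs-prod": {"owner": "team-payments", "internet_exposed": True,  "data": "pii"},
    "vm-build-07":      {"owner": "team-platform", "internet_exposed": False, "data": "internal"},
    "role-ci-deployer": {"owner": "team-payments", "internet_exposed": False, "data": "internal"},
}

# Constructed findings, as three separate tools would emit them.
FINDINGS = [
    {"source": "cspm", "asset": "bucket-logs-prod", "kind": "misconfiguration", "severity": "high",
     "title": "storage bucket allows public read"},
    {"source": "vulnscan", "asset": "vm-build-07", "kind": "vulnerability", "severity": "critical",
     "title": "known vulnerability in build agent (placeholder, no real CVE id)"},
    {"source": "secrets", "asset": "role-ci-deployer", "kind": "credential_leak", "severity": "high",
     "title": "long-lived access key committed to repository"},
    {"source": "cspm", "asset": "vm-build-07", "kind": "misconfiguration", "severity": "low",
     "title": "no flow logs enabled"},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def risk_score(finding, asset):
    """Assumed weighting: base severity, doubled if internet-exposed, +2 for PII,
    +2 for a leaked credential because it is usable immediately."""
    score = SEVERITY[finding["severity"]]
    if asset["internet_exposed"]:
        score *= 2
    if asset["data"] == "pii":
        score += 2
    if finding["kind"] == "credential_leak":
        score += 2
    return score

def triage(findings=FINDINGS, assets=ASSETS, now_threshold=4):
    """Return {owner: {"now": [...], "backlog": [...]}}, each list sorted by descending risk.
    Findings on assets missing from the inventory cannot be routed and land in 'unowned'."""
    queues = defaultdict(lambda: {"now": [], "backlog": []})
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None:
            queues["unowned"]["now"].append({**f, "risk": None})
            continue
        score = risk_score(f, asset)
        bucket = "now" if score >= now_threshold else "backlog"
        queues[asset["owner"]][bucket].append({**f, "risk": score})
    for q in queues.values():
        for items in q.values():
            items.sort(key=lambda x: -(x["risk"] or 0))
    return dict(queues)
```

With the sample data, team-payments gets both the public bucket (risk 8) and the leaked key (risk 5) in its "now" queue, while team-platform sees the critical vulnerability now and the missing flow logs in its backlog.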

Perhaps something to keep in mind as you wander the exhibition floor next week.

Christopher Melia

Global Enterprise Consultant | Catalysing Growth and Transformation for Leading Organizations

1 year

José, thanks for sharing!
