Five Key Takeaways to Secure Your Cloud-Based World


This week I joined our Global Service Provider partner of the year British Telecom (BT) for a panel discussion around five key tips to secure a cloud-based world. If you haven’t watched it you can view the replay here.


There were five key areas covered. Many of these may seem simple, and yet the reality often isn't the case. This post is to challenge your business on how you are approaching these topics. Are we learning from our mistakes and adapting fast enough, or is the pace of technology innovation ahead of your cybersecurity innovation?


  1. Securing the cloud is not the same as securing on-premise


From the Unit 42 Cloud threat report for the 1H of 2021 it's clear to see that cybersecurity implementations are struggling to keep pace with business innovation. The last nearly two years have seen most cloud strategies accelerate, and cloud by its nature evolves at pace. As such, the security mindset of “set and forget” simply doesn’t work. Cloud is dynamic, which means the understanding of what to secure, and why, must change.

  • Monitoring must become real time, as processes spool up and down and connections to SaaS processes are made on demand. More critically, where to monitor has to change. Every device is effectively an edge to the cloud world, so understanding your connectivity is no longer a case of monitoring your network; it's monitoring what you connect to from every edge point. Apologies for the technical point here, but not all of that happens in the way you may think, i.e. it doesn’t all happen through the standard web browsing channels.
  • Look from the outside in, as well as the inside out. If a digital process is redundant in your network, it is still within your secured infrastructure. In the cloud, orphaned or broken digital processes leave data and business IP exposed. Therefore, businesses must look from the outside in. Regularly scan the web for orphaned processes, be they ones created and lost by the business or those created by the ever-growing shadow IT in the work-from-home world.


  2. Have a clear understanding of your organisation’s persona and data flows


The cloud sounds like one big space, but the reality is far different: most companies use multiple providers and an increasing array of SaaS applications. This has hamstrung traditional DLP controls, RADIUS (remote authentication servers) and internal credential management systems, which are unable to easily interoperate with all the different cloud processes businesses want to use.


Effectively there is a dichotomy to resolve: the power of cloud is endless opportunity to collaborate, but each tool and each vendor has its own way of doing so. Security thrives on consistency, so to understand personas and information flows, security leaders must find new ways of federating across authentication systems in the cloud; they need a common method of understanding and controlling information flows. I would suggest this raises some key questions:

  • What are the processes and tools that each business uses as its baseline to achieve these requirements?
  • How do these capabilities embrace new requirements as the scale and scope of the cloud grows? This could be through cloud native APIs (integration points) or embedded into the edge connectivity process.
  • How does all this innovation integrate with the legacy environment businesses still have in their internal networks? Plan for the future but don’t forget the past.
  • How do you achieve this? Do you buy it as an outcome (for example, some good SASE (Secure Access Service Edge) offerings will include such capabilities as part of a subscription-based service), or do you have the time and expertise to build this out, maintain and run it as part of your own cyber security capabilities? Will this quickly become a commoditised service? As cyber skills are a scarce resource, is this the best use of your own?
  • Where is your data located? In theory the cloud is global, yet due to cultural nuances, priorities around the rights of data access do change around the globe. It’s important you understand the growing complexities around data sovereignty. This is going to impact which partners you work with in the cloud, where the data can reside and what controls you must wrap around them. Many cyber security executives tell me they are having to become (or I should more accurately describe, “partner with”) legal and regulatory experts.


  3. Security and privacy by design - bake it into your transformation programs


If there is one aspect the cloud has innovated well, it’s automation. As you mature your journey in the cloud, the notion of shift left is for me about how to break development into microsteps that can be continually evolved, using high degrees of automation. This creates the oxymoron: businesses want an open, secured cloud environment. Development teams want the space to innovate; whilst we can and should teach them good security coding practices, we have to remember this is not their primary goal.

All of which means we have to consider the following:

  • Continuous governance - be it an evergreen SaaS application where new capabilities continue to be added, or your own application development in the cloud, being able to assess on an ongoing basis whether you are meeting your regulatory and governance requirements is key.
  • Plan for the future - security portability - over the last couple of years, many businesses accelerated their cloud transformations. Often this has meant the shift is now broken down into multiple phases. Each phase brings with it some specific new security requirements. What you don’t want is to keep buying new capabilities as you evolve. You should invest in security solutions that can be migrated through those phases whilst ensuring they meet the requirements of each phase.
  • Enable real-time assessment, don’t be an inhibitor. Ask a traditional developer what access permissions they need and they would tell you; ask a good DevOps engineer and they should tell you they don’t know, as tomorrow brings new opportunities. As such you must consider how you dynamically verify and enforce this as part of the automated CI/CD pipeline. This means: check what it does and needs and dynamically provide the minimum viable credentials, then when tomorrow a new iteration of the application is built the process is repeated.
  • Leverage automation - be it instigating incremental copies of a cloud workload to handle capacity or DevOps teams continuing to innovate, security tools must be able to leverage real-time governance to identify the changes, and apply the relevant security checks and controls without human intervention. This means leveraging programmatic connection points (often referred to as APIs) that allow security to be a native part of each cloud process. If you are relying on human interaction then it won’t be security by design, it will be security after the fact.
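
One way to run the "check what it does and needs" step as an automated pipeline gate, shown as an added example that is not part of the original post: it compares the permissions granted to a workload with the actions observed while the build's tests ran, and derives the minimum viable set. The action names, resources and the `right_size` and `gate` helpers are hypothetical, and the sample data is constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample: permissions currently granted to the workload's role.
# Action and resource names are hypothetical, not any provider's real ones.
GRANTED = ["storage:GetObject", "storage:PutObject", "storage:DeleteObject",
           "queue:*", "db:Query"]

# Constructed sample: (action, resource) calls recorded while this build's
# integration tests ran, e.g. exported from the provider's audit log.
OBSERVED = [
    ("storage:GetObject", "bucket/reports"),
    ("storage:PutObject", "bucket/reports"),
    ("queue:SendMessage", "queue/jobs"),
    ("storage:GetObject", "bucket/reports"),
    ("secrets:GetValue", "secret/api-key"),  # attempted without a grant
]


def right_size(granted, observed):
    """Compare grants with observed use for one build iteration."""
    used, ungranted = {}, set()
    for action, resource in observed:
        if any(fnmatchcase(action, pattern) for pattern in granted):
            used.setdefault(action, set()).add(resource)
        else:
            ungranted.add(action)  # new need: route to review, never auto-grant
    unused = [p for p in granted if not any(fnmatchcase(a, p) for a in used)]
    overbroad = [p for p in granted if "*" in p and p not in unused]
    # Minimum viable policy: concrete actions only, scoped to resources seen.
    minimal = {action: sorted(res) for action, res in sorted(used.items())}
    return {"minimal": minimal, "unused": unused,
            "overbroad": overbroad, "ungranted": sorted(ungranted)}


def gate(granted, observed):
    """Pipeline gate: pass only when grants match what the build used."""
    report = right_size(granted, observed)
    report["passed"] = not (report["unused"] or report["overbroad"]
                            or report["ungranted"])
    return report


if __name__ == "__main__":
    for key, value in gate(GRANTED, OBSERVED).items():
        print(f"{key}: {value}")
```

Because the gate runs on every build, a permission that tomorrow's iteration stops using shows up as `unused` on that run, and a newly needed one shows up as `ungranted` for review rather than being granted silently.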


  4. Understand changed risks and strengthen detection


It's undeniable that in the cloud your attack surface has the potential to grow at pace, as well as change at pace. What doesn’t change is that not all processes are created equal. My own personal experience is that the cloud has driven many organisations' desire to understand and implement Zero Trust strategies. In other words, be able to identify what your critical digital processes are, look at how you reduce the attack surface around them, and ensure they receive the focused security monitoring and logging they deserve. What can make this more complex is everything we have discussed in the previous tips, as well as security now being a shared model in many instances. A notion that seems simple in theory, but in practice takes all the visibility, consistency and automation capabilities also mentioned above.


Businesses need to make this all visceral. I would challenge you on how you make this happen in your organisation. My guidance: test, train, test, train, test, train. Zero Trust is a useful ally here: if you can understand what your critical cloud processes are, consider how you test their resilience. Include cross-functional teams in fire drill exercises. What happens if it's hit by ransomware, what happens if the service is down (yes, that does still happen in the cloud), what happens if someone in the supply chain process is compromised? This should be a double win: by including different teams and your exec staff in these drills you raise their awareness of the risks, and more critically you test your business's skills and capabilities to be resilient to both old and new risks.


I want to reinforce here: look at where you should leverage your own skills and strengths and where you leverage external services and capabilities. Which is a nice segue to highlight the final tip:


  5. Don’t be afraid to ask for support to achieve your cloud transformation.


Most of us have areas of specialism. Palo Alto Networks is developing cybersecurity capabilities. We are not experts in building and running global cloud infrastructures, so we partner with those that are, such as GCP, AWS, Azure. Likewise, we are not experts in building cloud delivered services, but again, we partner with companies such as BT that are. We live in a world that is increasingly outcome driven with expectations on time to delivery becoming ever shorter. If you want to get ahead you probably haven’t got the time to become experts, so lean on the experts that can help you. But rather than looking at capabilities, focus on deliverable outcomes and who can partner with you to deliver the secured cloud capabilities in the way you require.


Summary

Cloud provides every business with new business and operational efficiency opportunities. Whether you are consciously aware of it or not, clouds also create new conflicts and frictions. DevOps teams focus on different goals and metrics, such as pace of change, innovation and time to market. Security teams like consistency, risks we can quantify and applying measured risk controls. This paradox of goals has time as a common element. Cloud is complex, there’s no escaping the fact. This leads to more security telemetry, which requires more security effort to manage, yet the time to act is shrinking. I hope that these five steps give some clear structure on how you can ensure the cyber time paradox isn’t inhibiting your opportunities to leverage the cloud.


And remember, what's invaluable is the number of skilled partners that are willing to help you learn along the journey.


What has been your biggest takeaway along your cloud journey? I’d love to hear from you.

Manohar Lala

Tech Enthusiast| Managing Partner MaMo TechnoLabs|Growth Hacker | Sarcasm Overloaded

2 years

Greg, thanks for sharing!

Shirley Wardle

British/Australian Business Executive, Franchise Owner & Entrepreneur

3 years

It was such a pleasure speaking with you Greg Day and Phil Packman... 3 words keep resonating in my mind.... Visibility. Simplify. Automate... oh and I shouldn't forget test & train. Fantastic advice and insights both!
