The Mindset for Cloud Security

Cloud Security requires fresh thinking blended with traditional approaches to Cybersecurity. The Cloud offers deeply nuanced, varied technologies demanding specialized expertise in order to design proper functionality and an effective security posture. Hybrid organizations, those with both a premises-based and Cloud-based technology stack, have an even greater challenge. Aside from the technical challenges in properly stitching things together “so they work,” and then securing that patchwork quilt, the greater challenge is knowledge. And dare I say - Wisdom.

Cloud Security requires the Mindset of Wisdom. You must be capable of thinking beyond risk exercises, annual compliance drills, siloed discussions and instead draw on abstract thinking about the operating functions of the workloads in use relative to a given security control. The nature of the function, and its relation to the entire ecosystem within the Cloud to deliver outcomes through applications, is key to evaluating where they exist within the concept of Cybersecurity. Moreover, you must have the technical visibility and aptitude to glean this context and derive insights and inferences. Yet, across all of these functions the traditional theme of security concepts (i.e. domains) can still be applied.

For example, while access control might technically look and operate very differently, the concept, and hence the security domain remains the same: principle of Least Privilege for access management. The capability to measure the effectiveness of this principle is the challenge, and that's where Wisdom combines with humility to learn new skills to secure this expanding frontier. Learn how to think through specific notions across the vastly complex landscape of Cloud workloads, and you’ve significantly reduced your risk exposure in greater ways than compliance can ever provide. Expert Wisdom is required to stitch together knowledge of function in order to apply purpose and priority for a given security control.

The effectiveness of these security controls can be measured by various frameworks, and we call that compliance. External Auditors evaluate adherence to that “compliant posture”, and essentially validate and vouch for the security posture - at that one point-in-time! Unfortunately, organizing around common security themes as foundational concepts routinely sits in the backseat and compliance becomes the driver (and designer) of the security program. It’s a good starting point, but it can easily lull organizations into an extreme false sense of security, and quite frankly lackadaisical approach to their security posture. Instead, the design phase for every single workload should include the security domains as part of a DevSecOps practice that I’ve written about in other articles. They should be routine considerations in all design iterations, and if done well, compliance mapping and validation is a relatively easy chore.

This is much more effective than marching to the beat of the Auditor’s drum! Do this, and you’ll be the one setting the cadence when they show up, not the Auditors, and ultimately, you'll have a more secure posture. The goal here is to embed security into your Cloud Security designs, build with a continuous improvement process, and routinely test the soft underbelly of assumptions about a given security posture. In exactly the same way applications are built for business outcomes (e.g., earn revenue) and are constantly iterated upon with new features, Cybersecurity is a critical business function that also requires iteration and steady evolution. All too often the greatest mistake is thinking of security with a “set and forget” mindset, and this is exactly the behavior compliance drives.

Wisdom combines knowledge of traditions, humility and receptivity to learning, growing, and applying knowledge to a new context. The technological implementation and enforcement of Cybersecurity in the Cloud or hybrid models requires vastly different technical skill sets. While they can be learned, due to the complexity and ease of mistakes, consider short-term augmentation for your engineering teams. These external teams offer ranges of services from deeply technical architectural reviews to building a DevSecOps practice in parallel with your engineering team. Your teams can learn from these short-term expert engagements, and your security posture will be greatly enhanced with this augmentation of expert knowledge to feed your teams growth into Cloud Wisdom. It's a short-term investment for a long-term payout in repeatable, enforceable, and customized approaches to securing your Cloud and Hybrid workloads.

How do you measure, manage, and validate your Cloud security posture?