Outsourcing = Cloud Security Nirvana?
A common refrain I hear when I speak with customers about how they manage the security of their cloud environments is that they have outsourced their cloud management to a managed service provider, so nothing will ever go wrong. I'm not a betting man, but I would take a safe bet against this position knowing Murphy's law is on my side. Most customers suffer a cloud breach because of simple operational mistakes - proving the analysts right over and over again.
Outsourcing cloud management and operations to specialist service providers is almost a no-brainer for most organisations. Without this kind of support, many organisations would struggle to execute any of their cloud projects, since skills are always in short supply. Service providers also bring expertise, frameworks and best practices, including cloud security hygiene. So why are breaches in the cloud still such a common occurrence?
Much of the focus when embarking on a cloud project, or on cloud adoption in general, is on cost optimization, agility and time to market - all of which are crucial to a successful cloud transformation. This is especially true for customers moving from rigid, slow-to-scale private data centres and slow-to-change monolithic applications to the cloud. The issue is certainly not missing pieces of technology, model frameworks, regulatory guidelines or even best practices. So where is the problem?
There is a fundamental issue with how organisations define (or, more commonly, don't define) their security policy, standard operating procedures and escalation / approval matrix when it comes to cloud operations and security. Let's just call these cloud security "guard rails" (pun intended with the image above) that keep internal teams and the cloud management vendor from making costly mistakes. Outsourcing cloud operations does not absolve organisations from defining these guard rails, since the cloud environment and the data are owned by them and not by the managed service provider. The guard rails also need to be enforced, so that everyone follows them and exceptions are granted only by the right authority and leave a full audit trail.
So we come back to the original question - if organisations have outsourced their cloud operations because of a lack of expertise, how can they possibly define these guard rails? Some of this is just common sense and can be transposed from your existing on-premise environment. For example, all network communication must be secured with a next generation firewall - would you host anything in your data centre without one? Critically analyse the firewall capabilities natively available in your cloud environment to see what is missing. Is that enough? Not really. When you move to the cloud you get a fully software defined environment, so even your next generation firewall can be bypassed by an operational mistake or misconfiguration: a route table or security group changed by a single API call can send traffic around the firewall entirely, with no cable to unplug and nobody in the data centre to notice. Your cloud environment also comes with fine grained security controls aimed at ensuring your environment and data are safe. They are not, however, turned on by default - and for a good reason - no two customers have identical environments or architectures. So what is needed is a careful selection of best practices and a decision on how they should apply to your environment.
All of this may sound very daunting, so I would start with this free repository of rules, which can be used to gauge the kind of checks you should have in place. The process becomes easier with the adoption of CSPM products like CloudGuard, where you have ready libraries of best practices and guard rails which are easy to understand (plain English sentences), customise and define to fit your organisational standards and architecture. CloudGuard also allows you to visually inspect your cloud environment, automate compliance with your selected standards and detect network, user or service anomalies, mapped to relevant frameworks like MITRE ATT&CK.
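To make the guard-rail idea concrete, here is an added example (not code from this post, from CloudGuard or from any rules repository) of what a minimal codified check looks like: a handful of best-practice rules run over a cloud inventory, an exception register that only suppresses a finding when the exception names an approver and a change ticket, and an audit trail that records every decision. The inventory, the rule identifiers, the exception entries and the assumption that firewall routes have targets named "fw-..." are all constructed for illustration.

```python
"""Minimal guard-rail evaluator: codified best-practice checks over a cloud
inventory, with approved exceptions and an audit trail.

Added example for illustration only; not code from the post, from CloudGuard
or from any rules repository. Inventory, rules, exception register and the
"fw-" naming convention for firewall routes are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory, shaped like a simplified cloud API listing.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "rules": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
    ],
    "buckets": [
        {"name": "public-assets", "public": True, "encrypted": True},
        {"name": "customer-exports", "public": True, "encrypted": False},
    ],
    "route_tables": [
        {"id": "rt-app", "routes": [{"dest": "0.0.0.0/0", "target": "fw-ngfw"}]},
        {"id": "rt-legacy", "routes": [{"dest": "0.0.0.0/0", "target": "igw-main"}]},
    ],
}

# Constructed exception register keyed by (rule id, resource id). An exception
# only counts if it names an approver and a change ticket.
EXCEPTIONS = {
    ("SG-01", "sg-bastion"): {"approver": "ciso", "ticket": "CHG-1042",
                              "reason": "break-glass bastion, MFA enforced"},
    ("STG-01", "public-assets"): {"approver": "", "ticket": "CHG-1050"},  # no approver
}

ADMIN_PORTS = {22, 3389}
# Assumed internal address space (RFC 1918); anything outside it is internet-facing.
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    detail: str


def is_internet_facing(cidr: str) -> bool:
    """True unless the CIDR lies entirely inside an assumed internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL)


def rule_no_admin_ports_from_internet(inv):
    for sg in inv["security_groups"]:
        for r in sg["rules"]:
            if r["port"] in ADMIN_PORTS and is_internet_facing(r["cidr"]):
                yield Finding("SG-01", sg["id"], f"port {r['port']} open to {r['cidr']}")

def rule_no_public_buckets(inv):
    for b in inv["buckets"]:
        if b["public"]:
            yield Finding("STG-01", b["name"], "bucket is publicly readable")

def rule_buckets_encrypted(inv):
    for b in inv["buckets"]:
        if not b["encrypted"]:
            yield Finding("STG-02", b["name"], "no encryption at rest")

def rule_default_route_via_firewall(inv):
    # The software-defined bypass from the text: a default route that skips the firewall.
    for rt in inv["route_tables"]:
        for route in rt["routes"]:
            if route["dest"] == "0.0.0.0/0" and not route["target"].startswith("fw-"):
                yield Finding("NET-01", rt["id"], f"default route bypasses firewall via {route['target']}")

RULES = [rule_no_admin_ports_from_internet, rule_no_public_buckets,
         rule_buckets_encrypted, rule_default_route_via_firewall]


def evaluate(inventory, exceptions):
    """Run every rule; return (open findings, audit trail). A finding is
    suppressed only by an exception with both approver and ticket; an
    incomplete exception is rejected, logged, and the finding stays open."""
    open_findings, audit = [], []
    for rule in RULES:
        for f in rule(inventory):
            exc = exceptions.get((f.rule, f.resource))
            entry = {"rule": f.rule, "resource": f.resource, "detail": f.detail}
            if exc and exc.get("approver") and exc.get("ticket"):
                audit.append({**entry, "status": "excepted",
                              "approver": exc["approver"], "ticket": exc["ticket"]})
                continue
            if exc:
                audit.append({**entry, "status": "exception_rejected",
                              "why": "missing approver or ticket"})
            open_findings.append(f)
            audit.append({**entry, "status": "open"})
    return open_findings, audit


if __name__ == "__main__":
    findings, trail = evaluate(INVENTORY, EXCEPTIONS)
    for f in findings:
        print(f"OPEN  {f.rule:7} {f.resource:17} {f.detail}")
    for a in trail:
        if a["status"] != "open":
            print(f"AUDIT {a['rule']:7} {a['resource']:17} {a['status']}")
```

Run as-is, the bastion's SSH exposure is suppressed because its exception carries an approver and a ticket, the public-assets bucket stays open because its exception has no approver, and the legacy route table surfaces as a firewall bypass. The point is the shape rather than the specific rules: every rule is a plain statement of a standard, every exception has an owner, and every decision is logged, which is what an organisation still has to supply even when the day-to-day operations are outsourced.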
Parting thought - cloud environments are meant to be flexible and ever changing, so unfortunately there is no such thing as cloud security nirvana. However, you can take a break and read that newspaper knowing you have a fully automated solution that keeps an eye on your cloud environment for you.
Director at Oracle, 4 years ago: Hear more about this in an upcoming webinar. Please share if you find this topic interesting: https://www.dhirubhai.net/posts/ashishtandon20_outsourcing-of-cloud-operations-cloud-security-activity-6729689640355282944-c3Vt
Delivery Director at iLink Digital, 4 years ago: Continuous improvement and changes in cloud technology: nirvana is a dream for the customer and even for the service provider.