Talking Cloud Security with the OWASP Community
Last week I had the opportunity to speak at the Bay Area chapter meetup of the Open Web Application Security Project (OWASP) for the second year in a row. Last year I presented on “The Role of Natural Language in Cyber Security.”
This year, my talk reflected what we’ve been seeing working with our customers and talking with friends in the industry: “The Changing World of Security as We Go to the Cloud.”
While 2018 and 2019 had a lot of talk about moving to the cloud, this year is when the move is becoming a reality. And very few people on the front lines implementing the move to the cloud fully understand how radically different it is from an on-prem world.
We commonly see people looking to apply the frameworks they’ve successfully used over the course of their on-prem career to the world of the cloud. They eventually find out that it isn’t going to work. Especially when it comes to security.
Part of the reason I like speaking at OWASP events is they are a good forum to be open and honest about the challenges we are facing in security; we should all be working together and learning from each other.
A good portion of my talk is on how we are moving from the on-prem world of security to the cloud world of security. We are past focusing on securing the perimeter and must now make sense of and secure distributed infrastructure not owned by or fully managed by us. Reach out and I’d be happy to discuss this further in detail.
I saw some friends in the crowd so I pulled security experts Jack Maynard and David Hua up with me on stage for an impromptu Q&A. They are both security practitioners who I respect deeply and they work diligently to be at the forefront of the industry when it comes to cloud security. They shared some of their recent experiences of bringing companies up to speed in cloud security and just how difficult it can be to show someone a new way of thinking about security when they’ve spent their entire careers doing certain things in certain ways. There’s still a big knowledge gap throughout the industry that many are not talking about.
IT no longer rules the world. Engineers can spin up an instance at the snap of their fingers, and the last thing on most engineers’ minds is security. Everyone from chemical companies to banks is now an IT company with web applications in the cloud that are used both internally and externally. There are a lot more moving pieces. Endpoint and access controls still matter, but today we need to be looking at data security, web application security, container security, and emerging gaps that are well beyond a perimeter-based approach to security.
The education element is huge. Now is a great time to re-educate people. In this new world, there are lots of choices to use cloud-native products, yet time and again I see people installing their Palo Alto Firewalls into their cloud instances when this is something cloud vendors can handle. We also need to rethink what data is most important for us to secure and how we organize and prioritize it, because not all data is the same.
I feel these candid discussions need to happen more frequently because no one should feel like they are alone in figuring out the new world of cloud. We are a community all working towards a common goal. In 2020, I hope to continue working with OWASP and others to spread the message that we are better together as we move to the cloud.
Cybersecurity Executive | Published Author | Advisor | Building the Future
4 years ago
Couldn’t agree more, Grant, and it’s great to see you out there talking about this!