“My people are overworked! We are understaffed! And you keep increasing the attack surface!!!” Thus said every security person ever. To a large degree, the words ring true. Organizations are adopting new technologies that widen the attack surface for their already strained security teams. As bad as that is, it is simply the natural evolution of business: organizations must service their technical debt while reaching out to take advantage of the next generation of technologies. Enterprises also need to become more agile and responsive. Not only is the attack surface expanding — the business side wants IT to move faster.
“According to ESG research, 51 percent of organizations report having a ‘problematic shortage’ of cybersecurity skills in 2018. This is up from 45 percent in 2017. This skills shortage has multiple implications. Organizations do not have the right sized teams, and operate in a perpetually understaffed mode. Often, the cybersecurity team lacks some advanced skills in areas like security analytics, forensic investigations or cloud computing security, putting more pressure on the most experienced staffers to pick up the slack.” – CSO Online FEB 6, 2018
Security people are being pushed back on their heels, and the rest of the business is only making it worse. So, where is the “hidden opportunity” in all of this?
What the Cloud Offers Organizations That Is Different
Part of the “hidden opportunity” for security professionals is to take a step back and re-evaluate how they approach security in their organizations. Moving to the public cloud can be their catalyst. Done correctly, organizations first return to the capabilities that define their security posture, and only then determine how those capabilities will be delivered in the public cloud.
This focus on capabilities also helps enterprises understand which security standards and regulatory obligations actually apply to them. When organizations go to the capabilities level, the conversation moves away from “how can I move a security tool out to the public cloud?” to “what is the capability I am trying to satisfy?” Essentially, the organization gets to rethink its security approach. Most importantly, it gets to try new methods and approaches that embrace next-generation security. Are you smelling the “hidden opportunity”?
Capabilities in the Public Cloud
It does not matter which public cloud you are moving to. Capabilities, by definition, describe what you are trying to accomplish from a technology perspective — or for our purposes, from a security perspective. How you accomplish those security capabilities is a downstream event; therefore, the consideration of security capabilities should always be cloud agnostic. The focus on security capabilities is also not just for a move to public cloud. It holds true for any technology move, whether it involves IoT, SAP, private cloud or any other shift you can think of. Those situations are not relevant to this conversation, but they are important when planning for the future.
What Bubbles Up?
When designing a secure public cloud environment, certain aspects bubble up as most important. This does not mean that other aspects are unimportant; they just play a smaller role in achieving your overall security goal (or paradigm) in the cloud, and are less influential in creating the “hidden opportunity.”
Here are the primary security-related stances you should adopt in every public cloud move. They align with the guiding security principles you should consider within your organization:
1. Assume You Have Been Breached
In this model, it is not a matter of if you will be breached — it is a matter of when. This sets the table for the organization to start from a completely different mindset. It is one focused on both minimizing the opportunities for a breach, and making sure that, if a breach occurs, all the processes involved are mature enough to enable fast remediation. For more detail, read Stuart Stent’s article on why you should assume that you have already been breached.
2. Tag Everything
Tagging is your keystone. Tags are the metadata (owner, environment, data classification, cost centre) that gives you visibility in these fast-changing environments. In the ephemeral world of cloud, an instance ID in a log may belong to a machine that no longer exists; its tags are what still let you tie that log line to a team, a purpose and a data sensitivity, across the countless log sources from either the environments or the tools watching those environments. Enforce tags at creation time, so that an untagged resource is a finding rather than a mystery.
3. Encrypt Everything
Encryption is inexpensive, relatively simple and absolutely necessary. In any public environment it is a given that you must understand your data and protect it accordingly. There are implications to having your data hosted somewhere else, so identify, classify and secure it appropriately. By encrypting everything, you give yourself a safety net for misclassified data, you keep every data type confidential at rest, and you keep the ability to crypto-shred (destroy the key, so that everything it protected becomes unrecoverable), either with the cloud service provider (CSP) or on your own terms, on premises, in a bring your own key (BYOK) scenario. Two caveats: crypto-shredding is only on your terms if you hold the key, so know who can use and who can delete every key-encryption key; and encryption at rest does nothing against an identity that is already permitted to decrypt, so restrict and log key use as carefully as the data itself. The bottom line is: if you do not encrypt at this point, you are subjecting yourself and your organization to real risk when you are in a public cloud.
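Envelope encryption and crypto-shredding, as an added example (illustrative code written for this edit, not code from the original article and not any provider's KMS API): every object gets its own data encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that lives in an in-memory stand-in for a KMS or on-premises HSM, and shredding the KEK makes every object wrapped under it unrecoverable even though the ciphertext and the wrapped DEK remain in storage. The key ID and the sample record are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a KMS or on-premises HSM holding key-encryption keys (KEKs).
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// CreateKEK generates a fresh 256-bit KEK under the given ID.
func (ks *KeyStore) CreateKEK(id string) { ks.keks[id] = randBytes(32) }

// Shred zeroes and forgets a KEK; every DEK wrapped under it is now unrecoverable.
func (ks *KeyStore) Shred(id string) {
	for i := range ks.keks[id] {
		ks.keks[id][i] = 0
	}
	delete(ks.keks, id)
}

// Envelope is stored next to the object: KEK ID, wrapped DEK, nonces, ciphertext.
type Envelope struct {
	KEKID                 string
	WrapNonce, WrappedDEK []byte
	DataNonce, Ciphertext []byte
}

// randBytes fails hard: a broken CSPRNG is not something to continue past.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM; key sizes are fixed by construction, so failure is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// aeadSeal encrypts with a fresh random nonce and returns nonce and ciphertext.
func aeadSeal(key, plaintext, aad []byte) (nonce, ct []byte) {
	g := gcmFor(key)
	nonce = randBytes(g.NonceSize())
	return nonce, g.Seal(nil, nonce, plaintext, aad)
}

// Encrypt: per-object DEK, object sealed under the DEK, DEK wrapped under the KEK.
func (ks *KeyStore) Encrypt(kekID string, plaintext []byte) (*Envelope, error) {
	kek, ok := ks.keks[kekID]
	if !ok {
		return nil, errors.New("unknown or shredded KEK: " + kekID)
	}
	dek := randBytes(32)
	aad := []byte(kekID) // binds both ciphertexts to the KEK they were issued under
	dn, ct := aeadSeal(dek, plaintext, aad)
	wn, wrapped := aeadSeal(kek, dek, aad)
	for i := range dek { // the plaintext DEK must not outlive this call
		dek[i] = 0
	}
	return &Envelope{KEKID: kekID, WrapNonce: wn, WrappedDEK: wrapped, DataNonce: dn, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK and opens the object; after Shred neither step can succeed.
func (ks *KeyStore) Decrypt(e *Envelope) ([]byte, error) {
	kek, ok := ks.keks[e.KEKID]
	if !ok {
		return nil, errors.New("KEK unavailable (shredded?): " + e.KEKID)
	}
	aad := []byte(e.KEKID)
	dek, err := gcmFor(kek).Open(nil, e.WrapNonce, e.WrappedDEK, aad)
	if err != nil {
		return nil, err // wrong KEK, or the wrapped DEK was tampered with
	}
	return gcmFor(dek).Open(nil, e.DataNonce, e.Ciphertext, aad)
}

func main() {
	ks := NewKeyStore()
	ks.CreateKEK("customer-data-2018")
	env, _ := ks.Encrypt("customer-data-2018", []byte("constructed sample record"))
	pt, _ := ks.Decrypt(env)
	ks.Shred("customer-data-2018")
	_, err := ks.Decrypt(env)
	fmt.Printf("before shred: %q\nafter shred: %v\n", pt, err)
}
```

The design point is that the KEK never touches the bulk data and the DEK never leaves the process in the clear: rotating or shredding is an operation on one small key, not on every object in storage. In a BYOK deployment the KeyStore is the component you keep on premises or under your own KMS policy, and the audit trail of who called Encrypt, Decrypt and Shred against it is as sensitive as the data.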
4. Log Everything
Logs are your buckets of visibility. Log both successes and failures, and use them to understand where you stand in your environment. Control access to those logs with roles and grant access accordingly; keep them in a central, write-once location so that an attacker who gets into one account cannot quietly edit them away. Finally, review the logs themselves continuously (that is what alerting is for), and audit at least annually what you log, how long you retain it and who can read it.
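Tagging and logging work together, and the following is an added example (illustrative code written for this edit, not code from the original article or from any cloud provider's SDK) of what that looks like in practice: a constructed resource inventory keyed by the identifier that appears in audit logs, a check for missing mandatory tags, and an enrichment pass that joins each JSON log line to its resource's tags and assigns a triage severity. The tag keys (owner, environment, data-classification), the severity ranking, the resource names and the log lines are all assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Mandatory tag keys. Assumption: these three are the organization's minimum.
var requiredTags = []string{"owner", "environment", "data-classification"}

// Inventory maps a resource identifier (as it appears in logs) to its tags.
// A real inventory comes from the provider's API; this one is constructed.
type Inventory map[string]map[string]string

// MissingTags reports which mandatory tags a resource lacks. A resource that is
// not in the inventory at all is missing everything: it cannot be attributed.
func (inv Inventory) MissingTags(resource string) []string {
	tags := inv[resource] // nil map reads are safe in Go
	var missing []string
	for _, k := range requiredTags {
		if strings.TrimSpace(tags[k]) == "" {
			missing = append(missing, k)
		}
	}
	return missing
}

// Event is the subset of an audit-log record used here.
type Event struct {
	Time     string `json:"time"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Result   string `json:"result"` // "success" or "failure": both are logged
}

// Enriched is the event joined with the resource's tags plus a triage severity.
type Enriched struct {
	Event
	Tags     map[string]string
	Severity string
}

// Enrich joins each JSON log line to the inventory and assigns a severity a SIEM
// rule could key on. The ranking is an assumption for the example: a failure on
// restricted data is high, an unattributable resource is medium, a failure in
// prod is medium, everything else is low.
func Enrich(inv Inventory, lines []string) ([]Enriched, error) {
	var out []Enriched
	for _, l := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(l), &ev); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", l, err)
		}
		tags := inv[ev.Resource]
		sev := "low"
		switch {
		case tags["data-classification"] == "restricted" && ev.Result == "failure":
			sev = "high"
		case len(inv.MissingTags(ev.Resource)) > 0:
			sev = "medium"
		case tags["environment"] == "prod" && ev.Result == "failure":
			sev = "medium"
		}
		out = append(out, Enriched{Event: ev, Tags: tags, Severity: sev})
	}
	return out, nil
}

// Untagged lists, sorted, every resource seen in the logs that fails the tag
// check: the work queue for whoever owns tag hygiene.
func Untagged(inv Inventory, events []Enriched) []string {
	seen := map[string]bool{}
	for _, e := range events {
		if len(inv.MissingTags(e.Resource)) > 0 {
			seen[e.Resource] = true
		}
	}
	var out []string
	for r := range seen {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// Constructed sample data for the example.
var sampleInventory = Inventory{
	"bucket/customer-exports": {"owner": "data-team", "environment": "prod", "data-classification": "restricted"},
	"vm/web-01":               {"owner": "web-team", "environment": "prod", "data-classification": "internal"},
	"vm/scratch-7":            {"environment": "dev"}, // owner and classification never set
	// "bucket/tmp-uploads" is deliberately absent: created outside the pipeline
}

var sampleLogLines = []string{
	`{"time":"2018-02-06T10:00:01Z","action":"GetObject","resource":"bucket/customer-exports","result":"failure"}`,
	`{"time":"2018-02-06T10:00:02Z","action":"StartVM","resource":"vm/web-01","result":"success"}`,
	`{"time":"2018-02-06T10:00:03Z","action":"PutObject","resource":"bucket/tmp-uploads","result":"success"}`,
	`{"time":"2018-02-06T10:00:04Z","action":"StopVM","resource":"vm/scratch-7","result":"failure"}`,
}

func main() {
	events, err := Enrich(sampleInventory, sampleLogLines)
	if err != nil {
		panic(err)
	}
	for _, e := range events {
		fmt.Printf("%-6s %-9s %-24s owner=%q\n", e.Severity, e.Action, e.Resource, e.Tags["owner"])
	}
	fmt.Println("needs tagging:", Untagged(sampleInventory, events))
}
```

Running it prints one line per event with its severity and owner, then the resources that still need tagging. The useful property is that the untagged bucket surfaces as a finding from the logs themselves, which is how you discover resources created outside your pipeline.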
5. Life Is Difficult Enough in the World of Identity
Federate into your CSP, and maintain access in your identity source of truth. Do not try to maintain users in yet another source. Use clean roles for role-based access control (RBAC). Reaffirm your role maturity on premises; if you do RBAC badly on premises, start fresh in the public cloud. And absolutely use privileged access management in the cloud: as organizations already know, most problems begin with elevated access. Lastly, cloud is a nonstarter without multi-factor authentication (MFA). Enable MFA on root access, treat the root account as break-glass only, and enable MFA on every other privileged identity in the cloud.
6. Continuous Compliance Continuously
You do not own everything in the public cloud (the CSP runs the underlying platform), but what you do own, you should know intimately and continuously. That means taking advantage of existing cloud-native or third-party compliance tooling for the CSP on the cloud infrastructure, to watch for things like unencrypted or publicly readable buckets. You need compliance measures in the image pipeline, on instances and around your data. All this visibility should be combined with automated actions, so that routine findings are fixed at the velocity the cloud should be giving you.
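The identity and continuous-compliance points above, as one added example (illustrative code written for this edit, not code from the original article and not tied to any provider's API): a provider-neutral inventory of buckets, principals and machine images is run through a small rule set, and every finding carries the automated action that would be enqueued for it. The attribute names, the rules, the action names and the sample inventory are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Resource is a provider-neutral view of one cloud object. Attr holds what the
// CSP API reported, normalised to strings; the keys are assumptions here.
type Resource struct {
	ID   string
	Kind string // "bucket", "principal" or "image"
	Attr map[string]string
}

// Rule flags a resource of one kind; Action is the automated remediation to
// enqueue so that a human is not in the loop for the routine cases.
type Rule struct {
	Name   string
	Kind   string
	Failed func(r Resource) bool
	Action string
}

// Finding is one non-compliant resource against one rule.
type Finding struct{ Rule, Resource, Action string }

var rules = []Rule{
	{"bucket-unencrypted", "bucket",
		func(r Resource) bool { return r.Attr["default-encryption"] != "enabled" },
		"enable-default-encryption"},
	{"bucket-public", "bucket",
		func(r Resource) bool { return r.Attr["public-access"] == "allowed" },
		"block-public-access"},
	// Root and every privileged principal must have MFA; local (non-federated)
	// users belong in the identity provider, not in the CSP. Root is the one
	// account that cannot be federated away, so it is exempt from that rule.
	{"privileged-without-mfa", "principal",
		func(r Resource) bool {
			privileged := r.Attr["root"] == "true" || r.Attr["privileged"] == "true"
			return privileged && r.Attr["mfa"] != "enabled"
		},
		"disable-console-and-keys-then-page-oncall"},
	{"local-user-not-federated", "principal",
		func(r Resource) bool { return r.Attr["source"] == "local" && r.Attr["root"] != "true" },
		"disable-and-migrate-to-idp"},
	// Image pipeline: only signed images that passed the vulnerability scan may deploy.
	{"image-unapproved", "image",
		func(r Resource) bool { return r.Attr["signed"] != "true" || r.Attr["scan"] != "pass" },
		"block-deploy"},
}

// Evaluate runs every applicable rule over the inventory and returns findings
// sorted by resource then rule, so that consecutive runs diff cleanly.
func Evaluate(inventory []Resource) []Finding {
	var out []Finding
	for _, r := range inventory {
		for _, rule := range rules {
			if rule.Kind == r.Kind && rule.Failed(r) {
				out = append(out, Finding{rule.Name, r.ID, rule.Action})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Resource != out[j].Resource {
			return out[i].Resource < out[j].Resource
		}
		return out[i].Rule < out[j].Rule
	})
	return out
}

// ActionsByResource groups the remediation queue per resource.
func ActionsByResource(findings []Finding) map[string][]string {
	q := map[string][]string{}
	for _, f := range findings {
		q[f.Resource] = append(q[f.Resource], f.Action)
	}
	return q
}

// Constructed sample inventory for the example.
var sampleResources = []Resource{
	{"bucket/exports", "bucket", map[string]string{"default-encryption": "enabled", "public-access": "blocked"}},
	{"bucket/legacy-logs", "bucket", map[string]string{"default-encryption": "disabled", "public-access": "allowed"}},
	{"principal/root", "principal", map[string]string{"root": "true", "mfa": "disabled", "source": "local"}},
	{"principal/alice", "principal", map[string]string{"privileged": "true", "mfa": "enabled", "source": "federated"}},
	{"principal/svc-deploy", "principal", map[string]string{"privileged": "true", "mfa": "disabled", "source": "local"}},
	{"image/web-2018-02", "image", map[string]string{"signed": "true", "scan": "pass"}},
	{"image/web-2018-01", "image", map[string]string{"signed": "true", "scan": "fail"}},
}

func main() {
	for _, f := range Evaluate(sampleResources) {
		fmt.Printf("%-26s %-22s -> %s\n", f.Rule, f.Resource, f.Action)
	}
}
```

Each rule pairs a check with the action to enqueue, and the output is sorted so that a scheduled run can be diffed against the previous one; "continuous" then means the diff is empty until something drifts. The root finding shows why MFA on root is a separate line item from federation: root cannot be moved into the identity provider, so the only acceptable state for it is MFA-enabled and unused.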
7. Keep Bad Habits On Premises
You have had 20 years to do things right on premises. You know your technology inside out, and therefore know where the bodies are buried. If you are not doing something great on premises, please, please, please, do not bring that challenge to the cloud. Cloud is your moment to rethink the following processes:
- Image management
- Configuration management
- Change management
- Patch management
- Identity and access management
- And much, much more
We hesitate to mention automation, but in each one of these areas it is a key component. If you are not using automation in the cloud, you will not be able to scale securely. It is that simple.
What Is All This About a “Hidden Opportunity”?
Scoping out security in the cloud shows you what is possible on premises. The “hidden opportunity” lies in the premise that if organizations can prove security effectiveness and efficiency in a public cloud environment, they can translate those good habits on premises.
You have abstracted your security approach and applied it to the cloud. You have shown that you can achieve automation, secure deployment pipelines, immutable infrastructure, continuous compliance and consistent protection of data, all in the cloud. Now, by applying these same approaches on premises, you upgrade your overall security ecosystem and free up time for your overburdened security resources; your team will no longer be overworked and understaffed, and as security professionals you can move from being “back on your heels” to “ready to sprint.” This ultimately is your organization’s “hidden opportunity” to turn the tables on its attackers and bring the fight to them.