Three Things Holding Back Cloud Security
A recent PwC report found that a staggering 96% of executives are shifting their cybersecurity strategies due to COVID-19. While the majority of these changes are likely long overdue, the transition to the cloud isn’t a simple “lift and shift” of servers from on-premises to the cloud, but rather a complete rearchitecting of how applications are built, shipped and secured.
But as organizations race to up-level their hybrid/multi-cloud strategies, many cybersecurity executives are hitting roadblocks that are preventing them from properly securing their cloud infrastructure. What is causing the delay? Most organizations’ approach to cloud security is deeply flawed, as I’ll explain below. At best, the dominant approaches to cloud security result in wasteful spending and slow teams down. At worst, they create the illusion of security while exposing enterprises to critical cybersecurity threats.
In order to level the playing field against attackers and build resilience, here are the three most common issues organizations face when trying to secure their cloud infrastructure — and, more importantly, how they can address them.
The Cloud Security Skills Gap
Lack of talent in cybersecurity is a known issue, with 70% of cybersecurity professionals saying the cybersecurity skills gap affected their organization in 2020. However, what is less talked about is how the shift to cloud technologies is contributing to that gap by generating new challenges for existing security teams who aren’t typically used to working with the cloud.
Workforce training programs can help, but another way companies can combat this gap is designating a set of “security champions” across each developer team. These champions can assist the security team by providing a better understanding of their processes, enforcing the controls, and handling the violations in their own teams. This additional “middle layer” of security champions is critical to building out a scalable cloud security strategy and having overall company alignment.
Another equally important initiative for consideration is a joint partnership between the security team and engineering team. There must be a top-down understanding that cloud infrastructure security doesn’t work without total buy-in and support from both sides. Security teams need to have close ties with the developers, join weekly team meetings and get to know the teams and the projects. Then, when the time comes, they will have more context on alerts and the environment.
Collaboration Across Engineering and Security
Is the security team “a protector” (i.e. a group of brave soldiers protecting us from the bad guys)? Or is the security team “an auditor” (i.e. a group that defines policies and then just performs audits to make sure everyone complies)?
While no one wants to be friends with the auditor, we all appreciate the work of the protector. When the engineering and security teams start to work together, one of the key challenges affecting the quality and openness of their discussion is how the security team is perceived and how it perceives itself. Are they here to help the company catch the attackers? Or are they here to find mistakes? The answer is both, but juggling the two roles is an important balancing act.
For companies that are in their infancy, fostering this type of collaboration is a little easier (as the security team will be created from the outset, with both the correct mindset and skillsets). Usually, the developer team understands (at some point) that there needs to be a security function, and the CISO’s team gets built to provide this as a result. At this point, it is vital that executives clearly articulate the roles and responsibilities of each organization and how the joint work will occur. When the foundation is built correctly, a company can avoid a lot of headaches as it scales.
For existing companies, however, the organizational problem is much more complex. Because the structure and teams are already in place, it is a major challenge to slowly shift into a new model. As such, these companies should instead create a new center of excellence within the security team that includes a joint task force made up of both security pros and developers that is aimed at working together to build out the organization’s cloud strategy.
Lack of Integration Across the Stack
In addition to aligning an organization’s teams, it’s critical to align all of the technology in the stack. Organizations typically use several different cloud products and services, usually managed by dedicated teams due to the narrow scope of their applicability.
The cloud is ubiquitous, with multiple types of computing coming in different shapes and sizes. When an organization chooses multiple legacy security tools, each of them covers just a portion of the puzzle and this creates three immediate problems:
- Noise – adding more security tools can be like throwing more gas on the fire. The number of alerts just goes up, making it even harder to focus on the critical risks.
- Deployment complexity – each tool requires additional deployment steps. The more tools, the harder it is to ensure all tools are deployed in all environments and the more strain is created for development teams by their security counterparts.
- Coverage – instead of focusing deployment on a single tool, the developers are expected to perform multiple deployments, leading to coverage gaps as each team deploys a different subset of the tools.
It’s never too late to do things properly. Applying legacy tools to the cloud requires much more work in the short and long term, causes more frustration for developer teams, and delivers inferior results – as these tools were not built for the cloud and cannot accommodate its complexities.