Avoiding Cloud Security Pitfalls

Charlene O’Hanlon and Keith Neilson from CloudSphere talk about the numerous pitfalls enterprises face in keeping their cloud environments secured, including lack of visibility and monitoring for unauthorized or misplaced access, failure to enforce IAM policies, granting access to external parties without security expertise, using multiple IAM solutions across cloud environments and not considering the attack surface opened through misconfigurations of cloud resources and human error. The video is below, followed by a transcript of the conversation.


Charlene O’Hanlon: Hey, everybody. Welcome back to TechStrong TV. I’m O’Hanlon, and I’m here now with Neilson, who is the technical evangelist at CloudSphere. Keith, thank you so much for taking a couple minutes and getting on the Zoom with me. I appreciate it.

Keith Neilson: Yeah. No problem. Nice having me. Thank you.

O’Hanlon: All right, great, great. So let’s talk about keeping cloud environments secure. We’ve had so many organizations that have really kind of pushed heavily into the cloud, especially over the last year and a half or so. But obviously cloud adoption has been on the rise for some time now. So keeping those environments secure is not as easy as some organizations would think, especially if they’ve been traditionally on premises, and arguably that’s much easier to keep secure. So I’m interested, since you guys are very much in the cloud space, hence the name CloudSphere, I thought you guys might actually be able to provide some guidance for organizations as they look to secure their cloud environments. But first let’s kinda lay the landscape, if you will. What are you guys seeing out there right now as far as cloud adoption and the level of security that these cloud environments have today, and what do organizations kinda need to consider?

Neilson: Yeah, absolutely. Well, it’s an interesting question. I think CloudSphere’s in a pretty unique place, actually, with that, and the reason being is we have a solution that kinda fits both sides of a cloud journey that a customer is either on or is about to start, being that we actually help with – kinda break it down into two parts. And we help with both, and the first one being planning and migration, which, of course, as you mention, we really have seen a huge uptake in. I think everyone would agree. The pandemic has really, I think, accelerated a lot of the decision-making that customers were going through. So, first and foremost, we help make the migration and planning phase of that journey, being maybe more complex applications now or maybe new as someone that’s just accelerated to the cloud. 

We do that through visibility, and that’s a key word, actually, moving off into Day Two, which we define as being around the security posture and the identity management, making sure that you’ve got the guardrails to securely protect those resources and services that you’ve now got running in the cloud. We help with dependency mapping. We do that agentlessly so that it’s very quick. You don’t have to worry about getting access to certain resources on prem. And then it’s about having these really dynamic, extensible rules and policy to cover that surface area in a way that suits that environment now, right, ’cause you made the point it’s not the same as on prem. By nature, cloud is actually transformation, and so processes have changed. We’ve got this DevOps methodology. You’ve got DevSecOps, where you should be looking a little bit left of center as early as possible as these services are being wound up and wound down, which is quite different. It’s a very, very fast-moving dynamic environment, and you need to make sure that you’ve got the right policies and procedures in place to account for that nature.

O’Hanlon: So, to your point, these cloud environments, they’re like snowflakes, right? Each one is gonna be a little bit different regarding what an organization is actually using the cloud for. So I imagine that there is no one-size-fits-all policy regarding security in the cloud. So how can an organization understand what exactly their cloud-security needs are and really recognize where they might be kinda falling down, if you will, in their current security efforts?

Neilson: Well, that’s a really good question. I guess there’s lots of different points to that. The first thing, like anything, is to, I guess, start with a process that looks at what you’ve actually got. What are you actually planning to move to the cloud? Or if you’ve left it late, what do you actually have in the cloud? But it starts with analysis, looking at the different components that make up something like an application, for instance, and looking at the data. What regulation do you have, if any, on the data? That’s gonna dictate a lot of the policies and the rules and the compliance, actually, that you may or may not want applied. And then obviously it’s about having visibility. Like I mentioned before, it’s a key word, not just from a planning perspective, but once you’re there, looking at what’s changing, looking at what’s aged. That helps with things like misconfiguration, and it’s about having the right instruments to actually measure that, because there’s nothing worse than not knowing what to look for.

And so if you’ve got the tools in place that would allow you to have visibility across multiple environments, there’s a lot of trends now – it was kind of a notion that people would talk about in multi-cloud, but it’s a reality. You’ll come across customers that say, “No, we’re just single cloud.” When you dive deep and you look at – they’ve got SaaS environments. Where’s that SaaS environment hosted? So it’s a real thing, having awareness and visibility and then having the controls to actually measure against things like having compliance standards. Something that we do at CloudSphere is provide best-practice policy against the compliance frameworks that you might be interested in, and that’s applied against all of the services that you can consume in the cloud. So straight off the bat you have almost a template that you can align that suits you based on that analysis that you’ve done.

O’Hanlon: Interesting. And it sounds also like a whole lotta work. I hate to say it, but do you think that this really merits within an organization kind of just one full-time person or maybe multiple full-time people who are just tasked with this cloud management, which should include security? Or do you think that organizations that – maybe it’s not something that has to happen within an organization, that it actually can be maybe outsourced to a managed services provider or some other organization?

Neilson: Yeah, again, really interesting point. And, again, look. There’s a few things going on. The clouds that we actually work with, both enterprise and managed services providers – for that very reason. But, really, it touches on a key point, which is something, again, that we look to solve. Where you’ve got multi-cloud environments, all of these clouds are slightly different. They provide their own native tooling, which works slightly differently. The APIs that you would use to control them differs. So there’s a challenge around, to your point, having full-time resource. If anything, if you’re doing it natively, you’ve got an inherent challenge, where right now in the industry, even across at scale, the service providers – there’s a lack of skills and depth and volume to cover all of those environments. So having a tool that’s agnostic allows you to treat them as closely aligned as you can with the same rules, the same look and feel, the same abilities and rules engine actually negates the need to have two – that problem that you mentioned about the staffing and full-timing. And so, secondly, simplifying the need of that individual or individuals by automation, providing context so that they can streamline their attention to what’s actually needed, that’s the kinda thing that we’re helping with. We think that’s actually a really important factor.

O’Hanlon: That’s interesting. Okay. Looking ahead, if you will, as more organizations do maybe go further down the cloud path, do you see that we will have kind of a shift in mindset regarding cloud security? I mean, will it become one of the initial conversations that organizations have when they talk about the cloud? Or do you think that it’s still gonna kind of stay where it is, and they’ll get the cloud up, and then they’ll address security, which, between you and me, I don’t think is the best way to go about doing it. But it seems to be right now it’s – the process is much more linear than it needs to be or that it should be.

Neilson: Yeah. I mean, it’s an interesting observation, and I don’t disagree. I think security is a conversation that is encouraged to be had early. Security is nothing new. A lot of the challenges have existed before, but we’re having to modernize perhaps the way that we implement the appropriate actions. And of course there are new technologies that are cropping up all the time, which make that a problem. A lot of the cloud providers have tried to instill a culture change. Think about things like the shared-responsibility model, this notion that it’s perhaps different than it was before. I think that’s been quite consultative. I think it’s been hard to measure, and I think that’s where you’ve got an opportunity to make sure you meet those requirements, and your responsibility’s in that process. So I think that’s something that really needs some thought and some focus on. It’s the culture change. It’s having the right tools to actually measure against that, give you the awareness and the visibility to be able to measure that effectively.

I think the other challenge that we’ve got is being very quick and easy, easier than ever, to provision access. And it’s been easier than ever to go up and spin up some compute and some services. And you’ve got this fine balance of the beauty of the cloud, right, and the technologies that underpin it, giving you that ability, so readily available. It’s accessible. It’s scalable. As long as you’ve got deep pockets, you probably aren’t gonna get constrained in the fact that it is actually shared compute, because economies of scale, right? That’s what they’ll tell you, and it’s true, equally because it’s so accessible and it’s easy to get hold of, the challenge that security teams have has probably been quite challenged, because you’ve always got this balance of productivity versus control, and so I think it’s just a case of readdressing that question. And like we said, you need all these things that we’ve talked about today to be able to take a step back and assess and then put the right process and tooling to support those processes in place.

O’Hanlon: Right, right. Well, I also think that security has been kind of a moving target, especially in the cloud space, and I don’t see that changing any time soon. I think we’re always gonna have to be very, very aware of what’s happening within the cloud and within the cybersecurity industry at large. So I think that anything that can help organizations kinda get a better handle on their security of their cloud services and their cloud – [clears throat] excuse me, their cloud environments is a technology that’s gonna be very well received. So I’m actually excited to see what’s gonna be happening in the cloud-security space over the next few months. I think it’s gonna be some interesting stuff.

Neilson: Indeed. Yeah, I couldn’t agree more.

O’Hanlon: All right, Keith. Well, thank you so much for taking a couple minutes and having the conversation with me about securing cloud infrastructures and so much more. So, thank you very much, appreciate it.

Neilson: Yeah, no problem. Thanks for having me. Thanks. Thank you.

O’Hanlon: Okay. All right. All right, everybody. Please stick around. We’ve got lots more TechStrong TV coming up, so stay tuned.

[End of Audio]


Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.
