Cloud migration describes moving some or all of a company’s IT resources, databases, applications, services and digital assets onto the cloud. The push by companies to move towards cloud-based storage has led to cloud evolution which has, in turn, led to a cloud-first mindset.
With the push towards remote work and digitization seen over the past couple of years, cloud adoption and development is becoming a must-have for businesses. As a result, the four cornerstones of cloud security now must be realized.
In this article, we will explore:
1. Accountability: Using the RACI matrix to identify responsibility
2. Strategy: Envisioning a cloud security roadmap moving forward
3. Visibility: Bringing an entirely secure enterprise back into focus
4. Enablement: Outpacing innovation on the edge to ensure continuous business enablement
Addressing these pressing issues are the initial steps needed in setting the four cornerstones of cloud security.
Beginning with the end in mind, organizations are aiming to continue to provide secure business enablement. To ensure a secure infrastructure, visibility must be apparent. To ensure visibility a cloud infrastructure strategy must be in place and to ensure a strategy is in place, accountability for the initiative must be clear.
Security accountability, of course, is the responsibility of the CISO. Infrastructure complexity, unique vulnerabilities, user access, data security, consistent application controls, inconsistent talent and regulatory compliance are just some of the pressing issues which must be addressed in cloud security.
The RACI Matrix does a good job of providing clarity on accountability. RACI stands for Responsible, Accountable, Consulted and Informed. Several people can be Responsible, Consulted and Informed, but only one person is Accountable. While the CISO must be Responsible, Consulted and Informed, there is a question as to whether that is the optimal job function to be Accountable for the entire cloud infrastructure at any given organization. The CIO, CRO and COO have all been suggested as appropriate executives to take the role of Accountability for the entire cloud infrastructure.
The CISO is accustomed to restricting access to ensure security. Cloud security solutions are traditionally discussed via Infrastructure-As-A-Service (IaaS), Software-As-A-Service (SaaS) and Platform-As-A-Service (PaaS). The concept of anything “as a service” is a key to why CISOs have had to move from running the Department of No to running the Department of Know. The value of cloud-based services resides in high availability. Thus, allowing for business enablement demands the acceptance of new risk.
“Understanding the shared responsibility model with each SaaS and IaaS vendor is essential for organizations to effectively mitigate risks, as while cloud vendors assume some responsibilities, they do not assume all risks on behalf of their customers.”
Kanye Mcgladrey, Cyber Security Hub Advisory Board member
A missive often offered in response to cloud security questions is ‘it depends on your risk appetite’. However while most boards, CEOs and business stakeholders feel that they have a risk appetite which equates to operating at the pace of change, an incident which makes ‘the front page’ is unacceptable.
Bob Turner, CISO at the University of Wisconsin-Madison explains that having a single point of accountability in highly distributed organizations is challenging unless a governance program establishes the concepts of system, data and service/ functional ownership.
“Cloud service is simply using someone else’s data center. The CISO is accountable for cloud security – with the (business) functional owner of the data/service used in that data center being accountable for having the right service at the right cost and delivered at the right time,” he shares.
Operating at the pace of change means operating in the cloud. Thus, enabling the business to operate in the cloud with a security consciousness is the responsibility for which the CISO is accountable. To execute that responsibility, the CISO must ensure that they are consulted and informed in real time of the machinations of operating in the cloud.
The CISO must conceive of a cloud security strategy to ensure that the business consults and informs the cyber security operation.
There are three different aspects of cloud security which need to be accounted for in that strategy:
- Security of the cloud
- Security while accessing the cloud
- Security of the applications and data in the cloud
Security of the cloud
Unfortunately, the security of the cloud depends on the cloud provider. Most global organizations have some combination of Azure, AWS, Google Cloud, Alibaba Cloud, IBM Cloud, Oracle Cloud and/or Tencent Cloud. When one of those organizations is compromised, any organization utilizing the exposed provider must be able to detect the incident and remediate accordingly.
That leaves security while accessing the cloud and security of the applications and data in the cloud.
Also read: The main challenges facing CISOs
Security while accessing the cloud
Secure access occurs with identity as the perimeter. PAM, IAM, Zero Trust, SASE; most organizations have implemented at least one piece of the secure access quadrigeminal. Evolving to a security architecture which utilizes Identity as its centrifugal force has become mandatory.
Security of applications and data in the cloud
The glaring action items of cloud security are clearly in the security of applications and data in the cloud.
- Infrastructure Complexity – Some assets remain on-prem while some assets have been positioned in the cloud. To date, a lift and shift mindset dovetailing into a pandemic-inspired collaborative tool explosion have ensured that any given global corporate enterprise suffers from cloud infrastructure complexity.
- Unique Vulnerabilities – Simply migrating to the cloud opens up unique vulnerabilities. But it is cloud infrastructure complexity which obfuscates visibility and metastasizes threat opportunities.
- Data Security – Identity as the perimeter does help data security if you know who is accessing what, where, when, for how long and for what purpose with the ability to have that identity go through multiple layers of authentication.
- Consistent Application Controls – Security controls are usually where the rubber meets the road, but where we’re going, we don’t need roads. What was once solved by tacit knowledge and key technology needs to now be solved by business acumen and interpersonal skills.
- Inconsistent Talent – Current cyber security talent is not necessarily future cyber security talent. Additionally, surveys have shown that investments in this area topped budget expenditures for the past few years. While it might be an aberration, feedback over the past few months is that secure access is no longer a top investment area. There are inevitable trailing costs for any solution, but the shift in investment could mean that global corporate enterprise is perhaps level-setting on security while accessing the cloud. However, with that security coming through newly sourced solutions, it must be verified and needed talent is perhaps the most important aspect of the CISO role moving forward.
- Regulatory Compliance – Any cloud decisions made must come after reading the tea leaves of proposed local legislation the world over. The concept of saving organizational dollars by not spending in an area that will clearly soon have regulatory oversight has been proven to be foolish.
Top cyber security executives have seen this all before. The implementation of new and increasingly decentralized systems and tools to help manage the security of the enterprise has been happening since the beginning of the information security discipline itself.
As DevOps increasingly occurs in a cloud environment and business users continue to utilize more and more cloud-enabled SaaS tools, the enterprise itself now mostly exists and operates on the edge.
Enterprise has evolved over the past half-decade to once again reside on just ‘one street’ – the cloud. True interconnectedness between supply chain partners has brought true security interdependence. This construct has birthed dependency confusion.
With the evolution of how the business works and how businesses are connected, there has been an evolution in cyber security threats. With the evolution of cyber security threats, some of the install base tacit knowledge is moot.
“A high-level approach is called for which engages procurement to vet potential supply chain partners in order to ensure that a level of cyber hygiene does not present a risk to the purchaser. More to the point, because of the intertwined ecosystem, we have a responsibility to be good citizens and assist supply chain partners when an incident occurs. Not in a punitive context but in a supportive capacity for the greater good. Ultimately, a system like the financial services KYC program is needed.”
Ian Thornton, Cyber Security Hub Advisory Board member
There is a significant global shortage of cyber security talent for the open positions today, in addition to job functions continuing to evolve. Network architecture experts are needed less, while cloud network architecture experts are needed more. Blue team job functions are needed less, while purple and red team job functions are needed more.
Thus, the process of gaining visibility resides in the connective tissue of systems but also the evolution of the people overseeing those systems along with the ability to simultaneously be interconnected with supply chain partners yet not suffer from dependency confusion.
While the need for information security had its onset when humans began to communicate with language, modern cyber security is a relatively recent phenomenon. Lessons have been learned by the good, tactics have evolved for their adversaries and zeitgeist best practice advances accordingly.
“Technology is a reactive protection. People and processes are the weakest links, and behavioral analysis creates visibility to risky users and proactive risk management.” Lisa Tuttle Ciso, SPX Corporation.
The security executive learns from past adversarial strategies to forecast future attacks on a known threat landscape. When the landscape changes, the security executive adapts. Until very recently, a good defence has been the best offense. All things considered; a forward security posture has been assumed in rather rapid fashion- many more conversations these days are had around threat hunting than around firewalls.
“We talk about ‘data breaches’ because of regulatory and statutory definitions that focus on the disclosure of data. An organization’s security strategy should work with the end in mind and focus heavily on denying threat actors access to those data with the highest regulatory, statutory, or contractual risks.”
Kayne Mcgladrey, Cyber Security Hub Advisory Board member
As security has gone from heel to toe, business operations have gone from the ground to the cloud. So, while the philosophy of cyber security has revolutionized, the process of business has transformed. The business simply needs to consistently find and use new and different tools to ensure the organization outpaces change and provides value to shareholders and customers into the distant future. That cannot happen if the company cannot learn from previous security incidents.
So, cloud security embodies the essence of the CISO role. The landscape changes and the CISO adapts. But this adaptation is an evolution. The CISO is now a business executive who must speak with common language to the Board, the CEO and business stakeholders. The CISO must use that common language along with a newly assumed forward posture to find the edge of business innovation and enable it.
Louis Evans, product marketing manager at Arctic Wolf Networks
What is the cloud security landscape?
The fundamental dynamic of the cloud security landscape is the balance of cloud security responsibilities between cloud providers and users. It is more complex than ‘cloud providers are responsible for this, and end users are responsible for that’. It is about understanding shared responsibility: what kinds of security-relevant data cloud providers make available, how organizations can operationalize it and so on. Cloud security vendors sit atop that dynamic and partner with users to help close that gap.
Here at Arctic Wolf, we apply our security operations approach to the gaps most businesses struggle with detection, security posture management, unified security visibility, and so on.
Can you provide a cloud security use case?
Let’s talk about a really basic security best practice: multi-factor authentication (MFA). Everyone knows you need to implement it across your platforms—and especially in SaaS systems, where accounts and logins are the primary target for attackers.
SaaS vendors recognize this, and they offer MFA. However, security is not necessarily the top priority for these SaaS vendors. So, implementing multi-factor authentication is more complicated than it looks. It is not just a question of activating MFA for user login. It also requires going through all of your other settings — API calls, other access pathways — and deactivating single-factor authorizations.
This is all pretty basic, but it still gets very tricky and a SaaS customer may not even know about this vulnerability until it is exploited by an attacker. That is true in this simple case and in lots of more sophisticated, complex cases. That is why partnering with a cloud security vendor can be so valuable.
How can the business engage in SAAS and cloud security best practices?
It is a real challenge. Typically, the gap is people and process rather than technology. Most of the technological requirements for most key security best practices are in place through the cloud provider. They have the configuration options needed, or they make they security-relevant data available. But organizations lack the cloud security experts with the knowledge of all of the best practices they should be implementing, and they lack the processes to go after their vulnerabilities and review their alerts in a systematic way.
Often there is a certain technological gap too, a lack of data aggregation or a pipeline for new security configuration data, but they key gaps are definitely in people and process. Cloud security talent is so rare, and in such high demand.
“A cloud customer may not even know about their cloud vulnerabilities until an attacker exploits them. That is why it is so valuable to partner with cloud security experts.”
Louis Evans, product marketing manager of cloud solutions at Arctic Wolf
How are you helping bridge the gap?
The key ingredient is definitely our concierge security teams, who partner with our customers, bringing their expertise to the table as an extension of those customer IT teams.
Our concierge teams sit on top of an involved security pipeline and process, where we are constantly collecting and updating vulnerability information, security benchmarks, indicators of compromise and comparing them with customer cloud data. All of that together is how we are able to support our customers in such a new, dynamically evolving environment.