Those that get cloud security right value productivity, speed, and risk reduction to help their organisations succeed.
Cloud use cases are changing rapidly
The introduction of cloud computing represents a radical departure from the data centre, requiring security teams to operate differently to keep cloud infrastructure secure. The shared responsibility model of cloud, which outlines the security responsibilities of cloud service providers and cloud customers alike, has relieved security teams of the burdens of securing physical infrastructure. But what remains on their plate — the virtual server instances, virtual networks, and security groups — all require different tools and approaches to secure.
A decade ago, cloud infrastructures looked a lot more like data centre infrastructures (even though the two are fundamentally different). Compared with the cloud services and architectures teams are adopting today, those early cloud environments looked quite familiar, almost like a “remote data centre.”
These use cases are still prevalent, but a bigger change is afoot — one that has major ramifications for security. More and more, application teams are building and running new applications in the cloud, as opposed to simply using the cloud as a platform for hosting migrated or third party applications. These teams are leveraging new kinds of cloud resources, and their environments no longer resemble anything you’d find in a data centre.
Changing cloud architectures has upended security
Cloud service providers now offer hundreds of specialised cloud services that teams are taking advantage of, and each specialised service has its own unique security considerations. When these newer services are combined into cloud-native architectures, security teams are realising that what worked before no longer works well or scales well now. Cloud attack patterns have also changed; they now leverage automation to detect misconfigurations, and use API keys to operate against the cloud control plane for discovery, movement, and data extraction. Breach victims are often unaware of these attacks until their data shows up on the internet.
On a positive note, there are organisations that are getting cloud security right. It’s helpful to examine what they’re doing differently to understand why they’re succeeding when so many others are falling short. Development and security teams at these successful organisations are reducing their rate of misconfiguration vulnerabilities, even as their use of the cloud scales in size and complexity. They’re also helping teams across the rest of their organisations move faster and become more productive.
The Five Fundamentals of Cloud Security
All of the organisations that are getting cloud security right focus on the following five key fundamentals.
- They know their environment.
These teams are aware of every resource running in their cloud, how the resources are configured, and how they relate to each other (it’s not uncommon for enterprise cloud security teams to not be aware of 20% or more of what’s running in their environment). They know which applications are running on what cloud infrastructure, as well as the data involved. And they maintain visibility over the software development lifecycle (SDLC) for their cloud infrastructure, including any infrastructure as code in development and CI/CD pipelines used.
- They focus on prevention and secure design.
The way to stop modern cloud breaches is to prevent the conditions that make them possible, rather than to focus on detecting and stopping attacks in progress. These teams go beyond simply preventing individual resource misconfigurations and focus on designing cloud environments that are inherently secure against control plane compromise attacks. The cloud security architect becomes a key role at these organisations.
- They empower developers to build and operate securely.
Today’s cloud security teams know that they can’t do it all, and they focus on empowering other teams to get security right. By providing tools that enable engineers to develop infrastructure as code securely, they’re positioning these engineers to catch and correct issues early, avoid time-consuming remediations and rework later, and to deliver secure infrastructure faster. These security teams also help engineers build security guardrails into CI/CD pipelines, to ensure that vulnerabilities don’t make it into running environments.
- They align and automate using policy as code (PaC).
When security policies are expressed solely in human language and exist in PDF documents, they might as well not exist at all. PaC allows for rules to be expressed in a language that other tools and applications can use to validate the correctness of code and configurations. PaC eliminates differences in interpretation, implementation, and enforcement, and it lets cloud security teams scale their effort without having to scale up headcount.
- They measure what matters.
Cloud security is about operational discipline and getting the right processes in place. Successful security teams identify what matters the most, be it reducing the rate of misconfiguration, speeding up approval processes, or re-allocating resources to higher-value work. They establish their baselines, set goals, and then work diligently toward achieving them. And they’re able to demonstrate the security posture of their environment—and their progress—at any time.
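To make the policy-as-code and pipeline-guardrail fundamentals above concrete, here is an added example (not from the original article or from any vendor's tooling). Python stands in for a dedicated policy language, and the resource schema, rule IDs and sample resources are hypothetical, constructed for illustration.

```python
# Policy as code: each rule is data plus a machine-checkable predicate.
# Hypothetical schema and rule IDs; not tied to any cloud provider or tool.
POLICIES = [
    {
        "id": "SG-001",
        "description": "Security groups must not allow SSH (22) from 0.0.0.0/0",
        "applies_to": "security_group",
        # A port range that merely contains 22 is also a violation.
        "violates": lambda r: any(
            rule["cidr"] == "0.0.0.0/0" and rule["from_port"] <= 22 <= rule["to_port"]
            for rule in r.get("ingress", [])
        ),
    },
    {
        "id": "ST-001",
        "description": "Storage buckets must block public access",
        "applies_to": "storage_bucket",
        # A missing setting is treated as non-compliant (fail closed).
        "violates": lambda r: not r.get("block_public_access", False),
    },
]

# Constructed sample input, shaped like a parsed infrastructure-as-code plan.
SAMPLE_RESOURCES = [
    {"type": "security_group", "name": "web", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"type": "security_group", "name": "admin", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    {"type": "storage_bucket", "name": "logs", "block_public_access": True},
    {"type": "storage_bucket", "name": "exports"},  # setting omitted
]

def evaluate(resources, policies=POLICIES):
    """Return sorted (policy_id, resource_name) pairs for every violation."""
    findings = []
    for res in resources:
        for pol in policies:
            if pol["applies_to"] == res.get("type") and pol["violates"](res):
                findings.append((pol["id"], res["name"]))
    return sorted(findings)

def gate(resources):
    """CI/CD guardrail: exit code 0 lets the pipeline proceed, 1 blocks it."""
    return 1 if evaluate(resources) else 0

if __name__ == "__main__":
    for policy_id, name in evaluate(SAMPLE_RESOURCES):
        print(f"FAIL {policy_id} {name}")
    raise SystemExit(gate(SAMPLE_RESOURCES))
```

The length of the list returned by `evaluate`, tracked per pipeline run, also gives a misconfiguration count to baseline against.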
Those that get cloud security right view it as an innovation enabler, not a blocking function. They operationalise cloud security across the organisation so that everyone can move faster and more securely.