Working as a consultant or CISO in the information security sector, I have witnessed several revolutions in technology and IT practices. Several business processes now rely on applications that automatically receive and transmit data from and to computer networks belonging to suppliers, customers, or partners. In order to have full control of our network, we must see who is connected to out organizational network and how they do it.
When Cloud Computing started, many had doubts and did not quite understand the importance of its implementation, rather choosing to observe the companies that did make that choice, needless to say Cloud now is a reality within organizations. It is no longer about whether a company uses it or not, but which one does it, to what extent, and for what purposes.
Does this mean that the cautious and even weak-willed speech by CISOs is totally out of touch? Or that they are naturally chilly conservatives and technophobes? That their vision is totally biased and that they always overrate the risks associated with technological changes?
Questioning something new is reasonable. Just like them, I have had my moments of fear and clear-cut positions when faced with certain practices. CISOs have had to contain their enthusiasm in the face of these revolutions. We live in a world where when “everything is going well”, organizations do not want to hear much about it, but when there is a crisis, we have to be prepared to answer, handle, and manage such circumstances! CISOs responsibilities are increasing at the same pace as IT revolutions, they must often work with small teams and find an unavailable time to constantly update their knowledge. In short, they are always expected to produce more within a short time and with much more limited financial, material, and organizational resources. In this context, it is quite easy to understand why some are not very excited about new technology, or even the desire for a little stability.
Hence, it is not really surprising that when cloud first came to the scene, it sometimes earned a dishonorable reputation in the security world. Especially since many people dramatized the slightest incident or wrongly accused faulty technologies for malfunctions rather than bad practices by their users.
However, that stands incorrect! If confidential data has been stolen from a fully open SaaS storage space on the Internet, the technology is not to be blamed, but rather the end user who considers IAM as being accessory.It is of the same magnitude as blaming a car manufacturer for a stolen car left in a public place with the doors fully open and the key in the ignition.
However, I am sure that security operations are, in many ways, much easier to perform in cloud environments than on-premise. A CISO’s toolbox has been enriched with an impressive number of solutions, which were previously only affordable at the price of significant material and human investments, and whose deployment relied on illusory organizational agility.
I am aware that the cloud has its vices and new risks have surfaced since it started, but my experience in the cloud security sector has permitted me to identify at least four strategic lines that greatly facilitate the appropriation of new stakes related to the cloud. I will go into further detail on this later in the article.
But first, let us start with the positives!
Cloud Security – An Improved Technical Tool
As a CISO, one of my greatest challenges has been to deploy security measures in a standard and global way. It is relatively easy to use encryption within a single application, to enable and collect logs from a homogeneous class of IT components, to ensure that a well-defined group of servers is updated. But the goal is to have encryption, monitoring, patch management, etc. mechanisms that present from one end of the IT chain to the other, which are resilient and constantly efficient even when the IT pack rapidly evolves, or when the applications or the number of users infinitely multiply.
That is where Cloud Security stands out.
For example, it has never been simple to provide a strong, natively auditable encryption architecture that is accessible to everyone and simultaneously managed through a granular access rights model, owing to managed services for encryption key creation and management (e.g. KMS for AWS, Key Vault for Azure or Cloud KMS for GCP), for the storage and automatic rotation of secrets (e.g. Secret Manager for AWS, Key Vault for Azure, Secret Manager API for GCP), or for the management of internal and external certificates (e.g. ACM public & private, Key Vault for Azure, Secret Manager API for GCP).
Similarly, monitoring infrastructure and application spaces is made easier by the activation of monitoring and data centralization services (e.g. CloudWatch, AWS Config, CloudTrail, GuardDuty for AWS, Azur’s Azure Monitor and Advisor, GCP’s Cloud Monitoring, Cloud Asset Inventory, and Cloud Audit Logs). Instance creation, new service activation, resource deletion or modification, noncompliance with a security rule, sudden over-consumption of a resource, these are all events that were previously unidentifiable or difficult to identify, and even less likely to do so in real-time; except at the expense of heavy investment in third-party tools, not to mention operation, maintenance costs, and the additional risks inherent to the inclusion of new cross-functional components to the IT environment.
The same applies to access management. Security stakeholders have one well-known and much-loved mantra “Everything is forbidden, except what is explicitly authorized”. But this usually remains wishful thinking or utopia in environments that are often open by default or based on very simple identity and access management mechanisms.
Cloud environments, on the other hand, more often use the principle of not assigning rights at creation and some offer the possibility, service by service and platform by platform, of setting up fine-tuned and controlled access management to various assets.
Another major advantage of the cloud is the automation of security services. This helps trigger immediate responses in case of feared events or non-compliance, adapt a filtering system to the design and modification of an IT resource, e.g.,: update access rights, isolate an instance, send an alert, delete a resource, activate a filtering rule, etc. With the cloud, defence security teams can easily create and distribute automatic monitoring and response rules that greatly reduce their operational load, as well as their response time.
This allows them to concentrate on activities that need human intervention, namely long-term analysis and improvement. Similarly, faced with an ever-increasing flow of logs, managed cloud services for data collection, cleaning, correlation, and Machine Learning, which are increasingly available and efficient in cloud environments, also help in facilitating and improving this investigation work.
For example, I remember a project carried out within security teams in a company that was implementing a system for detecting anomalies and malicious actions throughout its Information Security system based on statistical algorithms and Machine Learning. This project highly improved real-time monitoring and analysis of environments that were far too large to be supervised by humans alone, eased the identification of weak signals, and accelerated the identification of attack attempts and triggering of alerts. This allowed the Security Operations Center team to focus on the investigation and take quick action toward mitigation.
A final example, amongst others, of the benefits of using the cloud for security, although from a slightly different approach, is the cloud as a security laboratory. The cloud is not only used by business and IT teams to test and improve their practices. Security teams use it as well! How many security projects were stopped because the access time to test an environment was too long and the costs too high? Owing to the cloud, it is now possible to quickly create a sandbox environment to test new solutions, practice incidents or crisis management scenarios on a replica of your production environment, or gamify getting trained in best security practices. The security team should not only ensure that the cloud is safe for users; there is a lot to gain by its usage for the security team as well. This can help it to better master this environment, and therefore, it proposes more relevant security solutions to other entities!
As a matter of fact, all these tools and solutions do not help in handling all the challenges inherent to using cloud. For example, how to manage security in an optimized and centralized way in a multi-cloud environment? In this context, it is difficult to manage security in a centralized and uniform way by relying solely on the wide variety of managed security services offered by each cloud provider. What about the implementation of regulatory requirements, linked, for example, to industry standards or sovereign cloud requirements? How can we improve the exchange between IT and business teams, now that shadow IT practices are largely facilitated by the fact that an email address and a credit card are enough to create a cloud space that can be used immediately?
And incident management! How to absorb and integrate new logs specific to cloud environments into SIEM systems. Or how to design incident handling procedures adapted to environments where, in particular, access configuration is often decentralized and multi-layered? And I am not even talking about the need to adapt security control processes and perimeters, or the difficulties associated with contractual negotiations with often all-powerful suppliers.
There is no “one size fits all” solution to these different challenges and there probably will never be.
Although there is no magic formula, there are a number of key ingredients, methodologies, and operational models that make it much easier to develop an effective cloud security strategy tailored to the specific needs of each organization.
How to handle the new cloud security challenges
First of all, I believe that cloud security is a journey, and like any journey it takes time. The cloud philosophy is: “Start small and grow”. The same applies to cloud security. You could have state-of-the-art on-premise security, with the right processes, tools, and methods in place but that does not mean you can switch to cloud overnight and apply the same solutions to get the same results. In the same way, moving an application often requires an adaptation and refactoring phase, moving “on-premise” security processes and tools to the cloud imperatively requires a review of devices and ways of doing things to adapt them.
All this takes time. The key is to start with a small technical or functional scope, or a pilot business project, to try, to fail, and sometimes to start again immediately (the fail fast principle!). Gradually, you will build your own convictions about the best way to proceed, and you will be better prepared to extend the cloud perimeter covered by security a little more each time.
Of course, all of these require resources. By this I mean building shared capabilities right after. Secondly, I believe that above all, you must be up to date! Many times have I seen security teams writing standards and policies or deploying tools without even logging into a cloud console once. It may sound surprising, but many times I have seen developer teams stamped “DevOps” overnight, ordered to use new tools and cloud services without having received any training in best cloud practices, let alone security practices. Training and practice are very important because you only master what you understand.
Security colleagues, get trained in cloud concepts, CI/CD, DevOps, and Agile philosophies. And fellow developers, architects, SREs, DevOps, get trained in cloud and application security best practices. It is better to have a single welltrained security consultant on your team than an army of employees clumsily trying to fit a circle into a square, especially since it is possible to boost the impact of training programs by supplementing traditional methods with more dynamic, interactive training, and awareness modules adapted to the specifics of your organization: gamedays, HandsOnLab, communities of experts sharing cloud and security practices, project feedback sessions, etc.
Thirdly, I believe cloud and security training programs will facilitate the implementation of a security management system based on collaboration. Do your security teams lack resources? Let us go back to the main principles of the cloud one more time: “You build it, you run it!” Do infrastructure teams build the cloud foundation? So, they must also be responsible for thinking about security issues inherent to these platforms and how to handle them from the onset. Do application teams build CI/CD pipelines and cloud-first applications? They too have to think about security user stories from the start, which will enable them to create strong, protected, and controllable products.
There are many advantages in encouraging IT teams to stop “blandly”, asking security teams to provide turnkey solutions on the principle that “ensuring security is not part of their job”, and then complaining that they do not have the required autonomy to adapt these solutions when they are deemed too restrictive.
On the other hand, it is in the security teams’ best interest to stop mistrusting development teams due to their perceived lack of responsibility and competence in security, and later be shocked by their reluctance to demonstrate autonomy in this area.
The key is healthy cooperation and ideal integration between the different teams. It is necessary to break down silos and build multi-disciplinary teams. Security teams must join ad hoc, or permanently, development and operations teams in order to understand “in situ” the difficulties they face, identify appropriate remedies, and train a few security players who will also empower their DevOps teams to internalize security skills.
Little by little, by getting their hands on pilot projects with a limited and controllable scope, the security and DevOps managers must learn how to co-construct preventive rules, detective controls, and remediation measures adapted to both performance and risk management needs. In short, cloud has its own shared responsibility model, and cloud security must absolutely have its own version within organizations.
As each organization travels through the cloud security world, it will develop its own ways of doing things, adapted to its environment. Since the “one size fits all” approach does not exist, I believe, lastly, that there are some unavoidable principles in designing security solutions:
The first principle is to build security that aligns with the principle of immutable infrastructure. This is an IT service and software management system that favors the replacement rather than the modification of its components.
This philosophy is based on the fact that it is better to manage components, each time renewed “as new”, than solutions that become unstable over time as a result of piling on patches, updates, add-ons, and deploying a cumbersome change monitoring process. This approach reduces incidents, improves security, and greatly simplifies the underlying infrastructure.
The cloud, which derives its power from its automation and Infrastructure as Code abilities, is the perfect playground for deploying an immutable infrastructure. That is why it is increasingly found in organizations that have taken the step of cloud and digital transformation. Security solutions should, therefore, be designed to accommodate this flexible deployment approach: storage space independence, on-the-fly environment mapping, automated policy adaptation, etc. It does not make sense to think of security as an immovable cemented block in an environment whose very strength lies in its capacity for perpetual evolution and re-creation.
The second powerful principle is to start building your cloud security by using primarily the managed security services made available by cloud providers. Not necessarily because they are always the best, but because they are often cheaper, easier, and faster to deploy than thirdparty products. Moreover, they are fully automatable and very often 100% interoperable with each other. These qualities make it easy to practice a “trial and error” logic learning. Trying different action scenarios will help you quickly discover exactly what your needs are and how to implement these services with regard to the specificities and constraints of your organization.
Once you have matured your security model, you will be better equipped to identify third-party or multi-cloud solutions you need to complement or replace, to conduct much more relevant and complete POCs, and challenge your third-party providers on the right topics.
By the end of this article, you may be thinking: but where do I start? Your organization has probably already conducted its first cloud experiments or is even a regular user of these services. Some security measures are already in place, and others are being deployed. How can you verify that the direction taken is the right one, and if necessary, change the course?
My advice is to start by performing a cloud security maturity audit. Not just a technical audit, but a 360° evaluation of practices, knowledge levels, process evolution, and relevance/coverage of security tools in place. To do this, you can use the maturity standards already available, such as Cloud Security Maturity Model of Cloud Security Alliance or AWS’s Security Maturity Model.
Once this assessment has been completed, the second step will be to take the opinions and principles set out in this article and study how you can appropriate, adapt, and implement them in your organization through a progressive and collaborative program, involving at least one representative of all the stakeholders in your organization, well beyond the IT department.
“Rome wasn’t built in a day”, and neither is a successful cloud security framework. Cloud security is a journey, if not an odyssey. And the strength of a trained and united team, an iterative approach, and the use of tools and services designed for the cloud, are the fundamentals that will keep you on course without going from bad to worse.