As cloud computing has become ever more central to businesses, the importance of cloud security has grown in tandem. In theory cloud security has an advantage over security before the cloud era – major cloud companies rarely if ever have major breaches.
Yet on the other hand, companies face plenty of challenges and concerns with cloud security. What about compliance? Where exactly is our data and who has access to it? What can we allow in the cloud and what must we keep on-premises?
See transcribed highlights below
Cloud Security: Cloud Platforms vs. Datacenters (7:42)
Nunnikhoven: “So your statement [that cloud platforms are more secure than on-premise data centers] is correct. We have yet to see a breach of AWS, of Azure or GCP.
“Where we have seen breaches related to those services are in the user space of that, so… It was up to the user to configure something and they misconfigured it or didn't understand the configuration and had a breach there.
“So the famous example is always S3 bucket breaches. Every single one of those cases is where somebody has explicitly taken a step to make that bucket more open and it bit them 'cause they didn't understand the steps they took.
“So one of the biggest things is that if we take data center security which is relatively a known problem set (it's not, I won't say solved, it's known) where you go, ‘Okay, I have a border between what I own and can put my hands around and everybody else.’
“Whether that's a partner, whether that's a region, whether that's upstream of your internet provider, and we normally set up structures to be control points around those connection points, we have layers. So you have your IPS and your firewalls on the outside, hopefully inside as well, but mainly you put them outside.
“You've got additional security controls on other systems, but the idea is you know what's going on.
“So challenge one, in your opening statement there when you said people are concerned about going into the cloud with this myth is that, I would say it's a big myth that your data center's secure 'cause there's probably more holes in it than in a sieve.
“And it is far more porous than you think. So the advantage right out of the gate is when you move into the cloud, at least half of the stuff you're used to securing on your own in your data center is now AWS, Azure, GCP's problem.
“So even if you don't do anything different, half of your normal workload is somebody else's problem, and those three [providers] work on reputation and have some of the best security teams on the planet. Which is why we haven't seen a breach from their core services – because they're paid 24/7 to be monitoring at a level that we could only hope to match on our own.”
Cloud Security and Using Managed Services (3:56)
Nunnikhoven: “So if you talk of more managed service in the cloud, let's use an example of a database. So if we wanted to run MySQL, we could do that in any one of the clouds by getting a virtual server, installing MySQL and running it just like you would anywhere else. Or you can get the cloud service provider to run that software and update it for you and you just get a database connection point.
“And that's sort of the most common use of managed services in the cloud. And there again, the security ones just keep coming because now it's up to them to manage a patch. So if there's a zero-day dropped and there's an immediate critical patch that needs to be applied, it gets done without you doing anything, behind the scenes, right? No outage, no downtime, just done.
“Now the challenge there is people go, ‘Well I'm special and I have a unique configuration that I need.’ I found, based on my career, talking to people around the world, that's true in 1% of cases where they actually have something that's a show-stopper that's custom and unique.
“But even if you take that managed service question and go to a managed service from a third party company, so somebody who's running something on your behalf in the cloud, that's not a cloud provider, there you need to dig a little deeper into their reputation and their practices.
“For the big three [cloud companies], we know they've gone through just an absolute mountain of logo certifications and compliance frameworks, and they get one of the big five auditing firms to verify that they're holding up their end of that bargain. So there's a trust level there, or it's far easier to make that trust.
“With a smaller MSP, there's a lot of value there, but you need to do a lot more research, you can't just... You know you're safe with Google, Microsoft and AWS. Other providers, you have to do more research.”
Automation: “Systems over People” and Cloud Security (5:36)
Nunnikhoven: “In security in general it's just way easier in the cloud to automate things. So the simple way to think of this is that the vast majority of cyber attacks are automated. So the challenge and the rebuttal I always hear is people say, ‘Well I don't have anything of value, why would people attack me?’ And the answer is, you're connected to the Internet. They don't care about you, they care that you're an addressable device.
“[About hacking even a small site], it's a simple scan where they said, ‘You know what, whatever you were running, if you're on WordPress or what the case may be.’ It was, ‘I found the signature for the vulnerability that I can exploit and I'm gonna do it and I'm gonna see if I get value after I've attacked.’
“But as far as systems over people, what it is, is that cyber criminals and attackers are already automated and we defend manually, which, just think about that. Going up against an automated machine manually is nuts.
“And that's the vast majority of security practices today: their incident response is completely manual. And then you've already lost because even if the fastest incident response is say, ‘You know what, we respond to incidents within 10 minutes.’ Well, that 10 minutes is how many possible function calls, how many network calls? It's already done. You're breached, it's over, they own your network.
“You may be able to mitigate the damage. So, systems over people is really all about automating that defense. But also, there's a huge skills gap in security. We just don't have enough qualified people, and we won't have enough qualified people. We simply can't train them. Career tip, if you want a great career, cyber security is a good way to go 'cause you're not going to be unemployed for quite a long time.
“And the idea behind systems over people is getting the grunt work out away from the people, push it to systems so that the people you do have can focus on maximum value. So instead of an incident analyst digging through 10,000 log lines to try to find something, having systems monitor those so it pops up and says, ‘Here's 10. Look into these 10, there might be something.’”
Modernize Security (1:42)
Nunnikhoven: “Security, for as much as it's a headline now, it's still a relatively immature discipline within IT.
“And even if you look at the more mature disciplines in IT, like project management, we still fail two times out of three in delivering IT projects, and that's a mature discipline.
“For security, it's even less mature. It's finally now getting the attention it needs because the threats are at an all-time high. So modernizing it is very much stepping back and going, ‘What worked five years ago is not gonna work today.’ For me, as much as I've been focused on the cloud for the last decade as it's come into prominence, my background's in digital forensic investigations and traditional nation-state defense and things. And I understand, it makes sense as how we built all that out. And data center security, totally made sense for the time. The challenge is tech changes so fast, but people change so slow that we haven't adjusted our approach.
“The cloud gives us this massive opportunity to automate things with systems over people. To do things at scale that we never thought possible. And just to take a better approach that streamlines into the way that... Development and ops have embraced it, we need to get there too.”