What new security risks does the cloud bring, and how can a company minimize these effectively? We spoke with Chris DeRamus, CTO and co-founder of DivvyCloud, for his thoughts on how businesses can transition to the cloud safely and productively.
Chris DeRamus
CTO and Co-founder, DivvyCloud
What sorts of things can be identified as potential threats to data?
Consumer privacy (or lack thereof) is a huge societal concern, and concerns about protecting privacy is manifesting itself through many forms, including regulation like the California Consumer Privacy Act and General Data Protection Regulation. As a backdrop to this is the shocking news that 2019 is on track to be the worst year on record for data breaches, according to a report from Risk Based Security. The research found the number of reported breaches and number of exposed records has increased by more than 50 percent compared to the first six months of 2018, with over 3,800 data breaches reported in the first half of 2019.
The biggest potential threat to data is misconfigurations of cloud services. Too often, companies are not investing appropriately in security and compliance, sacrificing these efforts in the name of speed of innovation. This rush opens them up to both insider and outsider threats, where malicious actors are able to gain access to data that has been exposed unintentionally.
Importantly, it doesn’t have to be this way. Companies are often presented with a false choice, that they can either have security or go fast. In fact, they can have both if they make the proper investments in people, processes, and tools. For example, this emerging category of software that makes up what Gartner calls Cloud Security Posture Management (CSPM) needs to be a required component of companies’ digital transformation strategies.
How do you remedy a threat to your business?
To remedy a threat, you first have to identify it. Too often, companies are blind to the threats that exist in their cloud environments. CSPM software like DivvyCloud can for the first time provide visibility into a company’s cloud environment and, importantly, what threats are there. The next step is to triage these threats, but the challenge is that in the new world of cloud computing, the scale has completely changed. In a traditional datacenter, there might have been dozens of threats to evaluate daily, but in the world of cloud there can be millions of changes and thousands of threats. To address these threats, you need an additional layer of understanding that provides context and empowers security and risk professionals to prioritize remediation.
For companies to truly achieve continuous security and compliance, they need to automate remediation of common threats and challenges, allowing security engineers to focus on the truly high priority and critical threats that require their time and attention.
Is it possible to improve security without sacrificing efficiency?
Yes! This is a false choice. Companies don’t need to choose between security and efficiency, or security and innovation. However, companies still buy into this false choice and, as a result, incorrectly prioritize speed at the expense of security when it comes to cloud. Exacerbating this problem is that too often they also don’t understand the stark differences between risks in the cloud versus traditional datacenters when it comes to how you have to approach security. Too many organizations are failing to understand cloud-specific security risks, like that cloud identity and access management is the new security perimeter. Companies don’t have to make this choice, but they do need to make the right investments. They need to invest in retraining and upskilling existing employees, hiring new employees, redefining processes, and implementing a CSPM software platform like DivvyCloud.
At DivvyCloud, we advocate a complete shift in how organizations deploy and build applications in the cloud by having security built in to the process. This approach prevents cloud misconfigurations from happening through integration with the build process. It also allows developers to move quickly and efficiently while adhering to strong security and governance practices. This results in companies’ ability to enforce cloud security and compliance policies at scale preventatively. Thus, problems never manifest in runtime and therefore can’t be exploited — and developers can now focus on innovation.
Are there certain areas of a business that incur a higher risk?
Any business unit that provides self-service access to cloud services to its staff is at greater risk. This risk is made more critical when combined with a business unit that has access to proprietary or confidential data. The ability to apply good governance across cloud environments starts in part by classifying the level of risk associated with different units, whether that is an application, business unit, or team. Once the classification has occurred, this can provide better application of security tools as appropriate.
For example, Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. However, it’s expensive, so many companies only want to leverage it where appropriate to protect sensitive data. Thus, the first step to leveraging more sophisticated and targeted approaches to improve security is to understand where these should be deployed, and to automate the implementation of these services based on policy and context.
What information are hackers looking for, and how do they use it?
Hackers take the path of least resistance. They start with known vulnerabilities, look for these, and then exploit them. Their goal is to gain access to critical systems and identify data than can be of commercial value. A primary target is personal information such as usernames, passwords, social security numbers, date of birth, credit cards, or other information. This data is then used to execute further exploits and sold on the dark web to other malicious actors who will exploit it. This is why cloud misconfigurations are so frustrating: they often expose personal data directly to the internet (akin to leaving your front door unlocked and wide open), and they fit a pattern that hackers can search out and exploit quickly and easily.
Is total security attainable for a large enterprise?
Total security isn’t possible, but reinventing security for the cloud era can minimize the likelihood of breaches. Approaches like zero trust can substantially minimize the consequences of any security breach. One of the key elements in the cloud era is to make any new strategy scalable and sustainable.
Almost overnight, we shifted responsibility for IT from professionals who spent their entire lives in IT and security and understood the security process to developers and other users who aren’t prepared to own security and compliance as part of their job function. The issues that are happening in today’s security realm, the headlines we are seeing, often manifest from this shift.
Compounding this shift is that the number of people making changes to cloud services and the rate of change have grown exponentially. Companies have gone from 40 IT pros making tightly controlled changes to IT systems to 4,000 developers making changes. They’ve moved from dozens of changes a day to thousands of changes. And they have moved from hundreds of issues to address to sometimes tens of thousands of issues.
To stand any chance of keeping up with the scale and scope of the cloud era, companies must adopt new security approaches and these approaches must leverage automation. Without this, they will not be able to attain reasonable security levels.
Security teams must be proactive at reinventing themselves and advocating for the proper allocation of people and capital to drive needed changes to security in cloud era.