The pandemic of 2020 ushered in a major shift in the IT landscape. Organizations that once were on-prem and in-office were now forced to work from home and the industry saw a major shift to the cloud. Shifting to the cloud offers flexibility, scalability, and the ability to access files and systems anywhere at any time. On the flip side, it opens Pandora’s box when it comes to privacy and Zero Trust. Jim Reavis, co-founder and CEO of the Cloud Security Alliance (CSA) and a noted leader within the cloud computing community, sheds light on how to solve for these complexities in this week’s Reimagining Cyber episode, “Solving the cloud security puzzle.”
Multi-cloud Leading the Charge
According to one Infosecurity article, 2020 saw multi-cloud adoption growth of 70% year-over-year (thanks to the pandemic and the mass exodus to working from home). The challenge is the hybrid landscape is varied and complex, with a mix of approaches for capabilities all within the same organization (on-prem, cloud, or multi-cloud). Some companies have homegrown tools built in the cloud, others have shifted to SaaS products, essentially “shrink-wrapped software,” Reavis explains.
“A big challenge is how do we harmonize our security framework and our security controls and make that consistent across all these varied areas” he says.
The bigger the organization, the more complex the infrastructure, and there is more of a need for multiple cloud-delivered solutions, which only adds additional complexities. Couple this with the rapid speed of change, keeping up with compliance, and lack of security professionals in the workforce, and things are…complicated.
Shared responsibilities between Cloud Service Provider and Cloud Service Consumers
We can’t forget that there are shared responsibilities between the Cloud Service Provider (CSP) and consumer of the cloud services. Consumers tend to think that the responsibility lies with the CSP, however, by both taking onus that securing data is a shared responsibility, things tend to run smoother. Reavis suggests leaning on NISTs framework and layered approach, which he likens to peeling an onion.
“You think of the SaaS software as a service, the whole business application that exists as layers on top of the platform as a service, which exists as layers on top of infrastructure as a service. And it's a bunch of APIs. And it can be, it can be several companies providing different services and APIs that deliver that full business application,” Reavis says.
By working together, everybody wins, and the end goal (like securing data, for example) is achieved.
Threats in the Cloud
With more and more breaches happening daily, the cloud is no stranger to threat actors. Reavis sites various reasons for increased breaches including:
- Hygiene issues like lack of identity management – you need to product admin root accounts in the cloud, as they tend to have access to more resources
- Lack of automation/continuous deployment
“A lot of what we fear is the sort of deep penetrations into the infrastructure providers and moving laterally in cloud hopping,” he says. “We're trying to stay very vigilant and continue to do research in those areas.”
Zero Trust in the Cloud
Reavis’s passion for Zero Trust shines in this interview. CSA even recently launched a Zero Trust Advancement Center in March. Some organizations felt that they had secure environments for their workforce, but then the pandemic hit. This resulted in a rapid exodus to remote work from much less secure home environments, which changed the dynamic and put organizations at risk.
“You have to go back and look at this, this system that you are trying to secure and look at those components and understand how you can create a strategy and an architecture that gives you enough built-in trust that you have confidence that these systems work,” he suggests.
Reavis says that CSA's viewpoint on Zero Trust is that it’s more of a philosophy that you cannot implicitly trust anything. Therefore, you need to assess the system that you are trying to secure and look at the associated components and understand how you can create a strategy and an architecture that gives you enough built-in trust that you have confidence that these systems work. He believes that Zero Trust is going to be the model everything will need to move to, but it will take time
By sharing the onus of the responsibility of cloud storage and protection of data and working together towards one common goal, organizations can drive their business objectives and achieve success.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.