DivvyCloud Exec on Why Cloud Misconfigurations Are Bigger Security Threats

essidsolutions

“Cloud misconfigurations cost companies nearly $5 trillion in the last two years alone. Shifting cloud security left will enable developers to be more productive and work together with the security team, resulting in even better cloud security at scale.”

Organizations are losing the cloud security battle to cloud misconfigurations. In 2018 and 2019 alone, nearly 33.4 billion records were exposed due to cloud misconfigurations, per DivvyCloud. Amid the pandemic-fuelled crisis, cloud-related attacks and breaches have risen exponentially, and security teams are hard at work fending off malware, ransomware and network-borne attacks.

Despite the growing concerns, no one seems to be answering the real question: how to make the cloud more secure? Toolbox catches up with Chris Hertz, VP Cloud Security Sales at DivvyCloud by Rapid7, who reveals why automation is the key capability to keep pace with evolving cloud environments. Hertz, a well-known industry veteran, says that as businesses become increasingly cloud-native and mobile, they need to address issues centered around access in the cloud.

In cloud environments, everything has an identity: users, applications, services, and systems. Even though this provides enormous flexibility, it also creates an opportunity for substantial risk, as every service is potentially reachable by every other user. Hertz advises that organizations need to protect the identity perimeter at scale with automated monitoring and remediation around access management, identity authentication and compliance auditing. Read on to find out how to manage cloud security risks.

Key takeaways from this interview:  

  • The top three must-have offerings of an ideal cloud security solution
  • Why cloud misconfigurations continue to cause massive breaches and how to avoid them
  • How machine learning is set to play an enabling role in cloud security as automation matures
  • Why automation should become a crucial component of cloud security solutions to reduce risks

Here’s the edited transcript of the interview with Chris Hertz: 

1. What are the challenges in cloud security today and how does cloud open new threat vectors?

In today’s landscape, the challenges in cloud security stem from a growing security achievement gap. This is caused by the rate of change and the growing amount of information within the cloud, the accelerated cloud adoption rate, and the sudden digital disruption caused by remote work policies amid COVID-19.

The rate of change coupled with the dynamic nature of software-defined infrastructure has outstripped human capacity. Organizations can have dozens or hundreds of engineers and developers provisioning and configuring cloud and container services, and what’s more, everything in the cloud has an identity. 

For example, for AWS, there are five complicated layers of Identity and Access Management (IAM) that must be understood in order to process logic of how items are accessed and to securely manage the complexity of identity in the cloud. Approaches and strategies from the datacenter world don’t transfer to the cloud, and companies need to rapidly invest in the process and in supporting tools (including automation) to stay ahead in this complex landscape.

Additionally, as organizations accelerate their migration and adoption of cloud services, they are faced with the challenge of securely deploying cloud and container environments. The race to innovate and maintain a competitive edge should not compromise an organization’s priority on security. Security and DevOps teams must work together to understand and effectively manage the governance, risk, and security of their cloud and container environments before deployment so that all security issues are proactively remediated and don’t result in costly damages.

Furthermore, due to the surge in the remote workforce, companies have increasingly adopted the public cloud and new digital collaboration tools to support off-site business continuity. A MarketsandMarkets analysis found that due to the global impact of the crisis, the cloud market is expected to grow from $233 billion in 2019 to $295 billion by 2021.

All of the above factors have presented challenges for security teams in terms of gaining visibility of cloud security posture, accurately assessing risk, prioritizing top risk items, and remediating issues. 

It’s important to note that threat vectors are always changing. What is constant is the criticality of managing risk and reducing risk in the cloud. When risk is reduced, the number of threat vectors reduces as well. Additionally, risk reduction results in a smaller blast radius, diminishing the repercussions of a potential breach.

2. How can CIOs better manage cloud security risk in 2020 and beyond? What changes are afoot in cloud security post-crisis?

Access to infrastructure has been democratized via self-service access to cloud services.  CIOs can better manage cloud security risk by engaging everybody who is a participant in creating or managing cloud services.  

With self-service access to cloud resources, developers, analysts and engineers are now empowered to provision and configure cloud infrastructure, which in itself drives the benefits of flexibility and agility. Yet, not only is access pivotal but so is participation – especially when it comes to cloud security. 

Unfortunately, CIOs have historically been gapped from participating in the cloud provisioning process. 

Shifting cloud security left changes this dynamic completely. Organizations can make this shift by integrating cloud security into the CI/CD process and evaluating Infrastructure as Code (IaC) templates before a build for the same security and compliance issues that the CIOs now evaluate at runtime. This shift left democratizes cloud security and enables developers to be more productive (and really helps stop making security a four-letter word to developers).

Security teams need to be able to prevent security risks in the right place and at the right time, and developers and engineers must be empowered to participate in cloud security. Empowering developers means they are more likely to participate in strengthening security and in reducing risk, and this becomes a virtuous cycle through which even better cloud security.

Evaluating risk of security and compliance issues before runtime, and providing feedback loops during the provisioning process to everyone involved, is pivotal in better managing cloud security risk.

3. The toolkit for cloud security is expanding; there’s CASB, IAM, CSPM and CWPP. What are the must-haves in an ideal cloud security solution?

The top three must-have offerings of an ideal cloud security solution are adaptability, automation, and remediation.

Given how configurable the cloud is, every company is working in the cloud differently and using the cloud to solve for different problems. Thus, cloud security software should not be brittle or prescriptive and instead offer adaptability. Tooling that is adaptable enables and amplifies a company’s ability to support the diverse and unique needs of its cloud environment. 

Secondly, automation is a crucial component of cloud security solutions. The rate of change in the cloud is rapid, and security professionals need to be able to automate the protective and reactive controls necessary to innovate at the speed enabled by cloud environments. By automating day-to-day tasks and automating the orchestration of all cloud operations, small teams can achieve both security and speed at scale with a single unified approach to cloud security.

Furthermore, automated remediation can perform actions such as reconfiguring cloud services, making changes to cloud infrastructure, driving human-centered workflows with integration into systems, and orchestrating workflow actions in other systems. Automated remediation allows security teams to concentrate on issues that require special attention while ensuring routine issues are resolved and reconfigured efficiently.

4. Can you list best practices for ITDMs shopping for cloud security solutions and what are the essential components it should have? 

First and foremost, when an IT decision maker is shopping for a cloud security solution, they should actively avoid Requests for Proposals (RFPs). Instead, IT leaders should be agile in creating a short list of the solutions, investing in the best proof of concept (POC) from that list. The focus should be on using the time and energy of the buyer and the vendor to really dive deeply into the solution, capabilities, onboarding, support, customer focus, etc.  

From there, ITDMs should be confident that a certain product can deliver the correct outcomes and the best experiences. The main concern of ITDMs should not be on the technical merits alone, but on if the product is agile enough to support desired outcomes. Additionally, there is a lot of value in having a great customer experience, and vendors must provide exceptional product support. 

Lastly, cloud security solutions must have a component of adaptability. The cloud is ever-changing and solutions must be able to quickly adapt to serve their customers and solve for issues instantly. For example, ITDMs should seek out solutions that provide a comprehensive bidirectional API and support customization.

5. Can you share learnings from the pandemic and how ITDMs should put additional guardrails to secure cloud infrastructure today and beyond?

Unfortunately, the global pandemic exposed many cloud security gaps. Not only has COVID-19 accelerated the shift to remote workforces, but it has also accelerated the digital transformation of many companies, including the adoption of cloud. 

To secure cloud infrastructure today and beyond, IT decision makers must put additional guardrails around publicly exposed assets within the cloud, identifying excessive permissions and strengthening governance of IAM. This is pivotal due to the complex nature of relationships in the cloud, since everything has an identity.

Also, with security and DevOps teams dispersed and disconnected, stress levels are bound to increase, which in turn exacerbates missteps and mistakes. Companies must empower developers and engineers to proactively incorporate security and compliance into the CI/CD pipeline before cloud resources are built and deployed.

This ensures that cloud misconfigurations, risks, and compliance violations are proactively identified and fixed before provision. This is incredibly critical, given that cloud misconfigurations cost companies nearly $5 trillion in the last two years alone. What’s more, shifting cloud security left also enables developers to be more productive and work together with the security team, resulting in even better cloud security at scale.

Lastly, as more companies adopt cloud, the need for security-based automation will become even more imperative to reduce risk. IT and business decision makers must adopt automation to ensure continuous security, compliance and governance of a company’s cloud system.

6. Your advice on preventing data breaches on the scale of CapitalOne.

Misconfiguring a cloud database, storage asset, or search engine can have massive consequences, especially if they contain company-proprietary data. Capital One’s misconfigured firewall allowed a former employee of AWS to obtain privilege escalation, which allowed access to one of their S3 buckets, and subsequent exposure of over 100 million users’ data. Unfortunately, cloud misconfigurations continue to cause massive breaches. In 2018 and 2019 alone, nearly 33.4 billion records were exposed due to cloud misconfigurations.

Organizations such as CapitalOne must implement automation to prevent, detect and remediate cloud errors to avoid a data breach. This is especially relevant in today’s landscape, as more and more companies are adopting public cloud for its speed and agility to support business continuity.

As companies transition to cloud providers such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP), they must consider a shift towards a new model of security that is centered around continuous and automatic control and enforcement of secure configuration of cloud services. This cannot be a one-time event — secure cloud configuration is a dynamic and continuous process. Configuration must be monitored and enforced constantly, given the rapidly changing cloud environment. 

7. How do you see the cyber threat detection and remediation space advancing over the next few years?

The cyber threat detection and remediation space will advance its use of automation, and more and more customers will begin to effectively implement and utilize the power of automation to secure the cloud.

Automation is the next frontier, and companies must embrace it and adopt it as an effective tool for ensuring system security. It’s also important to keep in mind that adopting automated remediation in the cloud is not an all-or-nothing undertaking. It can be done in an incremental manner by introducing more powerful remediation automation over time and ensuring that all members of a company’s IT staff are committed and educated on using remediation automation. 

Over the next few years, we expect to see more and more companies get remediation automation right. 

8. There’s so much buzz about automation in security. Will there be ML-led advancements in this field and what are the end benefits for security teams?

Machine learning (ML) and artificial intelligence (AI) both have great benefits when it comes to guiding automation. Yet, unfortunately, ML and AI continue to create a lot of buzz, which can result in companies missing out on the impact and benefit that automation available today can provide.

It is also critical to consider the relationship between automation and AI. AI is a result of a machine making decisions to then drive automation. Automation delivers consistent processes at scale.

ML’s and AI’s role in cloud security and in enabling SecOps teams to reduce risk, will continue to grow as automation matures. Reaping the end benefits of ML-led advancements all depends on the company’s maturity with using automation.

For example, companies that are just starting out with automated remediation respond to problems by sending notifications and then leaving physical remediation actions in the hands of a developer. For companies that are further along with automated remediation and are more trusting of the technology, they will impose more stringent remediation behavior in response to a policy violation.

All in all, it all comes down to the scope and maturity of the company, and if they already have specific use cases around automation and/or AI.

9. Rapid7 recently acquired DivvyCloud. Can you tell how DivvyCloud fits in with Rapid7’s portfolio?

Rapid7 has a strong international presence with thousands of customers across the globe, and these trusting relationships with customers provide a great opportunity for DivvyCloud to expand and penetrate new markets.

Before the acquisition by Rapid7, DivvyCloud was mainly focused on the North American market. Now, DivvyCloud can expand worldwide and provide Rapid7’s broad set of loyal customers with a unified data model that understands the security risks related to cloud infrastructure, systems, identity, containers, application security, and behavioral analytics.

Given the nature of Rapid7’s pre-existing relationships, DivvyCloud is now empowered to build in new ways and more quickly. We are excited to provide our customers with the most complete, best-in-class cloud security platform and drive even greater innovation in cloud security. 

About Chris Hertz: Chris is the VP of Cloud Security Sales at DivvyCloud by Rapid7 where he combines his technical background and cloud technology expertise with his love of sales, marketing and customer success. Chris leads a team of solution architects, and customer success, marketing and sales professionals who partner with customers to deeply understand their challenges and provide the education, insights and solutions they need to accelerate innovation using cloud and container services without loss of control.

Chris holds a Master of Business Administration from the MIT Sloan School of Management, a Bachelor of Science with a double major in Information Management and Technology and Anthropology from Syracuse University, and sixteen technical certifications. He is an acclaimed international speaker on technology topics including cloud adoption. Previously, Chris served as a member of the Microsoft Office 365 Partner Advisory Council, Microsoft United States Partner Executive Board, and Microsoft Worldwide Systems Integrator Partner Executive Board.

About DivvyCloud: DivvyCloud protects your cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges. With automated, real-time remediation DivvyCloud customers achieve continuous security and compliance, and can fully realize the benefits of cloud and container technology. Freedom is good. Chaos is bad. DivvyCloud supports AWS, Microsoft Azure, Google Cloud Platform, Alibaba Cloud, and Kubernetes.

About Tech Talk: Tech Talk is a Toolbox Interview Series with notable CTOs and senior executives from around the world. Join us to share your insights and research on where technology and data are heading in the future. This interview series focuses on integrated solutions, research and best practices in the day-to-day work of the tech world.
