CISOs are still hampered by bad assumptions and outdated approaches. They should be involved in decisions from day 1 to address unique business needs.
As businesses increasingly migrate to the cloud, chief information security officers (CISOs) face numerous critical challenges in ensuring robust cloud security. Don’t believe me? Experts said as much at the recent Gartner Security & Risk Management Summit. Gartner projects a 24% increase in spending on cloud security, making it the fastest-growing segment within the global security and risk management market.
Adapt, adjust, execute
The bottom line is that shifting to cloud computing requires fundamentally rethinking security. Organizations strive to fold the cloud into standard business operations; however, this transition has more pitfalls than most CISOs appreciate. I’ve seen this in my research and in 20 years of consulting, before the cloud and since.
Issues that have been present in traditional IT environments persist in the cloud, such as governance, misconfiguration, insecure supply chains and pipelines, data loss or exfiltration, and failures in secrets and key management. The cloud introduces unique risks, including limited visibility, dynamic attack surfaces, identity proliferation, and misunderstandings around shared responsibility, compliance, regulation, and sovereignty. And this is just the tip of the iceberg.
Most CISOs tell me they have yet to understand exactly what should change. Many feel misled by their cloud provider about the work required to secure their own deployments. I’ve written plenty of warnings about exactly this, but it’s never a good idea to say “I told you so” to someone struggling, so we need to figure out how to do better.
The shared responsibility model
Many CISOs and security teams still need clarification about the shared responsibility model used by major public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. This model delineates what the provider secures and what the customer secures: in AWS’s phrasing, the provider is responsible for security “of” the cloud (facilities, hardware, hypervisors, the internals of managed services) and the customer for security “in” the cloud (data, identities and access, network and service configuration, and everything deployed on top). It has been on the first slide of nearly every cloud security presentation since 2008.
Challenges often arise from assumptions related to technology and the extent of the cloud providers’ security obligations. Compliance, visibility of sensitive data, business continuity, and confusing service-level agreements (SLAs) become problems CISOs did not see coming. As one CISO friend of mine said after 12 years of dealing with cloud security: “It was never about ‘shared responsibility,’ it was always all my responsibility, period.”
CISOs often encounter several key pitfalls in managing cloud security:
- Business lines have inadequately addressed security needs.
- The cloud is more complex than initially understood.
- Cloud strategy, architecture, or transformation initiatives often proceed without input from the CISO, who is then expected to make it all secure.
- Failing to collaborate with CIOs to integrate security into platform engineering and devops, so that outdated security processes bottleneck development pipelines.
- Old security patterns are applied to new technologies.
No substitute for hard (boring) work
I recommend several strategies for navigating these challenges. Automated tooling to monitor and enforce the security posture of cloud environments is essential; automation is your friend. Establishing robust cloud security governance also helps prioritize alerts and secure service edges. Running around in circles for every anomaly doesn’t scale, and a team that has learned to ignore its own alerts (“the boy who cried wolf”) will eventually miss the one that is a breach.
Consolidating security tooling and working toward immutability (infrastructure that is replaced from a known-good definition rather than patched in place) are also essential practices. Reskilling and upskilling the security workforce is just as critical to keeping up with the evolving cloud security landscape. Misconfigurations, not exotic exploits, are the primary cause of cloud breaches, and most of them trace back to a lack of training rather than a lack of technology. CISOs understand they can have the best cloud security technology available, but they can’t fix stupid.
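As an added example, not from the article or from Gartner, here is what “automation is your friend” and “prioritize alerts” look like in practice: a small policy-as-code check that runs a handful of misconfiguration rules over a cloud resource inventory and ranks the findings so the team works the worst one first. The resource schema, the inventory, the rules, the severity levels and the 90-day stale-key threshold are all hypothetical choices made for this example; a real run would pull the inventory from the provider’s APIs and carry far more rules.

```python
"""Automated misconfiguration checks over a constructed cloud inventory.

Everything here is hypothetical: the resource schema, the sample inventory
and the rules are built for this example and are not taken from any real
account or scanner. The point is the shape of the automation: encode each
"known bad" as a rule, run every rule over every resource, and rank what
comes back so the CRITICAL item is handled before the noise.
"""
from dataclasses import dataclass

# Lower number = handled first. Ranking is what keeps alert noise from
# burying the one finding that actually matters.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}
STALE_KEY_DAYS = 90  # assumed threshold for an unused credential


@dataclass(frozen=True)
class Finding:
    severity: str
    resource: str
    message: str


def check_bucket(res):
    """Public ACL, missing public-access block, or no encryption on a bucket."""
    out = []
    if res.get("acl") in {"public-read", "public-read-write"}:
        out.append(Finding("HIGH", res["name"], "bucket ACL grants anonymous access"))
    elif not res.get("block_public_access", False):
        out.append(Finding("MEDIUM", res["name"], "public-access block not enabled"))
    if not res.get("encrypted", False):
        out.append(Finding("MEDIUM", res["name"], "no encryption at rest"))
    return out


def check_security_group(res):
    """Ingress from the whole internet; admin ports rank above web ports."""
    out = []
    for rule in res.get("ingress", []):
        if rule["cidr"] in WORLD:
            sev = "HIGH" if rule["port"] in ADMIN_PORTS else "LOW"
            out.append(Finding(sev, res["name"], f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_iam_policy(res):
    """Allow * on * is an admin policy, whatever it is named."""
    out = []
    for stmt in res.get("statements", []):
        actions = stmt["action"] if isinstance(stmt["action"], list) else [stmt["action"]]
        resources = stmt["resource"] if isinstance(stmt["resource"], list) else [stmt["resource"]]
        if stmt["effect"] == "Allow" and "*" in actions and "*" in resources:
            out.append(Finding("CRITICAL", res["name"], "allows every action on every resource"))
    return out


def check_access_key(res):
    """Identity proliferation: credentials nobody has used in months still work."""
    if res.get("last_used_days", 0) > STALE_KEY_DAYS:
        return [Finding("MEDIUM", res["name"], f"access key unused for {res['last_used_days']} days")]
    return []


RULES = {
    "bucket": check_bucket,
    "security_group": check_security_group,
    "iam_policy": check_iam_policy,
    "access_key": check_access_key,
}


def evaluate(inventory):
    """Run every rule over every resource; return findings worst-first."""
    findings = []
    for res in inventory:
        rule = RULES.get(res["type"])
        if rule:
            findings.extend(rule(res))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.resource))


def summarize(findings):
    """Count findings per severity, e.g. for a dashboard or a ticket SLA."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory for the example; not exported from any real account.
SAMPLE_INVENTORY = [
    {"type": "bucket", "name": "customer-exports", "acl": "public-read",
     "block_public_access": False, "encrypted": True},
    {"type": "bucket", "name": "app-logs", "acl": "private",
     "block_public_access": True, "encrypted": False},
    {"type": "security_group", "name": "bastion-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}, {"cidr": "10.0.0.0/8", "port": 22}]},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"type": "iam_policy", "name": "legacy-admin",
     "statements": [{"effect": "Allow", "action": "*", "resource": "*"}]},
    {"type": "iam_policy", "name": "log-reader",
     "statements": [{"effect": "Allow", "action": ["s3:GetObject"],
                     "resource": "arn:aws:s3:::app-logs/*"}]},
    {"type": "access_key", "name": "svc-deploy-key-1", "last_used_days": 140},
    {"type": "access_key", "name": "svc-deploy-key-2", "last_used_days": 3},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.severity:<8} {f.resource:<18} {f.message}")
    print(summarize(evaluate(SAMPLE_INVENTORY)))
```

Run against the sample inventory, the wildcard IAM policy comes out on top, the internet-facing SSH rule and the public bucket next, and the HTTPS rule on the web tier lands at the bottom where it belongs. The design point is that the rules are plain functions keyed by resource type, so adding a check is a code review, not a console click, and the ranking is explicit data rather than an analyst’s gut feel at 2 a.m.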
Of course, specific issues have to be addressed for your unique needs. CISOs often adopt good ideas from analysts and consulting firms that are the wrong fit for their organization. Cloud security is never a “one size fits all” solution, and it has to be built into every system from the start, not bolted on as the last step of deployment. Enterprises often get into trouble because security is loosely coupled to the systems it is supposed to protect and is therefore ineffective.
I wish I had a magic formula to give CISOs looking for better cloud security, but it’s about doing things smartly and purposefully to win the game. People hate to hear that—it means more boring planning and research. But there is no substitute.