Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.
As cloud adoption grows, organizations’ cloud strategy must go hand-in-hand with a security strategy. Anna Van Wassenaer, Cloud Business Development Leader, Europe, for IBM Security Services, and Abhijit Chakravorty, Partner & Cloud Security Competency Leader for IBM Security, join the Security Intelligence Podcast to discuss why it’s important to develop a cloud security strategy and how to get started.
Listen to the episode: Developing a Cloud Security Strategy
Staying Apprised of the Threat Landscape
As organizations refine their cloud strategy, so do threat actors. “Leveraging cloud platforms for use as malicious infrastructure is often a favorite ploy of sophisticated threat actors, enabling them to ramp up operations with a single compromise,” according to the IBM Security Cloud Threat Landscape Report 2020.
Chakravorty explains that with more and more workloads on cloud, threat actors are turning to ransomware, cryptomining and data theft. Developing a cloud security strategy can help organizations clarify their security and compliance posture, and continually refining that strategy can help them stay up to date on emerging threats. Having a strategy in place can also help prevent overspending or misspending on cloud security controls.
“Of course you can’t protect what you don’t know, what you don’t have visibility into, so it’s pertinent that you need a security strategy in place,” Chakravorty says. “And then you’re revisiting it on an ongoing basis so that you are up to speed with what are the top threats today.”
Aligning Stakeholders and Getting Started
How do you align stakeholders for a productive conversation about cloud security strategy? Often, the CISO and the CIO think they’re aligned on cloud security posture, when in fact the reality is much different. CIOs tend to be more optimistic while CISOs, who have a view into risk and threats, tend to be more realistic.
Then add developers to the mix. Unlike the CIO and CISO, whose primary interest is proving their company is safe and secure, a developer is looking for visibility. “They want to have tools to not have to reinvent the wheel each time, but to scale the product of their work more easily,” Van Wassenaer explains.
So what’s the first step to bring all these key players together to develop a cloud security strategy? Begin with an assessment. “Start with understanding what your current state is across on prem, across private clouds and across public clouds,” Chakravorty advises, “so the real world of hybrid cloud.”
Listen to the full conversation here or check out the episode transcript below.
Pam: So for this episode, get your ears on the pod and your head in the clouds.
David: We’re revisiting cloud security.
Pam: This is the Security Intelligence Podcast, where we discuss cybersecurity industry analysis, tips and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: Let’s jump right into David’s conversation with our cloud security experts, Anna and Abhijit.
Anna: I’m Anna van Wassenaer and I am the cloud security business development executive for Europe.
Abhijit: And I am Abhijit Chakravorty and I lead our cloud security competency in IBM Security globally and at a European level.
David: And we’re here today to talk about developing cloud security strategy. So to start off, I want to ask what does a lack of a cloud security strategy mean today?
Anna: Well, I mean you can start by saying that most companies are going into the cloud and as they’re going to the cloud, they have to develop a security strategy. I think and we think that every cloud conversation should be also a security conversation, because if done well, you also increase your security footprint.
As advice to companies, they should do this early on and not afterwards as a sort of by-thought of, “How about security?” Because I mean you can’t really trust just the security that is provided by the public cloud provider. It is mostly very well thought of, but in most instances you haven’t thought of everything. One thing is that even in a SaaS model you are responsible for the data that you put into the cloud and also for all the process that you provide around it in your company. So you can’t just lean back and think, “I put everything in the cloud and it will be secure.”
David: Sure, so you’re talking about that shared security model that goes on between your provider and yourself. And would you say that that’s one of the things that’s driving urgency and developing those cloud security strategies?
Anna: That is one of the reasons, and definitely that’s the sort of fundamental reason. But another reason is that mostly companies don’t just have one cloud, and they also don’t have everything in the cloud, and definitely not all at once, so they’re moving there on a journey to cloud. And on that journey there are all kinds of threats lurking, and they have to guard for that, because you have one body of information and you’re responsible to your clients for this information. And part of that is on premise. Part is in the cloud where you might have another cloud where this data is also shared. And you might also have all kinds of applications that people have installed, so you know you need a central visibility for really making the cloud environment secure.
David: So as you’re thinking about the CISO, they’ve got this hybrid multicloud world that you’ve just described. And can you talk about the top threats that they’re worried about right now?
Abhijit: It’s a fantastic time to be asking this question, David, because we in IBM Security have just published a Cloud Threat Landscape 2020 report. So you can certainly, you know, search it on your favorite search browser and download that. And what we found is it’s primarily three top threats that are impacting our clients and organizations across the globe who have been adopting one or more public clouds. Number one is data theft. Number two is cryptomining, so this essentially is injecting certain software onto workloads that run on public or other such clouds, and this software then mines for cryptocurrency at the expense of the client who’s consuming cloud services. So that’s cryptomining. And number three is ransomware. Ransomware and cryptomining and data theft. All three of them have been around for a while, but what we’re seeing is with the advent of more and more workloads on cloud, these are being exploited to a much larger degree for workloads that are running on cloud.
David: Right, so you’re talking about data theft, and that’s where a criminal has an opportunity to take that data and sell it on the black market. Cryptomining, where they’re essentially stealing electricity and having the cloud customer pay for that. And also they get Bitcoin out of it, or a cryptocurrency. And then that last one, ransomware, which is seeming like it’s on the rise this year, so that’s an opportunity for the ransom to be paid. And I know that I’ve seen some reports that are talking about ransomware and destructive ransomware becoming more and more common. So as you think about that, how are companies developing their strategies and maturing their cloud strategies against these types of threats?
Abhijit: Look, of course you know we talked about the challenges of a lack of cloud security strategy, and while security strategy is very relevant, what a lack of strategy means is the security or the risk or the compliance functions in an organization are in the dark about the organization’s security and compliance posture. Of course you can’t protect what you don’t know, what you don’t have visibility into, so it’s pertinent that you need a security strategy in place. And then you’re revisiting it on an ongoing basis so that you are up to speed with what are the top threats today. We talked about the three, and what could potentially be the top threats in cloud tomorrow?
Yet another interesting dimension of having a cloud security strategy in place, and this oftentimes is counterintuitive, is that strategy is there to protect you from potentially overspending or misspending on your cloud security controls. So in the absence of a cloud sec strategy, clients could potentially be inefficiently spending both labor hours and deploying technologies and tooling and software to be securing workloads and data and applications on cloud. With a proper strategy in place, one of the outcomes is a rationalization of processes, resulting in more optimal labor spend, and a rationalization of the tooling that results in cloud security controls. So these are two very different and yet contributing aspects of putting a cloud security strategy in place.
David: For sure, it makes me think about when I’ve gone — you know, when I used to go out of the house — and rented a car and I’d be given the opportunity to grab extra insurance. In fact, I was already covered and I would be overspending if I went ahead and took that opportunity. And so what you’re saying is that that type of thing where if you don’t have full visibility into all the different clouds, all the different environments that are part of your overall cloud estate, you can get to the point where you’ve over invested in security, but not necessarily done a good job of reducing risk.
Abhijit: Absolutely, and that’s a great analogy, and we all know how the rental agencies are extremely keen and cooperative at having you buy additional insurance. So with a strategy, you step back and think, too: Is this really relevant? Will it protect me for today’s workloads as well as tomorrow’s? Do I really need a third-party technology? Could I really leverage technology that’s hybrid, cross-multicloud, etc.? If you step back and think and have answers to those questions, that’s where we end up with a rationalized set of effective controls.
David: So Anna, there’s a lot of information and maybe even some fear out there. I was wondering if you can highlight some of the top myths you hear about cloud security.
Anna: Yes, thanks very much, David. That is a really good question because these myths are actually the major hurdles for implementing more cloud security and also actually hurdles for going to the cloud, which is much more important because I mean cloud gives efficiency and scale and all kinds of advantages if it is secured. So there are three great myths that we still hear again and again from clients.
The first myth is that cloud is less secure than on premise, and that is only true if it’s not done well. So actually, if the cloud strategy is aligned with the security strategy right from the beginning, the effect is very likely to be much better than before. Because, look at it like this. In the cloud you have a central visibility, and you have much more speed of reaction and of spotting weaknesses. We have a central overview, but it really depends that security is aligned with cloud.
In our recent IBV (Institute for Business Value) study, we actually asked clients that are innovators against those that are maybe more conservative, “Do you think that security improves if you go to the cloud?” And it was the innovative companies that have aligned security to the cloud strategy that have confirmed with great majority that the security posture is better in the cloud than outside. And it really depends how much you go for this. You shouldn’t wait around until a breach has happened.
Another myth is that cloud is complex and costly. It can be even more efficient, but also it has to be tackled well. In the same study, more than half of the companies saw complexity as a challenge to security. So that means that they didn’t have the overview and it was too complex and not aligned. Therefore, their security posture decreased. But innovative companies, they were running their clouds with more security and they were much more effective afterwards. So actually you have less complexity if you’ve done it well, and you can also act more efficiently.
David: I love it. So what you’re saying is that the myths are that you know, cloud security is more complex, more costly, and the reality is, if you do that, cloud security or the implementation poorly, that might be true. But there are some innovative companies out there that actually have a stronger overall security posture because they’ve adopted a cloud security strategy along with either their full security strategy or in line with their business transformation strategy.
Anna: Yeah, that is right.
David: Yeah, well that has to be some good news to the companies that are looking at the advantages of cloud. So I would be interested: who’s at the helm driving these cloud security strategies?
Anna: Often the CISO struggles to get budget for security operations because the CIO tends to be much more optimistic. And again in this IBV study we looked at the alignment between CISO and CIO. And whereas both thought that they are very aligned — 90% of both of them thought that they are really aligned with each other — the CIO was much more optimistic about the cloud security posture and cloud security situation than the CISO. They differed by 20% in their perception of security. So CIO, more optimistic; CISO, more realistic, because they saw what threats there were.
And this is the interesting structure in which we operate when we advise companies on their security strategy, because we have to take each of these points of view. The usage point of view of the developers: Can you actually work with it, and does it help them actually do their work? Or do we have to help the CISO provide arguments for the CIO? So often in cloud security strategy, this is actually what we have to do. We align these three stakeholders to bring them to a situation where the CIO is willing to give budget, in accord with a security strategy that is then implementable by the developers.
David: Is cloud adoption keeping pace with business agility?
Anna: Actually, the adoption is part of budget and business agility. The developers usually work in an agile way, and if they work in a DevOps way, they want to include the security aspect. And so that is how it keeps pace, that it is integrated into the development process.
David: So I want to go back to the CISO for just a second and maybe you can articulate the top threats that they’re worried about in this hybrid multicloud world. With that optimistic CISO and maybe the CIO that wants to hold on to some of the budget for other things and developers that are really driving the adoption of new cloud uses for that business agility. It seems complex, and I wonder what do they care about?
Anna: Yeah, what do they care about? Well, the CIO and the CISO of course, they care for regulatory considerations and obligations. They have to prove that their company is safe and secure.
So this is part of their business transformation: they have to show this, and they have to be able to show this at any stage. Whereas the developers are in a different situation. They want to be aided, and they want to have tools to make this more simple. They want to have visibility. They want to have tools to not have to reinvent the wheel each time, but to scale the product of their work more easily.
David: I know that getting visibility into the hybrid multicloud environment is a common challenge. Can you talk about the methods that are out there for shaping better risk and compliance controls?
Abhijit: You are spot on there. In fact, earlier this year there was a fairly major breach where 250 million records were exposed and could potentially have been siphoned off from one of the large cloud service providers out there. And a root cause analysis that the cloud service provider themselves performed, commendably fairly rapidly, found that this was actually a copy of their customer support records that were hived off to another area of the cloud where analytics platforms were running. And while their core customer support record set was secure with the right set of security controls and visibility into it, the copy of these analytics records did not have the same level of security, and the malicious actors actually chose the path of least resistance when they were looking at exploiting.
So visibility is key: understanding and knowing where your data is flowing, who is accessing such data and how this data is being processed is the first step towards having a secure cloud posture. And there are a few technologies, backed by processes, that enable that. A lot of the cloud service providers are doing some great work on making it easier for cloud consumers to configure security, visibility, access control and other compliance postures themselves. There are a few industry-leading cloud security posture management, or CSPM as the industry abbreviates it, vendors who do the same but do it across clouds. So you would have one visibility and security policy being applied across multiple cloud service providers. The right implementation of such technologies, backed by processes that ensure that any change to a particular workload, any change to how those workloads are consumed, is fed back and configured correctly into those policies, is key to ensuring a continuous, compliant and visible security posture.
David: So we talked about visibility. I’m curious what are some of the other common challenges you’ve seen for organizations building a cloud security strategy?
Abhijit: If we were to talk about how a client can address their security strategy, the first step would be start with an assessment. Start with understanding what your current state is across on prem, across private clouds and across public clouds, so the real world of hybrid cloud. And we talked about this before. You cannot protect what you cannot see, what you cannot monitor. And a hybrid cloud security posture assessment is the first step towards getting to that wider cloud security strategy. We then would recommend following up on this once you have assessed your current estate. Have a method-driven approach to defining your forward-looking cloud security strategy. It would be tactical to begin with, but should also have a strategic long-term outlook.
And we can help. We help our clients day in and day out do exactly that. Our method is based on industry frameworks such as NIST SP 800-53 and the Cloud Security Alliance and a whole host of ISO frameworks that enable framing such a strategy.
When we look at such a strategy, we effectively break it down into eight domains, and it’s going to be a mouthful, but I’ll quickly go through those eight. So we look at, of course, what cloud security governance and an operating model should look like. That should be supported by metrics and reporting so that the CISO, so the compliance organization, is able to report back to their leadership: How are security metrics functioning? Cloud security, just like cloud adoption, relies heavily on culture and change of culture to look at DevSecOps, to look at agility, to look at everything as a whole.
Then there are the five domains of information security that apply equally to cloud. So securing your data, securing the application set that runs on hybrid cloud, having a security operations center that’s not just siloed for on prem and separately siloed for cloud but in fact a hybrid security operations center is key to a cloud sec strategy. Understanding how identity and access management would work in the hybrid world, where not just your employees and contractors have access to workloads, but so do your consumers for enterprise applications. And then finally, looking at workload segmentation and security of your network and your servers and workloads and endpoints frames a key part of such an enterprise security strategy.
David: So if you could offer organizations advice on one place to start with developing cloud security strategy, what would you recommend as step one?
Anna: Well, I think coming back to Abhijit’s advice just now: you should start with an assessment, but you should not end there. And that’s really important because many companies are looking at it. But like if you go to a doctor who tells you, you better stop smoking or stop eating all these sweets, if you don’t then implement this advice, you will not see an improvement in your health.
So actually you should have an ambition there because I mean, I’m convinced of that and also see this in the press and publications. Analysts are picking up on companies’ cloud posture. They’re picking up on companies’ journey to cloud and how they’re doing this. Are they going to the cloud and what kind of consequences are they associating with that? So I’m sure that you can realize value increase of your company if you do this well.
And one thing that could be in your ambition, then, is to not just look at the security check, but look at the augmentation. Look at artificial intelligence to find threats before they actually occur, to avoid threatening situations and also be preemptive in them so that you would guard against them happening in the future.
David: Pam, I have some more recruits for the hypothetical security kickball team. We talked about this a couple episodes back and we wanted to have the CSO and the CIO, maybe the CFO and the CEO, but I think it’s time that we invite the devs to the party, to the kickball team. And as we listened to Anna and Abhijit talk, it was really clear that some of these decisions that are going on in a cloud environment are being driven at the dev level, and if that’s the case, then they have to be on our kickball team.
Pam: Absolutely. I think that’s a nice addition to our zero trust kickball team, which we can just now expand. I have recently gone through some training about SecDevOps and security by design, and I think that’s an important addition. I think that’s really going to help build that kickball team from the ground up.
So the conversation on cloud security really reminded me of some anecdotal stories that I was reading about different data breaches and cloud misconfiguration, and really the idea that companies are using shared cloud services and they’re not changing the default password. And that’s been a significant source of breached records when you start diving into some of those examples. I just find that fascinating, like that’s the basic thing you could do is change your password.
David: That’s right, it actually reminds me of the Cost of a Data Breach report that we launched back in July. I think Charles talked about it on the podcast with you, and that misconfigured cloud was an important attack vector to consider. I think it was 19% in the 2020 report.
And if you’ve got that really solid strategy on cloud security that Anna and Abhijit talk about, part of that would be going through and executing those policies and implementation, and changing your default password so that you’re not subject to those types of really highly successful attacks.
So that’s it for this episode. Thanks to Anna and Abhijit for joining us as guests.
Pam: You can subscribe wherever you get your podcasts. We’re on Apple Podcasts, Google Podcasts, SoundCloud and Spotify. Thanks for listening.