Cloud security has been pushed into the forefront as security leaders adapt to the realities of the pandemic and the shift to hybrid work, while CISOs are simultaneously looking for ways to simplify security across their entire portfolio.
With cloud spending at an all-time high, every flavor of ‘as a Service’ solutions have been adopted to support the flexible working environments organizations are now in, from the enterprise to SMB markets.
To offer business enablement and continuity, of which cloud is instrumental in driving forward, security needs to be at the forefront.
Adam Gavish, co-founder and CEO at DoControl, a provider of automated SaaS security, pointed out most CISOs have adopted the Zero Trust security model.
“Many have also put in place several foundational solutions to secure access for the various identities that are connecting to critical systems and applications,” he said. “It’s important to not stop at the ‘identity security’ layer, highlighting the need for more granular level access controls throughout the IT estate.”
This is even more important for the applications that are driving business enablement and supporting business continuity.
He pointed out the hand of many organizations was quickly forced to support remote work almost overnight, and the adoption in cloud infrastructure and other as a service solutions was an easy fix to keep the business running.
“Most organizations were well underway in their cloud transformations and migrations, but these journeys were streamlined given how quickly we all had to react,” he said. “Anytime you introduce technologies that enable the business, there are always security implications and considerations that need to be addressed.”
Taking into consideration the rate in which digital transformation and cloud migration took place over the last couple of years, Gavish said organizations need to take a very close look when evaluating their existing security posture and programs.
“Attackers have recognized that dramatic IT changes were hurried to support the remote workforce,” he said. “They will be looking to exploit some of the soft spots and vulnerabilities that emerged with the influx of remote work.”
Douglas Murray, CEO at Valtix, a provider of cloud native network security services, said the biggest issue many organizations face is the complexity of cloud security, especially with multi-cloud environments.
“CISOs need to really consider that 2022 is the year to create a cloud security architecture that will enable them to meet business needs and agility requirements while maintaining security and compliance,” he said. “Otherwise, they risk becoming a roadblock to digital transformation.”
Like Gavish, Murray also pointed out the shift to remote work has increased the use of disposable compute-infrastructure, collaborative resources, and SaaS solutions to complete business operations.
This fluidity in the cloud tech stack, paired with the shifting threat landscape, creates a volatile attack surface.
“Volatility reduces the capability for security teams, but automated prevention and visibility can combat these moving risks, allowing the enterprise to take back control of their cloud environment,” he said.
Murray said the cloud doesn’t need to be complex to secure, and in fact it should be much easier, noting simplicity is really the promise of the cloud.
“Unfortunately, the haphazard way that organizations have invested in cloud security has left a lot of technical debt and duct tape where technology is lift and shifted from the data center,” he said. “To realize the promise of cloud, CISOs need to think about the cloud differently. It’s not just another data center.”
Murray said once they take this mindset, the CISO, along with their development and operations peers, can work to standardize on a multi-cloud security operating model to satisfy advanced security needs, while addressing their business’ agility requirements.
“You must identify assets, protect workloads, detect malicious activity and vulnerabilities, enable incident response, and ensure that you can recover quickly,” he said. “CISOs should look at building a stack in the cloud that gives them this sort of defense in depth.”
Gavish advocates for taking a risk-based approach to securing all cloud-based technologies, noting it’s important to try to centralize security as often as possible, especially for critical infrastructure, applications and workloads.
“Nowadays the IT estate is very decentralized and complex,” he said. “Narrowing the scope of what truly requires additional layers of security is important.”
This includes focusing on a specific subset of the organization’s high-risk users, as well as the systems and applications, and corresponding data and files, that they have access to helps narrow the scope.
“Trying to implement both preventative controls and detective mechanisms that centrally enforce strong security throughout today’s complicated threat landscape should be built into any CISOs strategy,” he said.