An Unfortunate Truth: Your Cloud Security Team is Not Ready
I'm going to come right out and say it. Your cloud environment is not secure. Career-wise, this may be a risky subject for me to bring up in public, but I think it is time we all came to terms with it. This hard truth has come from a 20-year career of working with many fantastic Fortune 500 companies as a software developer, DevOps engineer, security architect, and engineering technical lead. You may have a great security team, and you may have a great cloud enablement team, but they are not prepared to properly secure their cloud in the era of distributed Infrastructure-as-Code deployments. This is a bold statement, but I can back it up after spending the last decade assessing and trying to secure cloud environments for Fortune 50 clients, auditing cloud providers as a third party, and working for various consulting groups such as Deloitte.
I have been on the ground floor of security, working with management teams, CISOs, and frustrated and shackled security engineers to try to overcome major cloud security hurdles. The truth is that no one has cloud security figured out, and most organizations are not even remotely ready to tackle the huge security risk that is their enterprise-level cloud environment. This sounds pretty alarmist, but it is a reality that we all need to come to terms with. In this article I want to give you a good 10,000-foot overview, and hopefully by the end you will see not only the problem, but the solution.
Security is undergoing a massive shift as organizations move their workloads over to the cloud. One of the biggest challenges that security teams face is the removal of organizational silos for the different domains they work with. In traditional on-premises or co-located environments, Identity, VM infrastructure, and networking security standards are generally managed and enforced by their respective teams. This has given security a single point of contact for each security domain. Now, however, cloud environments are distributed, with VMs, networks, services, and other infrastructure deployed and decommissioned by individual developers and business units.
This decentralization of responsibilities is a real cause for concern for security executives, as it creates an unmanageable amount of coordination between security teams and a multitude of developer teams. Traditional IT teams have lost control over their security process, as infrastructure has already been “Shifted to the Left” to developers through Infrastructure-as-Code deployments. A new paradigm of security management has begun to emerge from this shift over the past couple of years, and you have probably heard about it in various forms. SecOps, DevSecOps, and combinations of the two are being adopted throughout the industry as you read this.
None of these methodologies work yet, because the real challenges of modern-day distributed cloud security have not yet been properly recognized in the industry. Every organization has smart engineers on the ground, but they are overloaded with too many organizational units and challenges to effectively integrate these solutions into their cloud environments. The hard truth is that if you are a CISO, you need to know that your team isn’t ready for this, nor are they equipped to handle it. It is all well and good to have security requirements at the development level, but how do you enforce them? Your security team probably put a lot of effort into coming up with cloud security controls, but there is a vanishingly small chance that they have any way to make them a reality.
The challenges and questions that come up in doing so are almost overwhelming. How are security requirements enforced across environments spanning multiple cloud providers? How is access to these platforms and environments restricted in a way that does not slow down the development lifecycle? How can the security team reduce exceptions and enable teams to deploy infrastructure and services in a way that is guaranteed to satisfy their controls?
The answers to these questions come through a thoughtful and enterprise-wide application of tools and processes. Multi-cloud environments need multi-cloud tools that are flexible enough for developers to use, but rigid enough to give security back the control they need. These tools include DevOps pipelines, multi-cloud Identity Access Management, IT Service Management, deployment orchestrators such as Terraform, and the integration and automation of security event detection and response through SIEM and SOAR tools. Above all, your team needs to have the courage to enforce security guardrails, and be ready to deal with pushback from all over your organization.
Only when these tools are established and adopted across the organization can security protocols be reliably enforced. Security configuration of cloud services can be templatized and pushed at the deployment level through the orchestrator. Networking and routing controls can be put in place through service requests. Identity controls can be established using the principle of least privilege through pipeline deployments. Security events can be immediately detected and resolved through automated response playbooks.
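As an added example (not code from the original article) of the deployment-level enforcement described above: a pipeline guardrail that reads a Terraform plan exported with `terraform show -json` and blocks the apply step when a resource violates a control (public bucket ACL, wildcard IAM action, SSH open to the internet). The AWS resource types, attribute names, and the embedded sample plan are assumptions constructed for this example.

```python
"""Deployment-pipeline guardrail: evaluate a Terraform plan exported with
`terraform show -json` against a few cloud security controls and block the
apply step when any control fails. Added example; controls and plan are
constructed here and the resource attribute names assume the AWS provider."""
import json

SAMPLE_PLAN = json.dumps({"resource_changes": [   # constructed plan fragment
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"policy": json.dumps(
         {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": None}},
]})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_plan(plan: dict) -> list:
    """Return one message per control violation in the plan's resource changes."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:          # pure deletions carry no new configuration
            continue
        addr, rtype = rc["address"], rc["type"]
        if rtype == "aws_s3_bucket" and (after.get("acl") or "").startswith("public"):
            violations.append(f"{addr}: bucket ACL {after['acl']!r} is public")
        if rtype == "aws_iam_policy":     # least privilege: no wildcard actions
            doc = json.loads(after.get("policy") or "{}")
            for stmt in _as_list(doc.get("Statement", [])):
                acts = _as_list(stmt.get("Action", []))
                if stmt.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in acts):
                    violations.append(f"{addr}: Allow statement uses wildcard action {acts}")
        if rtype == "aws_security_group":  # no SSH from the whole internet
            for rule in after.get("ingress", []):
                if (rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
                        and "0.0.0.0/0" in rule.get("cidr_blocks", [])):
                    violations.append(f"{addr}: SSH ingress open to 0.0.0.0/0")
    return violations

def apply_allowed(plan_json: str) -> bool:
    """Pipeline gate: True only when the plan passes every control."""
    return not check_plan(json.loads(plan_json))
```

In a real pipeline the plan JSON would come from the orchestrator's plan stage, and a False result from `apply_allowed` fails the job before `terraform apply` runs.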
What is exciting about all of this is that we are truly on the cusp of a new era in which security is becoming both easier and more transparent to enforce, without creating organizational friction in the process. When done right, your cloud workloads will be secure, monitored, and automatically protected from malicious attackers or integrated into response ticketing systems. Most likely, you aren’t there yet, and to get there your organization needs to dramatically rethink the way it does security.