Discussing strategies for achieving full-lifecycle cloud security at the Cloud Security Alliance European Virtual Summit, Chris Hertz, VP, and Jeremy Snyder, senior director at DivvyCloud by Rapid7, said the challenge goes beyond adopting cloud services: you cannot secure a cloud environment once and be done, because these platforms are always changing.
Snyder said he often sees “a lot of great ideas and a lot of great energy and enthusiasm for adopting cloud technology” but the reality for organizations is that they can be faced with “not getting everything that they want out of their cloud journeys.”
In particular, developers want to embrace services being created by Infrastructure-as-a-Service (IaaS) providers “as it helps them get their jobs done more efficiently and more quickly,” but the pace of change from cloud providers accelerates every year.
Hertz said that cloud services are constantly changing, IaaS providers are always evolving their services, and the outcomes are unpredictable: in 2018 there were 81 major breaches attributable to cloud misconfigurations, and 150 in 2019.
“By our calculation, in our 2020 Misconfiguration Report, we estimate that $5trn in damages resulted from cloud misconfigurations in 2018 and 2019, so the security achievement gap is real and it is having real impact,” Hertz said.
This means that developers are core to security in a way they were not before, and the speakers said there is a misalignment in the way security operates today. In particular, if a developer needs to get a task done, they will need to make changes to an access list and to authentication methods to do so.
Snyder added: “That is where some of the ignoring or the circumvention of security comes into place. It is not that people are malicious in any way, but they have tasks to accomplish in new ways, and that falls into the hands of the developers.” Hertz argued that this is why security has not shifted its approach to the cloud: security still works in the world of the data center, with a centralized infrastructure.
“In this new world of self service, we have democratized access but not democratized security, and you have a misalignment,” Hertz said. “Security tries to apply principles that applied in a data center world, but in the cloud security world, it doesn’t work.”
This can lead to security putting blocks in place, a “rock in the river” as the speakers called it: developers do not act maliciously, but with those restrictions in place they cannot get their jobs done. “There is huge friction as security tries to operate as a data center, but eventually the water flows around the rock in the river. Instead you should move from the command-and-control world to a ‘trust but verify’ and ‘enable but amplify’ model,” Hertz said.
“That is why we are seeing these challenges, as culturally and organizationally, companies are not overcoming this.”