Native Cloud Security Controls Still “Not Good Enough”
Security has slowly embraced adoption of the cloud, but cloud security native tools are still not good enough.
In a roundtable discussion on exploring the cybersecurity threats faced by CISOs in enterprise and hybrid cloud environments, the subject of cloud security was outlined with regards to what is being done well, and what is being done badly.
Dr Ronald Layton, vice-president of converged security operations at Sallie Mae, said, in government, the use of cloud is prominent as a business case, but in the private sector “it makes business sense” as it can be customized for specific needs.
Joe Sullivan, chief security officer of CloudFlare, said security teams are often “dragged along when business leaders look at cost and opportunity and ability to focus on priorities of business and user experience” when it comes the cloud. However, they do not look at infrastructure, and when security teams look at the cloud, they see risk.
“Go to any large security conference and talk to security leaders, and they will say they have not moved to the cloud as they are uncomfortable with cloud products and resistant to what their company is doing,” he said.
Sullivan added that he felt security had “come around in the last couple of years, but security teams need to get with the program and appreciate risks and be involved and not be dragged along.”
John Kindervag, field CTO for Palo Alto Networks, agreed, saying native cloud security was “never good enough” as it is based on the Linux Kernel. He said there is a common misunderstanding that we think we can secure the cloud by using in-cloud security.
Layton said, when it comes to cloud deployment, you have two options: step by step, or “big bang” where you go all in. “Either way, you need to follow the golden rules: secure your S3 buckets, use DLP, turn on multi-factor authentication, and use micro-segmentation and business process. It is all about getting this right, as right today and may not look like that in six months.”
Mary Gardner, vice-president and CISO at F5 Networks, argued that there is a need to think about automation when we move to the cloud, and to build controls in to prevent mistakes from happening in the first place. “Most breaches are human error, such as publishing a private key on a Github account and making it available, and the more automation we use the more we are ahead of curve,” she said.
Kindervag explained that if you work in IT or cybersecurity, technology “is there to be adopted.” He said technology is now in place that would have been very hard to roll out 20 years ago, as now you can “flip a switch as technology is automated and cloud-based.”
Layton commented that the move to using cloud services is “all about adaptation” and moving from point A to point B. “The complexity increased and you have got to be adaptive to these things,” he said.