While cloud security has certainly come a long way since the Wild West days of early cloud adoption, the reality is that most organizations still have a long way to go before their cloud security practices truly mature. That gap costs organizations dearly in security incidents.
A Vanson Bourne study published earlier this year showed that nearly half of the breaches organizations experienced last year originated in the cloud. The same study found that the average organization lost nearly $4.1 million to cloud breaches last year.
Dark Reading recently sat down with the godfather of Zero Trust security, John Kindervag, to discuss the state of cloud security. When Kindervag was an analyst at Forrester Research, he helped conceptualize and publish the Zero Trust security model. He's now chief evangelist at Illumio, where he remains very much a proponent of Zero Trust as a key way to redesign security for the cloud era. According to Kindervag, organizations must face the following hard realities in order to succeed.
1. You won't get more secure just by moving to the cloud
One of the biggest myths about the cloud is that it's inherently more secure than most on-premises environments, Kindervag says.
“There's a fundamental misunderstanding of the cloud, that somehow there's more security built into it, and that you're more secure only by moving to the cloud,” he says.
The problem is that although large-scale cloud providers may be very good at protecting infrastructure, the control and responsibility they have over their customers' security posture is very limited.
“A lot of people think they're outsourcing security to the cloud provider,” Kindervag says. “They think they're transferring the risk. In cybersecurity, you can never transfer risk. If you're the custodian of that data, you're always the custodian of the data, no matter who holds it on your behalf.”
That's why Kindervag isn't a big fan of the oft-repeated phrase “shared responsibility,” which makes it seem as if there is a 50-50 division of labor and effort. He prefers the phrase “uneven handshake,” coined by James Staten, his former colleague at Forrester.
“The fundamental problem is that people think there is a model of shared responsibility, and there is an unequal handshake instead,” he says.
2. It is difficult to manage cloud-native security controls in a hybrid world
Then there is the matter of the improved cloud-native security controls that providers have built over the past decade. While many providers have done a good job of giving customers more control over workloads, identities, and visibility, the quality is inconsistent. As Kindervag says, “Some of them are good, some of them are not.” The real problem with all of these services is that they are difficult to manage in the real world, beyond the isolation of a single provider's environment.
“It takes a lot of people to do it, and they're different in each individual cloud. I think every company I've talked to in the last five years has had a multi-cloud model and a hybrid model, and they're both happening at the same time,” he says. “What's hybrid is that I'm using clouds and on-premises things, I'm using multiple clouds, and I'm probably using multiple clouds to provide access to different microservices for one application. The only way you can solve this problem is to have security controls that can be managed across all of those clouds.”
He says this is one of the big factors driving discussions about moving zero trust to the cloud.
“Zero trust works no matter where you put data or assets,” he says. “It can be in the cloud. It can be on-premises. It can be on the endpoint.”
3. Identity will not save your cloud
With so much focus on cloud identity management and disproportionate attention to the identity component of Zero Trust, it is important for organizations to understand that identity is only part of a balanced Zero Trust breakfast in the cloud.
“A lot of the zero trust narrative is about identity, identity, identity,” says Kindervag. “Identity is important, but we consume identity in zero trust policy. It is not the be-all and end-all, and it does not solve all problems.”
What Kindervag means is that under the Zero Trust model, credentials don't automatically give users access to anything under the sun within a particular cloud or network. Policy defines exactly what access to which specific assets is granted, and when. Kindervag was a long-time proponent of segmentation — of networks, workloads, assets, and data — long before the Zero Trust model was formalized. As he explains, the essence of defining Zero Trust access through policy is to break things down into “security surfaces,” because the risk level of the different types of users accessing each security surface determines which policies are attached to any given credential.
“That's my job: to get people to focus on what they need to protect, and put those important things into different sandboxes. Your PCI credit card database should be in its own sandbox. Your HR database should be in its own sandbox. The HMI of your IoT system or your operational technology system should be in its own sandbox,” he says. “When we break the problem down into bite-sized pieces, we solve it part by part, one after the other. This makes it more scalable and implementable.”
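As an added illustration (not code from the article or from Illumio) of the point above, here is a default-deny policy check in which a valid credential is only an input and access is decided per security surface; the surfaces, roles and rules are constructed sample data:

```python
"""Constructed example: default-deny access decisions scoped to security surfaces.
Identity attributes are consumed by policy; they never grant access on their own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    identity: str          # authenticated principal (assumed already verified)
    roles: frozenset       # identity attributes the policy consumes
    surface: str           # which sandbox / security surface is targeted
    action: str            # "read", "write" or "admin"
    device_posture: str    # "managed" or "unmanaged" (constructed context signal)


@dataclass(frozen=True)
class Rule:
    role: str
    actions: frozenset
    require_managed: bool = True


# Constructed policy: every security surface carries its own rule set,
# mirroring the PCI / HR / OT sandboxes described in the interview.
POLICY = {
    "pci-db": [Rule("payments-svc", frozenset({"read", "write"}))],
    "hr-db": [Rule("hr-analyst", frozenset({"read"}))],
    "ot-hmi": [Rule("ot-engineer", frozenset({"read", "write"}))],
}


def decide(req: Request) -> tuple:
    """Return (verdict, reason). Unknown surfaces and unmatched rules are denied."""
    rules = POLICY.get(req.surface)
    if rules is None:
        return "deny", f"{req.surface}: unknown security surface"
    for rule in rules:
        if rule.role not in req.roles or req.action not in rule.actions:
            continue  # this rule does not cover the requested role/action
        if rule.require_managed and req.device_posture != "managed":
            return "deny", f"{req.surface}: managed device required"
        return "allow", f"{req.surface}: {req.action} granted via role {rule.role}"
    return "deny", f"{req.surface}: no rule grants {req.action} to {sorted(req.roles)}"


if __name__ == "__main__":
    # Same credential, different surfaces: only the HR read is allowed.
    alice = frozenset({"hr-analyst"})
    for surface, action in [("hr-db", "read"), ("hr-db", "write"), ("pci-db", "read")]:
        print(decide(Request("alice", alice, surface, action, "managed")))
```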
4. Many companies don't know what they are trying to protect
When organizations decide how to segment their security surfaces in the cloud, they first need to clearly define what they are trying to protect. This is critical because each asset, system or process carries its own unique risks, which determine the access policies and the protection placed around it. The old joke is that you wouldn't build a million dollar vault to house a few hundred pennies. The cloud equivalent is putting heavy protection around cloud assets that are isolated from sensitive systems and contain no sensitive information.
It's all too common for organizations to lack a clear idea of what they're protecting, in or out of the cloud, Kindervag says. In fact, most organizations today don't necessarily have a clear idea of what is in the cloud or connected to the cloud, let alone what needs to be protected. For example, a Cloud Security Alliance study shows that only 23% of organizations have complete visibility into their cloud environments. An Illumio study conducted earlier this year shows that 46% of organizations do not have complete visibility into the connectivity of their cloud services.
“People don't think about what they're actually trying to achieve, or what they're trying to protect,” says Kindervag. This is a fundamental problem that leads companies to waste a lot of security money without setting up appropriate protection in the process.
“They'll come to me and say, 'Zero trust doesn't work,' and I'll ask, 'Well, what are you trying to protect?' And they'll say, 'I haven't thought of that yet,' and my answer is, 'Well, then, you're not even close to starting the zero trust process,'” he explains.
5. Cloud-native development incentives are misaligned
DevOps and cloud-native development practices have benefited greatly from the speed, scalability, and flexibility that cloud platforms and tools provide. When security is properly integrated into the mix, good things can happen. But Kindervag says most development organizations aren't properly incentivized to make this happen — which means cloud infrastructure and all the applications that rely on it are put at risk in the process.
“I like to say that DevOps people are the Ricky Bobby of IT,” Kindervag says. “They just want to go fast. I remember talking to the head of development at one of the companies that eventually got hacked, and I was asking him what he was doing in terms of security. And he said, ‘Nothing, I don’t care about security.’ I asked, ‘How come you don’t care about security?’ And he says, ‘Because I don’t have a KPI for it. My KPI says I have to do five pushes a day on my team, and if I don’t do that, I don’t get a bonus.’”
This is an example of one of the big problems, not just in AppSec, but also in the move to zero trust in and out of the cloud, Kindervag says. Many organizations simply do not have the right incentive structures to make this happen – and in fact, many have perverse incentives that end up encouraging unsafe practices.
That's why he advocates building zero-trust centers of excellence within organizations that include not only technologists, but also business leadership in planning, design, and ongoing decision-making processes. When these cross-functional teams come together, he says, he sees “incentive structures change in real time” when a powerful business executive steps forward to say the organization will move in that direction.
“The most successful zero-trust initiatives are those that involve business leaders,” says Kindervag. “I had one at a manufacturing company where the executive vice president—one of the company's senior leaders—became a champion of the shift to zero trust in the manufacturing environment. It went very smoothly because there were no disincentives.”