Chief Innovation Officer at Orca Security.
As cloud computing has evolved and expanded, the cloud security industry has focused on a series of key issues, each taking turns at the top of the priority pile. Misconfiguration risks have given way to identity and access management (IAM) issues, which have given way to securing Kubernetes containers, and finally to API security. The industry is constantly identifying new types of security issues, deeming them the most important until the next “hot topic” in security comes along and takes their place, often before the industry has figured out an effective way to fix the first one.
However, there is a persistent problem: many organizations are neglecting the basics of security. Recent research by Orca Security has uncovered alarming omissions among organizations operating in the cloud, from high rates of neglected assets and compromised data to weak identity and access management controls and exposed API servers in Kubernetes.
Each instance of a basic security problem, such as an unpatched server or a serious vulnerability in an application, may seem easy to fix individually. But in a multi-layered cloud organization with multiple stakeholders—many of whom may lack security expertise—these issues can snowball into larger problems that pile up without resolution.
Innovators in the cloud security industry may feel frustrated by this trend, wondering why they should continue to develop new tools and solutions if they don’t seem to be used. But the reality is that the cloud security industry needs to emphasize a pragmatic approach. It’s not about too many problems, but too few solutions.
Don't Come With Alerts, Come With Fixes
The issues facing cloud infrastructure are real, of course, whether they are misconfigurations, vulnerabilities, data issues, or other problems. The industry needs to address these issues, and innovative tools and solutions that identify problem areas are valuable. But organizations don’t need thousands of additional alerts—they need help mitigating them. In fact, I can confidently say that I have never met a security leader who told me they didn’t have enough alerts to fix.
As security providers, we need to look at these issues in context. Prioritization shouldn’t be based on the severity of a CVE in an application, for example, but rather on where that application is in the stack and how critical it is to business production. We need to simplify the remediation process. This will reduce the number of issues that are prioritized for the practitioner to fix. But that’s often not enough.
The goal should be to reduce both the number of issues that need to be prioritized and the amount of work practitioners must do to fix them. Risk logging should be a byproduct of this work, with issues prioritized as far as possible in context so that the number of separate fixes shrinks. In short: don’t come with alerts – come with fixes, and make those fixes easier to implement.
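As an added illustration of the two points above (prioritizing in business context rather than by raw CVE severity, and collapsing findings into fewer fixes), here is a small Python example; it is not Orca's code, and the asset names, tier weights, owners and CVE placeholders are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str        # placeholder identifier, constructed for this example
    cvss: float     # base severity of the CVE
    package: str    # vulnerable package; fixing it once per owner clears all its findings
    exposed: bool   # reachable from the internet
    tier: str       # "production", "staging" or "dev" (assumed environment labels)
    owner: str      # team that can actually ship the fix

# Assumed weights: a finding on a dev box matters far less than the same one in production.
TIER_WEIGHT = {"production": 1.0, "staging": 0.5, "dev": 0.2}
EXPOSURE_MULTIPLIER = 1.5

def context_score(f: Finding) -> float:
    """Severity scaled by where the asset sits in the stack and whether it is exposed."""
    score = f.cvss * TIER_WEIGHT[f.tier]
    if f.exposed:
        score *= EXPOSURE_MULTIPLIER
    return round(score, 2)

def rank_by_cvss(findings):
    """Naive ordering: highest CVSS first, regardless of context."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def rank_by_context(findings):
    """Contextual ordering: what would hurt the business first."""
    return sorted(findings, key=context_score, reverse=True)

def group_fixes(findings):
    """Collapse findings that share one remediation (same package, same owner) into one work item."""
    fixes = {}
    for f in findings:
        fixes.setdefault((f.owner, f.package), []).append(f)
    return fixes

# Constructed sample: four findings, one of which has the highest CVSS but sits on a dev box.
SAMPLE = [
    Finding("dev-build-01", "CVE-XXXX-0001", 9.8, "openssl", False, "dev", "team-a"),
    Finding("web-01", "CVE-XXXX-0002", 7.5, "nginx", True, "production", "team-b"),
    Finding("db-01", "CVE-XXXX-0003", 8.1, "libxml2", False, "production", "team-b"),
    Finding("web-02", "CVE-XXXX-0002", 7.5, "nginx", True, "production", "team-b"),
]

if __name__ == "__main__":
    print("by CVSS:   ", [f.asset for f in rank_by_cvss(SAMPLE)])
    print("by context:", [f.asset for f in rank_by_context(SAMPLE)])
    print(f"{len(SAMPLE)} findings collapse into {len(group_fixes(SAMPLE))} fixes")
```

The CVSS-only ranking puts the dev box first; the contextual ranking pushes the two exposed production web servers to the top, and grouping by owner and package turns four alerts into three concrete fixes.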
Leveraging the capabilities of AI while recognizing its limitations is an important part of a practical approach to cloud security. Consider a self-driving car powered by AI. It doesn’t actually drive itself. It needs a human to supervise it, tell it where to go, and be ready to take over when necessary. But AI is essential to its operation, and its capabilities greatly reduce the workload for the human driver. We need to take the same approach to cloud security.
One way AI can help is by connecting what is seen in production to the enterprise developers who own the code. In many organizations, security engineers spend a significant portion of their time identifying the source of an issue in production and then finding the person responsible for fixing it. When that share of time doubles in a cloud environment, identifying all of these issues can become a daunting task. Organizations have reported taking weeks to find all of the items that need fixing.
AI’s ability to quickly collect and analyze massive amounts of data can speed up this process, and it can begin to address many of the problems it finds. This can significantly reduce the work of developers, allowing them to focus on more strategic projects.
Cloud Security Basics
The vastness and complexity of multi-cloud infrastructure creates an environment rife with vulnerabilities, configuration flaws, and, as our research shows, neglect of basic security. Identifying vulnerabilities and areas that need to be addressed is important, but organizations need more than just alerts. The cloud security industry must recognize that organizations need hands-on help to resolve issues as quickly and easily as possible.
We need to:
• Prioritize security alerts within the business context.
• Focus on providing solutions, in addition to identifying problems.
The same tools, like AI, that are used to help identify and define problems can also be used to help provide solutions. Some problems can be fixed automatically. For others, security providers can reduce the amount of work needed to fix them. We can provide all the necessary data, identify who needs to be involved, and set up the first steps to take toward fixing the problem.
By taking this approach, cloud security providers can effectively reduce the need for manual work, reduce the overall number of security issues, and ultimately make them easier to fix. In the process, we can help improve the state of cloud security.
The Forbes Technology Council is an invitation-only community for world-class CIOs and technology executives.