In this interview with Help Net Security, Amiram Shachar, CEO of Upwind, discusses the complexities of cloud security in hybrid and multi-cloud environments. He stresses the need for deep configuration visibility and real-time insights to balance speed and security.
Shachar also shares strategies for addressing misconfigurations and ensuring compliance, and recommends a proactive approach to managing risk in cloud deployments.
As hybrid and multi-cloud setups become the norm, cloud environments are becoming more complex. How can organizations balance the need for flexibility while maintaining strong security across these platforms?
An effective security program should enable organizational resilience. Organizations managing hybrid environments need the confidence to move quickly without compromising the safety and security of their customers. To achieve this, security teams need deep visibility into the configurations, behaviors, and context of their infrastructure (cloud or on-premises), workloads, and applications.
When organizations have this visibility across all layers, understanding actual risks becomes much easier, which allows teams to stay focused. In the context of real risks, developers can move more freely, knowing that the right guardrails, controls, and visibility are in place to stay protected and catch real threats rather than blocking them at every turn.
This depth of information is best achieved by combining real-time and runtime insights with static, configuration-based analysis of the environment. Leveraging runtime insights for security turns it into a seamless part of the development process, allowing security and DevOps teams to work together more seamlessly. Instead of slowing down innovation, security becomes a natural part of the workflow, enabling faster growth and better collaboration without sacrificing protection.
Misconfigurations and lack of visibility are two of the biggest challenges to cloud security. What strategies do you recommend to address these issues?
Solving the visibility problem first makes it easier to solve the misconfiguration problem. The emergence of the cloud has introduced hundreds of new services, representing thousands of unique configurations that developers use freely within organizations. This has led to security teams fighting a losing battle of trying to secure configurations and educate developers, many times in areas that pose no risk to the business.
Addressing visibility first enables security teams to understand true risks and fix misconfigurations across the organization much faster. For example, we encounter many teams facing the same misconfiguration across hundreds of assets owned by thousands of developers. Without proper visibility into asset behavior, organizations have to review each team individually, explain the risks, check if their workload is indeed using the wrong configuration, and then configure it accordingly – essentially an impossible task.
With runtime insights, security teams instantly understand which assets are using misconfigurations, which developers own them, and all the relevant risk context surrounding them. This turns what could be a 6-month project involving the entire R&D organization into a simple task completed in a day and involving just a few individuals.
What are some key considerations when working with third-party cloud providers to ensure they meet an organization's security standards, and how can organizations mitigate the risks associated with shared responsibility models?
When choosing a cloud service provider (CSP), it is important to deeply understand their specific shared liability model to ensure your organization is prepared for the liability associated with their aspect of cloud security. Once responsibilities are clearly defined, a customer can create a plan to secure their data, applications, and infrastructure.
Each CSP has a different liability model, meaning different key areas the CSP is guaranteed to cover, versus what the customer is responsible for. However, despite these different models, Gartner has consistently predicted that by 2025, 99% of cloud security failures will be the result of customer error – and this applies to telecom providers.
With this in mind, organizations must realize that the vast majority of cloud security failures are likely to be on their part, and they must effectively mitigate these risks by using robust cloud security tools and practices to ensure the security of their environment. When selecting a tool, customers should prioritize solutions that include runtime monitoring, that effectively protect against threats in production environments, and prioritize risk outcomes based on real environmental risks. This enables teams to focus efforts on fixing the most critical risks, ensuring they proactively mitigate risks associated with their side of the shared responsibility model.
As cloud adoption increases, regulatory and legal compliance becomes more complex. What are the most significant compliance challenges organizations face in the cloud, and how can they best navigate these complexities to avoid penalties or violations?
One of the most important challenges organizations face is maintaining consistent compliance across different cloud environments, especially when these environments are highly dynamic and deployed by multiple stakeholders who do not necessarily have the appropriate expertise in the field. The solution lies in a dual approach.
First, educate relevant stakeholders, and provide frameworks and best practices for deploying design-compliant workloads. Then, gain continuous visibility and the ability to validate compliance at runtime by discovering sensitive data, network flows, and workload configurations. Finally, ensure that any non-compliant workloads are quickly remedied within required organizational SLAs.
How can CIOs and IT managers balance business innovation, agility, and the need to implement cloud security measures, especially in fast-moving cloud deployments?
Balancing business innovation with the need for robust cloud security is one of the top priorities for CIOs and IT managers. In fast-moving cloud deployments, where speed is critical, security must have a deep understanding of risk. Asking developers to fix every problematic or misconfigured package is a futile effort for most organizations, which slows them down significantly.
The best way to achieve this is to bring runtime context back into development decisions, and understand that the same vulnerability in a sandbox is less significant than one running in a production workload exposed to the Internet containing sensitive data.
By integrating security measures from runtime to developers, organizations can ensure they are dynamically securing their cloud infrastructure, without interrupting business operations or hindering innovation. This allows security teams to detect and respond to threats in real time, giving them the ability to balance protection with the need for speed. Automation also plays an important role here, because it enables teams to maintain security at scale, no matter how quickly the environment evolves.