Cloud services now play a central role in the digital operation of modern enterprises. But security teams are often being left out in the cold, increasing the level of risk an organisation is facing. Gidi Cohen, CEO and Founder, Skybox Security, tells us how CISOs can be part of the conversation on securely adopting cloud services – without being a barrier to innovation.
The desire for cloud services has reached a fever pitch. It’s estimated that the public cloud service market will be worth US$206 billion by the end of this year, with 83% of all enterprise workloads set to be hosted in the cloud by 2020.
At the same time, the cloud technology stack is becoming increasingly complicated: organisations aren’t just investing in cloud infrastructure but also taking advantage of cloud-native technologies such as containers, orchestration tools and serverless architectures to help them to further improve efficiency and decrease costs.
In the face of such great upheaval, it would make sense for security to take a central role in all strategic discussions. In many cases, however, this simply isn’t happening. Instead of being seen as a stabilising force that can help businesses to realise the benefits of their cloud projects, the perception of security has been that it’s a barrier to change.
Because of this, the CISO has too often been left out of the conversation. Only in the last year or so has there been a marked shift of enterprises bringing cloud back under the purview of the CISO; but it certainly hasn’t happened across the board.
For CISOs looking to ensure security plays a central role in new cloud initiatives or those already underway, they need to know how and where security should underpin these projects without slowing down innovation.
Why businesses leave the CISO out of cloud projects
The CISO was first bypassed when enterprises started looking to the cloud to enable flexibility, cost savings and a rapid implementation of business initiatives.
Unable to keep pace with the speed that cloud transformation demands, the CISO earned an unwanted reputation as the naysayer: “No, it’s not possible to securely deliver a new cloud service within such a tight timeframe. No, we’re not able to guarantee that this service has the desired levels of security without undergoing a significant testing period. No, we cannot recommend investing so aggressively in innovation at the expense of security.”
These roadblocks are at odds with the modern enterprise’s hunger for rapid innovation that cuts costs and aids their competitive edge. And as leadership teams have moved to embrace a cloud-first mindset, the split between operations and security teams has become more severe.
Businesses are regularly spinning up new workloads and have, in some ways, lost patience with their security leaders. It’s easier to leave the CISO out of the picture until the last minute – in their minds, doing so helps them to get the project across the line. They’ve ended up adopting an ‘act first, worry later’ mindset – a cavalier approach that leaves them exposed to great risk.
CISOs need to earn their seat at the table. They need to demonstrate that security is needed to enable these business initiatives; to educate their organisation’s strategic leaders about where the real insecurities exist within cloud projects; and, crucially, to reframe how their department is perceived within the business, so that they’re never again seen as the obstacle to innovation.
Where insecurities exist within the cloud
The devil’s in the details when it comes to cloud: if workloads aren’t properly configured or protected, any number of new risks could be introduced to an organisation.
Configuration in the cloud often requires complex and specialised knowledge and training. So, it’s highly likely that an individual lacking the requisite skills or knowledge could configure something incorrectly – or simply have a false sense of security because weak controls have been put in place. These mistakes can leave cloud deployments open to data breaches and may also cause compliance failures if customer data is exposed or is stored outside the jurisdiction its regulator requires.
Additionally, many organisations fail to test cloud implementations as robustly as they would on-prem deployments. Again, this is frequently the case when security has been cut out of cloud strategies. Security teams must be involved in the practices and processes that will test the security of cloud development and have proper oversight of their organisation’s cloud services. These processes need to be incorporated in the overall security programme and not treated as a separate silo.
While the mechanisms for cloud security differ from those of traditional IT products, the goals of risk reduction and continuous compliance are the same. It’s up to the CISO and their team to understand how to translate and implement risk reduction and compliance requirements in the cloud.
To minimise risk and maintain continuous compliance throughout the hybrid network, a unified approach is key. That’s why it’s crucial for the CISO to be involved in all cloud transformation activities from the planning stages, to implementation and ongoing management, working closely with the CIO and DevSecOps team.
Defining the CISO’s role in the age of DevSecOps
As cloud projects and other Digital Transformation initiatives have gained momentum, we’ve seen the development of more DevSecOps (development, security and operations) teams. The aim of the team is to integrate security practices within the DevOps process.
In theory, the way that these teams are structured should lead to security being considered throughout the life cycle of the cloud project. In practice, though, it can turn security into a simple checkbox exercise that fails to address the complexities of the cloud.
The way that DevOps is developing and rolling out new applications makes sense for the function. Faced with great pressure to deliver services quickly, they’re embracing ‘shift left’ methodologies so that they can find and prevent software flaws earlier in the process. Doing so prevents them from having to unpick any potential mistakes that they may discover further down the line.
This linear way of working makes sense for a team which is measured on ensuring stability and fast deployments. But it doesn’t make sense for the traditional definition of security, as infosec teams understand it – security isn’t linear in that sense. It shouldn’t be seen as a single step that needs to be taken during the implementation of a cloud service but, rather, as something that needs to be embedded at every stage of the initiative in order to reduce risk and ensure success.
The genesis of DevSecOps teams shows that organisations are aware of the need for security checks. But it also exposes a lack of understanding about just how pervasive security needs to be in the cloud era. It falls on the CISO to communicate this need and, in turn, to help reshape the role of security within still nascent DevSecOps teams.
How to improve cloud security and ensure that the CISO has a voice
The most important thing that the CISO can do to improve cloud security is to make sure that they have a voice in these initiatives and that it’s heard – which is easier said than done.
First, expand the visibility and insight to the cloud environment. Public cloud environments should be considered an integral part of the attack surface the CISO needs to secure. This doesn’t mean wrestling the controls away from IT teams.
Read-only API connections and offline models (a copy of the cloud configuration that is analysed outside the live environment) can give security teams the oversight they need without interfering with operations. Modelling the hybrid network topology, security controls, assets, vulnerabilities and threats in one place lets the security team bring its expertise to this new frontier in a timely manner.
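The kind of check a read-only connection makes possible, as an added example that is not from the article or from Skybox: a security-group export (the shape of an EC2 DescribeSecurityGroups response, simplified) is loaded as an offline model and scanned for world-reachable rules, so the security team sees exposure without touching the running environment. The export, group ids and names are constructed for the example; the sensitive-port list is an assumption a team would tune to its own estate.

```python
"""Offline model of cloud firewall rules: a read-only exposure check.

Added example, not code from the article or Skybox. The export below is
constructed in the shape of an EC2 DescribeSecurityGroups response; the
group ids, names and rules are hypothetical.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample export (hypothetical values).
SAMPLE_EXPORT = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                 # expected
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                # ssh to the world
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                # odd, worth a look
        ]},
        {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},              # internal only
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},          # from web tier
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # the mistake
        ]},
    ]
}

# Assumed list of services that should never face the Internet directly.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}
PUBLIC_OK = {80, 443}   # ports a web tier is expected to expose


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    severity: str
    detail: str


def rule_cidrs(rule):
    """All CIDR sources on a rule; references to other groups carry no CIDR."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def evaluate(export):
    """Return findings for every rule reachable from the whole Internet."""
    findings = []
    for sg in export["SecurityGroups"]:
        gid, name = sg["GroupId"], sg["GroupName"]
        for rule in sg.get("IpPermissions", []):
            if not any(is_world_open(c) for c in rule_cidrs(rule)):
                continue  # reachable only from named networks or groups
            proto = rule.get("IpProtocol")
            if proto == "-1":
                findings.append(Finding(gid, name, "critical",
                                        "all protocols and ports open to the world"))
                continue
            if proto not in ("tcp", "udp"):
                continue  # e.g. icmp: FromPort/ToPort are type/code, not ports
            lo, hi = rule["FromPort"], rule["ToPort"]
            exposed = [p for p in SENSITIVE_PORTS if lo <= p <= hi]
            for p in exposed:
                findings.append(Finding(gid, name, "high",
                                        f"{SENSITIVE_PORTS[p]} ({proto}/{p}) open to the world"))
            if not exposed and not set(range(lo, hi + 1)) <= PUBLIC_OK:
                findings.append(Finding(gid, name, "medium",
                                        f"{proto}/{lo}-{hi} open to the world"))
    return findings


def summarize(findings):
    """Counts by severity, e.g. {'critical': 1, 'high': 1, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EXPORT):
        print(f"{f.severity:8} {f.group_id} ({f.group_name}): {f.detail}")
```

In practice the export would come from a describe call made with credentials limited to read-only permissions (for EC2, `ec2:DescribeSecurityGroups`), and the model would be refreshed on a schedule; the analysis itself never needs write access, which is the point of giving security oversight without taking the controls away from the cloud operations team.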
Second, partner with the cloud operations teams to extend and adapt the traditional security management processes around risk reduction and compliance to the cloud. In order to become a true partner to operations, the security team needs to work at the speed of DevOps and provide the means to ensure that during design, development, deployment and operation, the workload is properly secured and compliant with the relevant regulations. Analytics and automation are what allow security teams to keep up at that pace.
Third, get ahead of the curve. There are more disruptive cloud technologies to come, and some may already be in use somewhere in the organisation. Use the opportunity to catapult your team to the forefront of innovation.
If the CISO is able to demonstrate the importance of such activities, they will be able to enact real change within their organisation and gain solid footing for future cloud and Digital Transformation projects. It’s high time that organisations acknowledged the significant role that security should play in delivering innovation – but it’s up to the CISO to get them to see the light.