A few days ago, I had the privilege of attending a boardroom discussion of CISOs at the virtual Chicago CISO Summit on the topic of Rethinking Security and Governance in the Public Cloud. The boardroom discussions are great since they serve as an opportunity to benchmark various CISO topics, and to discover cloud security challenges enterprise organizations are facing whether you’re an Azure, Google or AWS CISO.
It’s clear from our discussion that the ways in which we build technology value have changed drastically. Shifts from monolithic software to microservices, waterfall development to agile, IT to DevOps, and data centers to cloud form the foundation of the digital disruption revolution executives are leading. And, in the past 12 months, executives have ramped up cloud adoption faster than anyone ever expected.
With this rapid evolution, it is clear that enterprises must re-invent how they govern and secure in this “new world” where identities are the new perimeter. The old control points of IT, firewalls, and endpoints are simply outdated and ineffective in the new world of cloud development. Today, Cloud Service Providers like AWS, Azure, and Google Cloud look after the infrastructure, and for enterprises the new control points now center on identity, data, and the workload itself.
This transformation was top of mind in our session, which was attended by twelve CISOs from public and private companies across a variety of industry verticals including Finance, Insurance, Retail, and more. In our group, all CISOs reported challenges with the complexity of the public cloud, the rapid changes of the past twelve months, and blind spots in cloud security. For larger or more security-mature organizations, the complexities included a lack of integration between multiple departments, including DevOps, audit teams, security, and operations.
Takeaways From Our Boardroom
Identity is the New Perimeter
For many years, defense in depth was dominated by network controls. Traditional network security controls remain an essential component of public cloud security, but they aren’t sufficient. AWS, Azure, GCP, and others offer a rich service portfolio that exposes public HTTPS endpoints by default, and IAM controls are the primary method of protecting those endpoints. Not all of these services allow IP-based access control list (ACL) rules, and where they do, IP-based ACLs are coarse and inflexible controls for modern microservice-based cloud applications. The foundation of information security in the public cloud is therefore identity-based security that controls access to cloud-based resources and data. Security professionals recognize that “identity is the new perimeter” for securing data in public clouds, and consequently proper identity security is crucial to managing access-related errors. At Sonrai Security we offer updated webinars to guide you on this journey of cloud security. Public cloud IAM models introduce many identity-to-data trust relationship configuration options that, although powerful, come with risk. For example, poorly configured IAM access controls leave significant attack vectors to sensitive data.
Many CISOs in our group believe the highest identity risk lies with “entitlements,” not users or identities alone. The ability to delegate roles can become quite problematic in a public cloud because delegated roles are often a hidden risk. Management controls must be adapted to address concerns around privilege delegation to a service or function. Compute, containers, and serverless functions can assume a role that is configured with permission to perform specific tasks and access certain data.
Granting an assumed role to a service can be your friend when your public cloud is architected correctly by a knowledgeable IT security and cloud team. It eliminates the unfortunate programming habit of storing service account credentials in configuration files or, worse, in the code. However, the delegation of a dominant role to a service must be fit for purpose with a focus on least privilege. Without this focus, you open your organization to risk.
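The two delegation risks discussed above (a role that too many principals are trusted to assume, and a “dominant role” whose entitlements are far wider than its purpose) can be checked statically before a role is deployed. The script below is an added example written for this post; it is not code from the original article or from Sonrai Security’s product. It parses AWS-style IAM policy JSON following the public IAM JSON policy grammar and flags the patterns a least-privilege review would reject. The two sample roles, the bucket name and the account id are constructed for the demo.

```python
"""Static least-privilege check for an IAM role's trust and permissions policies.

Added example, not code from the original post or from Sonrai Security: it
parses AWS-style IAM policy JSON (the public IAM JSON policy grammar) and
reports the delegation patterns the boardroom discussion warns about: a role
that any principal may assume, and a 'dominant role' with wildcard
entitlements. The sample roles and the account id are constructed for the demo.
"""
import json

OWN_ACCOUNT = "111111111111"  # constructed account id for the demo


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element into 'Type:value' strings."""
    principal = statement.get("Principal", {})
    if principal == "*":  # bare "*" is shorthand for {"AWS": "*"}
        return ["AWS:*"]
    return [f"{ptype}:{v}" for ptype, values in principal.items()
            for v in _as_list(values)]


def check_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Report who may assume the role when that set is wider than intended."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a.startswith("sts:assumerole") for a in actions):
            continue
        for p in _principals(stmt):
            if p == "AWS:*":
                findings.append("trust: any AWS principal may assume this role")
            elif (p.startswith("AWS:") and own_account not in p
                  and "Condition" not in stmt):
                findings.append(f"trust: cross-account principal {p} "
                                "with no Condition (e.g. sts:ExternalId)")
    return findings


def check_permissions_policy(policy):
    """Report wildcard entitlements that make this a 'dominant role'."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resource = "*" in resources
        if "*" in actions:
            findings.append("perms: Action '*' grants every API of every service")
        elif wild_actions and wild_resource:
            findings.append(f"perms: service-wide actions {wild_actions} on Resource '*'")
        if "iam:PassRole" in actions and wild_resource:
            findings.append("perms: iam:PassRole on Resource '*' lets this role "
                            "hand any other role to a service it launches")
    return findings


def audit_role(role, own_account=OWN_ACCOUNT):
    """Run both checks on a role record; an empty list means nothing flagged."""
    trust = json.loads(role["AssumeRolePolicyDocument"])
    perms = json.loads(role["PermissionsPolicyDocument"])
    return check_trust_policy(trust, own_account) + check_permissions_policy(perms)


# Constructed sample: a batch worker role with the risks the post describes.
OVERPRIVILEGED_ROLE = {
    "RoleName": "demo-batch-worker",
    "AssumeRolePolicyDocument": """{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"AWS": "*"}}]}""",
    "PermissionsPolicyDocument": """{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}""",
}

# Constructed sample: the same job scoped to one service and one bucket path.
SCOPED_ROLE = {
    "RoleName": "demo-report-reader",
    "AssumeRolePolicyDocument": """{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"Service": "lambda.amazonaws.com"}}]}""",
    "PermissionsPolicyDocument": """{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                     "Resource": "arn:aws:s3:::example-reports-bucket/*"}]}""",
}

if __name__ == "__main__":
    for role in (OVERPRIVILEGED_ROLE, SCOPED_ROLE):
        print(role["RoleName"], audit_role(role) or ["no findings"])
```

The over-privileged role produces three findings (open trust, service-wide wildcards on every resource, and unrestricted `iam:PassRole`) while the scoped role produces none. In practice a team would feed in the `AssumeRolePolicyDocument` returned by `aws iam get-role` and the role’s attached policy documents, and run the check in the CI/CD pipeline so a dominant role is caught before it is deployed rather than discovered later as a hidden entitlement.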
Our group’s CISOs are seeing privacy become a real hot button topic with board members with the advent of GDPR and similar regulations. They are beginning to see asks from the board to be educated on these topics and informed about the state of “privacy compliance” of the organization. Many of our group’s members see this as a huge challenge, as many cannot effectively answer “where is my data?”, “who can access my data?” and “when has it been accessed?” They foresee many difficult discussions that will wrestle with questions like “who and what exactly do we do with our customers’ data?” while “not stopping the business” or increasing risk.
Cloud complexities will continue to grow. The widespread adoption of cloud-native computing, micro-service-based architectures, containers, and serverless has led to an explosion in the number of ways that people and non-people identities can access sensitive data in public clouds. While this leads to incredible innovation, if ungoverned, it leads to a boatload of risk. Many CISOs must address the need for modern cloud-native organizations to find and prevent vulnerabilities tied to interrelationships between identity (people and non-people) and data.
Finding and eliminating complex identity and data access risks, in a way that aligns with how applications are developed today, is a big challenge for security teams. Whether in Azure, GCP or AWS, CISOs struggle with operational workflow and remediation, which keeps security from integrating seamlessly with development to eliminate risk in complex environments. Early cloud security systems focused on simpler cloud network setups and sent too many alarms to the wrong teams. The CISOs in our group think that a new cloud security model needs to be heavily focused on identity and data.
Shift Left Needs Clarity
Some CISOs felt very strongly that this was their very frustrating Achilles heel. There is still significant work to be done, particularly in bringing security into the CI/CD pipeline sooner. Although there is an industry-wide push to shift left, greater clarity is needed on how teams’ daily responsibilities are changing, because it impacts the entire organization’s security proficiency.
Building on the success of this boardroom session, we’re looking forward to ongoing, productive conversations focused on key data security issues including compliance, data governance, identities, and more. With this evolution underway, it is clear that leaders are reinventing how they govern and secure in this “new world,” and we are here to help any CISO operating in Azure, GCP or AWS.