Underground or in the Cloud: The Reality of Risk
From September 13 to 15, 2021, Wipro and AWS hosted a two-day roundtable with senior security leaders from a range of industry verticals, followed on day three by a panel discussion at the GDS Security Summit titled ‘Building a Positive Security Culture Around the Business’.
This article summarizes the discussions and the key learnings from the recently concluded roundtable.
Risk is omnipresent and uncontrollable
Risk can be reduced and managed, but never eliminated, and the need to invest in security is now accepted across the board. With new threats emerging constantly, responding to them is becoming costly and time consuming.
The roundtable focused on best practices around:
- Emerging threats and how they can damage the business
- Tools and technologies emerging to combat new threats
- The right approach – reactive or proactive
- Strategies to improve the organization’s security posture
Business imperatives and challenges
The key imperatives discussed at the roundtable included:
- The board needs to be more interested and involved in cyber and cloud governance, and organizations need up-to-date ways to secure their cloud environments.
- There is always a tradeoff between native and third-party security controls in the cloud. How do you balance security and ROI with a combination of cloud-native and third-party solutions?
- How do I provide assurance to my internal customers (LOBs) that the business applications hosted on the cloud platform meet security and compliance requirements?
- How do I address identity fatigue and issues around entitlements?
- Is Zero Trust a myth or reality – an aspirational journey or something else?
- Cybersecurity is already a niche skill set, and cloud security raises the bar further. How do I handle the shortage of staff with the skills to manage cloud security?
Observations and recommendations
- Board buy-in and support: Company boards are taking more interest in security matters than ever before. The conversation between the board and the security team has matured, with the board more aware of the serious implications of security failures. There should be a constructive dialogue and a regular cadence between the board and the CISO / security group to review the organization’s security risk posture, and security should be a standing item on the board’s agenda.
- Better return on investment (ROI) while being secure: Organizations usually end up with a combination of hyperscaler-native security services and third-party solutions. A “multi-cloud security controls framework” and a deliberate selection of native and third-party controls helps ensure that the level of security matches the technical requirements and delivers better ROI. Organizations should also identify and enforce a uniform set of common security controls across their multi-cloud or hybrid environment, so that a control (for example, encryption at rest or centralized logging) is verified the same way on every platform.
- Security risk posture visibility for lines of business (LOBs): Giving LOBs the right visibility into the security risk posture of their business applications running in the cloud is one of the key KPIs of the IT or security organization. Organizations should look for capabilities, frameworks or solutions that continuously monitor the cloud environment from a security perspective and present a continuous risk and compliance view of business applications through a single pane of glass that LOBs can easily consume.
- Identity and entitlement issues: Cloud-based digital identities scale up quickly, and entitlements and permissions become hard to reason about when working out who has access to which data across cloud platforms. The result is high-risk, over-permissioned identities that can cause intentional or unintentional damage in your environment. Apply the principle of least privilege and adopt a CIEM (Cloud Infrastructure Entitlement Management) framework to gain visibility into over-provisioned and inactive identities, cross-account access and related aspects.
- Zero Trust – the next wave to ride: No security is foolproof and data breaches will probably never be eliminated, but Zero Trust reduces the attack surface and so the cost and time spent responding to breaches. It works on the principle of ‘trust no one and verify everyone’: every user, device and connection is authenticated and authorized, every time. Depending on the organization’s maturity, start exploring how Zero Trust can meet technical requirements and provide assurance for security initiatives. Keep in mind that Zero Trust is a continuous process, not a product you install once.
- Cloud security skill challenges: The cloud security skill shortage is a key pain point for IT security and hiring teams and is likely to get worse. Cloud security skills are hard to find and often come at a premium. One way to ease this challenge is automation. Cloud environments can be automated in several ways: building an MVP (Minimum Viable Product) with Infrastructure as Code (IaC) and hyperscaler-provided automation capabilities, embedding automated security checks in the DevOps lifecycle, and, most importantly, building the right set of playbooks that identify potential security issues or incidents and reconfigure the cloud environment through its APIs.
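The identity item and the automation item above describe the same kind of playbook: pull an entitlement snapshot through the cloud APIs and flag over-provisioned identities, inactive identities and cross-account access. The following is an added illustration of that review logic, not code from Wipro, AWS or the roundtable. It runs offline on a constructed snapshot whose field names (`users`, `roles`, `last_activity`, `policies`, `trust`) are assumptions; the policy documents inside it follow the general shape of IAM policy and trust documents, and the 90-day inactivity threshold and reviewed account id are assumed values.

```python
"""Constructed CIEM-style review of an IAM entitlement snapshot (added example).

Not AWS, Wipro or roundtable code. Works only on the inline sample data so it
runs offline; in practice the snapshot would come from the cloud provider's
IAM / credential-report APIs.
"""
from datetime import datetime, timedelta, timezone

OUR_ACCOUNT = "111111111111"                      # assumption: account under review
INACTIVITY_DAYS = 90                              # assumption: policy threshold
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)  # frozen clock for reproducible results

# Constructed snapshot: two users, two roles. Field names are assumptions.
SNAPSHOT = {
    "users": [
        {"name": "alice", "last_activity": "2021-09-28T10:00:00Z",
         "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::app-data/*"}]}]},
        {"name": "legacy-svc", "last_activity": "2021-03-01T00:00:00Z",
         "policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    ],
    "roles": [
        {"name": "ci-deploy",
         "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
         "policies": [{"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"],
                                      "Resource": "*"}]}]},
        {"name": "vendor-access",
         "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]},
         "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                                      "Resource": "*"}]}]},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_grants(policies):
    """(action, resource) pairs that allow a whole service, or everything, on any resource."""
    found = []
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action", [])):
                for resource in _as_list(stmt.get("Resource", [])):
                    if resource == "*" and (action == "*" or action.endswith(":*")):
                        found.append((action, resource))
    return found


def inactive_users(snapshot, now=NOW, days=INACTIVITY_DAYS):
    """Names of users with no recorded activity inside the threshold window."""
    cutoff = now - timedelta(days=days)
    stale = []
    for user in snapshot["users"]:
        last = datetime.strptime(user["last_activity"], "%Y-%m-%dT%H:%M:%SZ")
        if last.replace(tzinfo=timezone.utc) < cutoff:
            stale.append(user["name"])
    return stale


def _account_of(principal):
    """Account id from an ARN (arn:aws:iam::ACCOUNT:...) or a bare 12-digit id."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[4] else None


def cross_account_roles(snapshot, our_account=OUR_ACCOUNT):
    """(role, account) pairs where the trust policy lets another account assume the role."""
    hits = []
    for role in snapshot["roles"]:
        for stmt in role["trust"].get("Statement", []):
            principal = stmt.get("Principal", {})
            if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
                continue
            for arn in _as_list(principal.get("AWS", [])):
                account = _account_of(arn)
                if account and account != our_account:
                    hits.append((role["name"], account))
    return hits


def review(snapshot):
    """Findings a CIEM dashboard would surface: (category, identity, detail)."""
    findings = []
    for identity in snapshot["users"] + snapshot["roles"]:
        for action, resource in wildcard_grants(identity["policies"]):
            findings.append(("over-permissioned", identity["name"], f"{action} on {resource}"))
    for name in inactive_users(snapshot):
        findings.append(("inactive", name, f"no activity in {INACTIVITY_DAYS} days"))
    for name, account in cross_account_roles(snapshot):
        findings.append(("cross-account", name, f"assumable from account {account}"))
    return findings


if __name__ == "__main__":
    for category, name, detail in review(SNAPSHOT):
        print(f"{category:17s} {name:14s} {detail}")
```

On the sample data the review flags `legacy-svc` twice (a full `*` on `*` grant and no activity since March), `ci-deploy` for `ec2:*` on every resource, and `vendor-access` as assumable from an account that is not ours. The wildcard check is deliberately narrow: `iam:PassRole` on `*` is not a wildcard but is still a privilege-escalation path, which is exactly the kind of entitlement a fuller CIEM ruleset would add next.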
The way forward for cloud security
Security needs to be an enabler for the business rather than a hindrance. Organizations need to understand the tradeoff between proactive and reactive approaches and combine both when defining their cloud security strategy. Embrace a shift-left approach so that applications are developed and operated securely in the cloud. Apply a combination of the recommendations above to make your cloud journey secure and to build a culture of frictionless security in the cloud.