Evolving Security to Meet the Challenges of the Cloud, Part 1

Written by Raul Neagoe, Senior Cyber Security Product Manager, NTT DATA.

The widespread move to the cloud has forced organizations to restructure themselves to be more flexible, scalable, and adaptable in a variety of ways. However, these advancements have posed new challenges to cyber security experts. Cloud security requires a different approach to managing risk and designing security controls because it is a shared responsibility model and cloud service providers are constantly releasing new features and services. The industry has had to redefine what it means to build a strong security posture.

The challenges of the cloud are new, and the solutions are as well: but the structure of those solutions is familiar to anyone who’s been in the cybersecurity industry for any length of time. There is no single technology or process that will solve today’s problems, but rather it’s the time-tested combination of people, process, and technology.

What Does Good Look Like?

Hackers defeating complex security isn’t the biggest enterprise risk: misconfigurations and improper setups remain the largest contributors of cloud data breaches. The Capital One breach, for example, was primarily due to misconfigurations and excessive permissions. Accenture, Nice Systems, Cognyte, and scores of others have dealt with breaches that were costly and embarrassing—but avoidable.

And it’s not simply initial misconfigurations that are the problem: configuration drift is a major issue as well. “Configuration drift is usually down to changes made in production workloads without proper consideration given to security.” Says Ronald Prasad, Cloud Security Consulting Director for NTT DATA. “Businesses are usually mostly focused on enabling their critical use cases. Modern businesses react quickly: they’re flexible and adaptive. This means deploying new features and software in the cloud environment as quickly as possible to maintain their edge. Security can at times become a secondary consideration. Ultimately this is about the balance between innovation and security. The risk is we move so slowly we stifle innovation, or we move so quickly and don’t effectively mitigate risk.”

In the wake of such challenges, there has been a race to develop a set of best practices that can account for such egregious oversights. the stable security perimeter of legacy institutions is being replaced by an amorphous multi-cloud environment subject to constant change. Attempts to extend traditional approaches to security have simply caused an increase in complexity and lack of visibility. How then, do we proceed?

Process: Shift Left and Continually Improve

As with every other enterprise-level system connected to the internet, cloud instances must be built with security in mind. Rushing to set up an enterprise cloud, and planning on going back to build in the security later is to plan for failure. Retroactive security measures are never as effective, and organizational friction often slows or prevents their implementation at all.

All of the major cloud providers provide very robust best practices and implementation guides and wizards to help set things up correctly. In the race for cloud adoption, sometimes implementations are rushed to meet business objectives: but this is not a corner that can be cut safely. It’s critical that cloud architects and security teams take the time to set things up with security in mind from day one–and keep it in mind as they move forward.

Software companies will be well aware of the CI/CD pipeline–continuous improvement and continuous development. The CI/CD pipeline enables developers to build, test, and incorporate changes to code more frequently, producing better quality code that can be deployed automatically.

This, however, only works if the software/service architecture is built in a way that supports iterative releases, and makes it critical that precautions are taken during the initial stages of the software development process. Infrastructure as Code (IaC) is a prime example. IaC is designed to make cloud provisioning simpler, faster, and predictable. However, if security is not applied at the IaC layer, misconfigurations are practically unavoidable.

And this can all be foreign territory for organizations outside the software development industry–but it’s critical to building robust cloud security. That leads us to the second pillar: the people, found in part two.

This is the first in a two-part series.

About the Author

Raul Neagoe is a Senior Cyber Security Product Manager coordinating Cloud and Application security services product offerings at NTT Data Services.

Prior to that, Raul has served as an Information Security Manager for Private Cloud and Dynamic Work Place where he was responsible for the end-to-end Cybersecurity Program.

Raul has more than 15 years of experience in cybersecurity and a proven track record of success in design, delivery and management, of cybersecurity solutions and services across multiple industry sectors.

He's deeply passionate about technology especially cloud, security automation, and AI. In his spare time, he teaches as a guest professor of Incident Management and Cloud security at a Romanian university that's focused on empowering the new generation of cybersecurity specialists.