From the Trenches: 4 Cloud Security Lessons from Aon’s Chief Security Officer Anthony Belfiore
Published 11/08/2021
This blog was originally published by Wiz here.
Written by Josh Dreyfuss, Wiz.
Cloud has driven innovation and agility for organizations, but for security teams it has also brought new levels of complexity around people, processes, and technology. Today’s elastic cloud environments have introduced new risks that security must develop approaches to address. Recently, CxO hosted a webinar and security executive roundtable titled “Take Control of your Cloud Infrastructure Security.” Security executives from across the world gathered to discuss their approaches to cloud security. Anthony Belfiore, Chief Security Officer at Aon, shared his approach to cloud infrastructure security. Here are some of the key takeaways from the discussion and the insights that Anthony shared.
#1: Complexity drives challenges around maintaining a strong cloud security posture
A common theme echoed throughout the discussion and Anthony’s experiences was one of complexity. Cloud environments are ever-increasing in their complexity, with new technologies and architectures rolled out continuously by a wide range of teams and owners, including third-party vendors. As a result, risks in the cloud are growing more complex every day. Security teams are stretched thin trying to get visibility into what’s out there and who owns what, and can’t afford to add more complexity to the mix themselves with complicated tools or agent-based deployments. This holds true when migrating from on-prem to the cloud, or dealing with multiple cloud environments.
“We were running a heavy on-prem, proprietary, legacy application environment and wanted to leverage cloud... One thing we realized very quickly, when you try to port legacy on-prem apps to the cloud: they don’t port very well... When you port these things, sometimes things are lost in translation. Certain controls are dropped. Certain configurations don’t map effectively. For me, how could I get a level of comfort and assurance that [these apps] are operating in the cloud according to the security requirements and criteria we defined?” -- Anthony Belfiore
Whether dealing with migration, compliance requirements, or keeping up with the pace of internal innovation, cloud security posture is becoming more and more challenging. CISOs are looking for ways to simplify their security and get visibility into diverse and dynamic cloud environments wherever possible.
#2: Having a cloud validation capability is important
Zero trust should apply to everything in security, including your own architecture. This means security teams need to be able to validate their cloud environment holistically across platforms, technologies, and layers of risk. Security teams can’t blindly trust third-party providers, or even their own topology diagrams. They must be able to validate and verify what’s actually happening in production.
“We were trusting [our providers] implicitly, but it was a mistake. You’ve got to trust but validate; got to verify that everything is working in those clouds as it’s meant to. Whether dragging and dropping, or retrofitting legacy stuff, or building natively in cloud, you need a validation capability.” -- Anthony Belfiore
#3: Security teams need to spend their time on the most pressing issues
Security teams are outnumbered by DevOps dozens to one, and often face tens of thousands of alerts across their environment. They can’t afford to spend time on low-priority alerts, or on chasing their DevOps partners to fix issues that have a low impact. They need to find ways to accurately prioritize issues, and should have a bias towards tools that bring quick time to value and enhanced security ROI.
“I have a finite amount of budget cycles and time. I have to allocate them to the most pressing issues...” -- Anthony Belfiore
Beyond time to value and security ROI, with limited security personnel and resources, cloud security teams are looking for ways to empower other security team members and DevOps partners. The more collaborative and accessible that you can make your security investigations and remediation, the more your team can handle.
#4: Agentless tools are the wave of the future
With the interconnectedness and complexity of cloud environments, security approaches that impact the environment are becoming increasingly untenable. Getting proper coverage with agents is difficult already, let alone the added costs in terms of complexity and resource utilization. There was general agreement among the CISOs in the discussion that less is more when it comes to security agents.
Authenticated scanning tools can be too intrusive and lead to negative impacts on cloud infrastructure as well. The right approach is one that is unobtrusive and has no impact on the cloud environment.
“… the way we used to do things on-prem with...any of these scanning VM platforms, that goes the way of the dodo.” -- Anthony Belfiore
See the discussion for yourself
When it comes to the cloud, figuring out ways to tackle the most critical issues as a security team is a never-ending challenge. Increasing complexity, a need for more visibility and validation, and ruthless prioritization are all key areas of focus for security teams across companies of all sizes. The round table and stories from Anthony all served as good reminders of these facts. You can watch Anthony share his learnings and experiences yourself here.