Two Truths and a Lie About Cloud Security

This blog was originally published by JupiterOne here.

Written by Ashleigh Lee, JupiterOne.

Cloud technology saved many businesses from catastrophe during this past year, but it’s also introduced additional challenges to security, compliance, and governance practices.

The pandemic, with the stay-at-home orders, hastened the destruction of a “perimeter” and forced organizations to reframe how the business could run effectively while still protecting its cyber assets - infrastructure systems, physical endpoints, intellectual property, etc. This forced more digital transformation and brought to light two truths and a lie about cloud security.

Truth #1: The cloud security skills gap is real.

To keep up with industry trends, it only makes sense that the number one skill cited as a focus for cybersecurity professionals is cloud security. And while cloud is not new, securing the cloud continues to be a challenge.

The cybersecurity skill gap is something that’s been talked about for nearly the last decade. With the move to remote work, 56% of security professionals globally say that cybersecurity staff shortages are putting their organizations at risk.

Skill shortage increases the workload on existing staff and more experienced professionals, with 75% of security professionals citing increased workloads and being on call contributing to burnout. A nugget of hope, though, is the new crop of college graduates entering the cybersecurity workforce. With more universities developing programs focused on cybersecurity, the supply of talent will hopefully help diminish the skill gap.

Finding the time and resources to upskill is difficult, especially in a traditionally resource constrained environment. However, it stands to reason that by saving time in the day-to-day operations and breaking down tasks to share the workload with new college grads, employees carve out room to grow professionally.

Truth #2: Technology sprawl is real.

The speed at which the business runs creates technology sprawl. Every new person, process, and technology - the very things that run your digital operations, your business - bring risk that can grow wildly out of control if not properly managed.

But if the business can’t continue to innovate, they might as well be dead in the water. With whatever cybersecurity framework you use, the bottom line is you need to secure all your assets while empowering employees to drive business.

No matter how you look at the technology landscape, more isn’t always better. Each piece of technology may have its own means of security, but how can you, as the security leader, be strategic in your tech stack roadmap to get the visibility you need to see avenues of compromise before they happen AND respond proactively if all the controls are in different, disparate systems?

Lie: Compromise is mandatory.

The looming threat of “it’s only a matter of time before we’re compromised” doesn’t have to keep you awake at night.

Every piece of the security org plays their part to prevent compromise and protect the business. By getting a centralized view of all your cyber assets - people, policies & procedures, technology - and understanding the relationships across all of them, you are taking an attacker point of view. Attackers think in graphs.

Threat modeling teams, like the team at Aver, often spend a lot of time analyzing the paths that attackers could take to compromise systems and steal data.

It all starts with centralizing visibility of your systems and data.