"I hate cloud security."

Is this you?

I don’t think this is a particularly controversial or uncommon view of cloud security. But I do think if we try to understand why we hate it more than a Monday morning paper cut, we might learn a few things. So, come commiserate with me for a few minutes, and then we can cowboy-up together and go make our clouds safe for our developers, our clients, and our clients’ clients.

Why does cloud security deserve the hate?

Well, the cloud represents an almost perfect democratization of technology. ANYBODY can buy a cheap (or even free!) ticket to the cloud. There’s no test to pass, no skills to demonstrate, and no capital investment to make. In the cloud, everyone can be a server administrator, an app developer, a cloud native architect, or any other role they want to be. No constraints whatsoever! Sounds pretty good, maybe the ultimate version of technology freedom, right? It’s also freedom to misconfigure, freedom to expose data, and freedom to make all sorts of security mistakes and omissions. When you hand your toddler the keys to the minivan, you have to expect accidents. VMs vulnerable to compromise? Check. Data exposed to the public? You bet! Cloud-scalable data downloads for the bad guys – great!!

To make cloud services easy to buy and easy to use, and therefore popular, our favorite public cloud service providers themselves are also complicit in cloud-toddler endangerment. Cloud resources are often not secure by default, nor is it typically easy to understand what needs to be done to secure them. Proper compliance enforcement costs extra – in tools, skills, time and attention.

Guess who budgeted and planned for that?

And let’s not forget the new services being added every day. What data does the new cloud native wonder-service expose? Is it another door into your enterprise? Does it put any of its cloud service brethren at additional risk? Most importantly, how do we hope to secure it if we don’t even know it exists? Ultimately, security in the cloud is difficult, hard to explain, often unplanned, and it’s not going to get simpler anytime soon.

Okay, enough hate for one post. Let’s talk about the steps to take so your cloud security efforts can be a little less painful.

Part 1 of 3 – Knowing Your Estate

It’s important to know your entire estate. Cloud provisioning is extremely frictionless, so anyone can do it with a credit card. It’s no good securing 95% of your EC2 instances – you need to know them all.

  • If you already have solid IT governance, you’ve got a framework to apply to the cloud. Use it to manage at the account level and keep track of which teams and groups own which cloud accounts.
  • If you don’t have strong IT governance, that’s ok. Work with procurement and/or the expense management team in your company so you can start to track and control cloud spend. That gives you another lens on what your organization is doing in the cloud, and even a way to help control it.
  • If you’re an organization that is quite conservative, whether by culture or because of the regulatory environment you operate in, you might even have a leg up here, because you may be able to prevent cloud adoption before your security program is ready to support it, rather than chasing behind it.
  • Once you know your accounts, you’ll need to work with your teams to understand which cloud services they are using. Regular “discovery scans” are a must, as accounts have a tendency to grow organically. Knowing the services your teams use lets you focus your efforts on the right technologies as you work to get it all under proper compliance monitoring, and ultimately non-compliance prevention.
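As an added example (not code from the original post), here is the reconciliation a discovery scan feeds: a constructed account-owner registry is compared with the account list a billing or Organizations export would return and with CloudTrail-shaped control-plane events, flagging accounts that nobody owns and services that no compliance check yet covers. The account ids, team names, event sample and monitored-service set are all constructed.

```python
"""Estate reconciliation: registered owners vs. discovered accounts and services.
Added example; all inputs below are constructed stand-ins, not real data."""
from collections import defaultdict

# (a) Governance registry: account id -> owning team (constructed).
REGISTRY = {
    "111111111111": "payments-platform",
    "222222222222": "data-science",
}

# (b) Accounts seen by billing / the Organizations export (constructed).
DISCOVERED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

# (c) Discovery-scan events in CloudTrail shape: who did what, in which account (constructed).
EVENTS = [
    {"recipientAccountId": "111111111111", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"recipientAccountId": "111111111111", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"},
    {"recipientAccountId": "222222222222", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateNotebookInstance"},
    {"recipientAccountId": "333333333333", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"recipientAccountId": "333333333333", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
]

# Services the compliance tooling already watches (constructed).
MONITORED_SERVICES = {"ec2", "s3"}


def unowned_accounts(registry, discovered):
    """Accounts that exist but have no recorded owner: the slice nobody is securing."""
    return sorted(set(discovered) - set(registry))


def services_by_account(events):
    """Derive which services each account uses from its control-plane events."""
    usage = defaultdict(set)
    for ev in events:
        service = ev["eventSource"].split(".")[0]  # "ec2.amazonaws.com" -> "ec2"
        usage[ev["recipientAccountId"]].add(service)
    return {acct: sorted(svcs) for acct, svcs in usage.items()}


def unmonitored_services(events, monitored):
    """Services in use anywhere in the estate that no compliance check covers."""
    in_use = {svc for svcs in services_by_account(events).values() for svc in svcs}
    return sorted(in_use - monitored)


def coverage_report(registry=REGISTRY, discovered=DISCOVERED_ACCOUNTS,
                    events=EVENTS, monitored=MONITORED_SERVICES):
    """One report per scan: what is unowned, what each account runs, what is unwatched."""
    return {
        "unowned_accounts": unowned_accounts(registry, discovered),
        "services_by_account": services_by_account(events),
        "unmonitored_services": unmonitored_services(events, monitored),
    }
```

In practice the three inputs come from the ownership register, the billing export and CloudTrail (or a Config aggregator) respectively; the report is what drives the follow-up with the teams.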

I discuss Step 2: Measuring Your Compliance, and Step 3: Cleaning Up to Prevent in upcoming posts ... stay tuned!

Kris Burkhardt

Lead – Information Security Technology, Operations, and Response
