By taking workloads from on-premises to the cloud, chief information security officers (CISOs) can lower their cyber risk in many ways, particularly by eliminating the need to install patches for on-premises applications.
But the cloud doesn’t eliminate risk, a speaker at IT World Canada’s MapleSEC online conference warned Tuesday. It merely distributes it differently.
CISOs need a holistic cybersecurity strategy that encompasses workloads wherever they are, said Keith Mokris, product marketing lead for Palo Alto Networks’ Prisma cloud management service.
Each cloud provider makes sure its service is secure, he said, but customers are responsible for configuring their own cloud resources. That includes configuring and securing cloud networks, and protecting their hosts, containers, application and storage from vulnerabilities.
He also reminds CISOs that cloud workloads still have to meet corporate compliance standards. An unencrypted database in the cloud could violate SOC 2, PCI-DSS, HIPPA and other standards or a firm’s internal security requirements.
One problem is there isn’t one cloud. There are three cloud stacks: service providers, like AWS, technology and compute providers, and application providers. An organization might have virtual machines, containers or Kubernetes applications connecting to storage databases or automation components, all in the cloud, Mokris said. “Security needs to connect to all these different layers in a comprehensive way because if I have risk in one area it can impact my overall risk.”
Be prepared
In a Palo Alto Networks global survey a year ago, infosec pros estimated that by this time 64 per cent of their workloads would be in the cloud, and Mokris believes the prediction has been fulfilled. But, he noted, not all organizations are prepared. For example, research shows that many organizations are using application access keys for more than 90 days. “If you’re not rotating access keys and managing them in a secure manner they can become stale, outdated and not meet the security posture you want to deliver,” he said.
Vulnerability management isn’t just for hosts, he added. It also has to be done for container images and serverless functions, as with any other application component.
For example, he said, research shows 24 per cent of cloud hosts have known vulnerabilities, many of which could be addressed by infosec teams. Research also shows 60 per cent of organizations aren’t following network configuration best practices. Insecure network configurations could lead to data loss, he said.
Three keys
There are three keys to security protection and compliance in the cloud, Mokris said:
1 – Monitor every resource with an application that gives visibility and control over your entire cloud. If you don’t know where everything is deployed – which, he admits, is difficult in a multi-cloud environment – it’s going to be difficult to achieve a high level of security;
2 – Identify and prioritize security issues, which can then be remediated. “As you get more mature and start to understand where risks originate, then you can implement guardrails or security controls as part of the application life cycle. Then you can pass these flaws to your development and DevOps teams and make sure they can address them in a comprehensive way.”
3 – Ensure you can implement and maintain compliance. This isn’t about “flying through your next audit,” he said. “It’s about making sure you can be effective day over day in addressing industry frameworks or internal compliance regime.”