As cloud infrastructures become increasingly API-driven and dynamically spread across expansive attack surfaces, maintaining visibility proves difficult. Compounding this challenge is the adoption of DevOps practices, microservices, and container technologies, which, while fostering agility and scalability, introduce additional layers of abstraction and potential security blind spots.
In this Help Net Security interview, Kennedy Torkura, CTO at Mitigant, discusses the complexity of maintaining clear visibility into cloud environments, why it poses such a challenge for CISOs, and how they can prepare to address potential issues.
Can you discuss the role of visibility in managing cloud security and why it’s such a significant challenge for CISOs today?
Visibility into the security posture is critical for staying ahead of cloud attackers due to the nature of cloud infrastructure. Cloud infrastructure is largely API-driven, composed of dynamic resources mostly spread across a wide attack surface. The combination of these factors and many others poses huge challenges to effective cloud security. Therefore, a core requirement for having a grip on cloud security is enabling reliable visibility. Several mechanisms could be leveraged to enhance visibility, including implementing logging and monitoring mechanisms, enabling change management strategies that track all changes in cloud resources and configurations, and implementing threat detection and incident response strategies.
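The change-tracking point above is concrete in practice: the API-driven nature of the cloud means every configuration change is an API call, and those calls land in an audit log such as AWS CloudTrail. The script below, an added example that is not code from the interview or from Mitigant, triages constructed CloudTrail-style records into findings. It skips read-only calls, escalates anything that tampers with the logging pipeline itself, flags security groups opened to the whole internet, and records every other mutation as a configuration change. The severity rules are an assumed minimal starting point, not an exhaustive detection set.

```python
"""Triage CloudTrail records into change-tracking findings.

Added example (not code from the interview or from Mitigant). The records
below are constructed to look like CloudTrail events; the severity rules
are an assumed, minimal starting point, not an exhaustive detection set.
"""
import json

# CloudTrail API names with these prefixes only read state; everything else mutates.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Head", "Lookup")

# Calls that blind the audit trail itself: an attacker's first move, so highest priority.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _public_ingress(params):
    """Return True if an AuthorizeSecurityGroupIngress call opens a port to the world."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in (perm.get(key) or {}).get("items", []):
                if rng.get("cidrIp") in PUBLIC_CIDRS or rng.get("cidrIpv6") in PUBLIC_CIDRS:
                    return True
    return False


def classify(record):
    """Map one CloudTrail record to a finding dict, or None for read-only calls."""
    name = record["eventName"]
    if name.startswith(READ_ONLY_PREFIXES):
        return None
    base = {
        "time": record["eventTime"],
        "actor": record.get("userIdentity", {}).get("arn", "unknown"),
        "source": record["eventSource"],
        "event": name,
    }
    if name in LOGGING_TAMPER:
        return {**base, "severity": "critical", "reason": "logging pipeline modified"}
    if name == "AuthorizeSecurityGroupIngress" and _public_ingress(record.get("requestParameters", {})):
        return {**base, "severity": "high", "reason": "security group opened to 0.0.0.0/0 or ::/0"}
    return {**base, "severity": "info", "reason": "configuration change"}


def triage(records):
    """Classify every record and return the findings, most severe first."""
    order = {"critical": 0, "high": 1, "info": 2}
    findings = [f for f in map(classify, records) if f is not None]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample records; the field layout follows the CloudTrail record format.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-03-01T09:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T09:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-03-01T09:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-data"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

In production the records would come from the trail's S3 bucket or a CloudWatch Logs subscription rather than an inline list, and a `StopLogging` finding should page someone immediately, since every later change is invisible once logging is off.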
How does DevOps’s dynamic environment, especially with the introduction of microservices and containers, contribute to the complexity of maintaining clear visibility into cloud environments?
Despite their advantages, microservices and containers bring in several layers of abstraction, which increase the complexity of cloud-native systems. The Kubernetes security team uses the notion of the “4Cs of cloud-native security” to explain this phenomenon. Microservices and containers operate at various abstraction layers composed of several technologies, including different kinds of communication protocols. Security mechanisms are usually designed to address security issues in specific technologies.
Consequently, this limits the effectiveness of security mechanisms within an abstraction layer. Ultimately, in a cloud-native infrastructure, several security mechanisms are required to enable visibility. However, these security mechanisms often operate in silos and thus struggle to provide unified visibility. Overcoming these challenges requires deploying communication channels across the disparate security mechanisms in the various abstraction layers. Moreover, microservices and containers are designed to be dynamic; hence, tracking and maintaining visibility is challenging.
Considering the increasing trend of threat actors exploiting misconfigurations to infiltrate organizations, what strategies should CISOs adopt to mitigate these risks in their cloud environments?
The prevalence and sophistication of threats are rapidly increasing, which is a huge concern for many organizations. There is no one-size-fits-all approach to overcoming these challenges; mature organizations with sufficient security budgets have not been spared, so the solution is not just about having a sufficient budget to acquire best-of-breed security solutions. Basic security hygiene forms the foundation for mitigating the associated risks. Organizations need to ensure this by fostering a culture of cyber security. Furthermore, the notion of “assume breach” is imperative, given that there is no guarantee of achieving 100% security.
Organizations need to implement mechanisms that continuously validate the efficacy of their security controls. Several security solutions can be leveraged to continuously validate security efficacy, including security chaos engineering, adversary emulation, and threat hunting. The last point I’d like to mention is moving from cyber security to cyber resilience. While cyber security aims to detect and prevent attacks, cyber resilience drives towards withstanding or adapting to attacks while enabling business continuity in the face of adversity.
How does using multiple public and private clouds and on-premises environments add to the management complexity and operational cost?
Using multiple public and private clouds, along with on-premises environments, introduces various challenges that can contribute to increased management complexity and operational costs for organizations. While multi-cloud and hybrid environments offer various benefits, such as flexibility, scalability, and resilience, they also come with inherent complexities that must be carefully managed. The usage of multiple public and private clouds, including on-premises environments, implies diverse infrastructure with different APIs, technologies, etc.
Maintaining a consistent security posture in this diverse environment is seriously challenging. Security mechanisms would differ per cloud, and the skills required to manage the mechanisms would equally be different. The impact of this diverse environment cuts across people, processes, and technology and potentially creates blind spots that attackers could leverage. Similarly, the attack surface exposed in this diverse infrastructure is challenging to govern.
Can you describe the problems organizations might face when they add cloud services in an ad hoc manner? How can such practices be improved?
Cloud services provide a lot of value for organizations. However, the decision to add more cloud services needs to be governed and considered not just from a functionality perspective but also from a security standpoint. The notion of security by default should be adhered to, especially as cloud services tend to have overlapping functionalities; thus, adding more services without adequate planning might result in redundancy, wastage of resources, and unwarranted expansion of the existing attack surface.
These can be avoided by adopting several security practices, including security architecture and design reviews and threat modeling exercises to justify the need for these services. Other approaches to address this issue include the use of services provided by cloud service providers for enforcing organization-wide policies, e.g., AWS Organizations. With such services, stringent governance can be applied to avoid either intentional or erroneous use of cloud services not previously planned.
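The AWS Organizations mechanism mentioned above is a service control policy (SCP): a deny-by-default document attached to an organizational unit so that accounts inside it cannot use services or regions outside the approved set, regardless of what their own IAM policies allow. The code below is an added example, not from the interview or from Mitigant. It generates such an SCP with two statements (deny every service not on an allowlist, and deny every non-global service outside an allowlisted region) and includes a deliberately simplified local check of a request against those two statements. The allowlists are assumptions for illustration, and `is_denied` models only these two statement shapes, not AWS's full policy evaluation logic.

```python
"""Deny-by-default service control policy (SCP) for AWS Organizations.

Added example, not code from the interview or from Mitigant. The allowlists
are assumptions for illustration; `is_denied` is a deliberately simplified
model of how these two SCP statements behave, not AWS's full policy evaluator.
"""
import json

# Assumed allowlists: the services and regions the organization has planned for.
ALLOWED_SERVICES = ["ec2", "s3", "iam", "cloudtrail", "kms", "sts", "organizations"]
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]
# Global services are not bound to a region, so the region statement must exempt them.
GLOBAL_SERVICES = ["iam", "sts", "organizations"]


def build_scp():
    """Return the SCP document: anything outside the allowlists is denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Deny every action whose service is NOT in the allowlist.
                "Sid": "DenyUnplannedServices",
                "Effect": "Deny",
                "NotAction": [f"{svc}:*" for svc in ALLOWED_SERVICES],
                "Resource": "*",
            },
            {
                # Deny regional services used outside the allowlisted regions.
                "Sid": "DenyUnplannedRegions",
                "Effect": "Deny",
                "NotAction": [f"{svc}:*" for svc in GLOBAL_SERVICES],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
            },
        ],
    }


def is_denied(action, region, scp=None):
    """Simplified check of one request ("service:Action" in a region) against the SCP.

    Models only the two statement shapes produced by build_scp: a Deny with
    NotAction, optionally conditioned on aws:RequestedRegion.
    """
    scp = scp or build_scp()
    service = action.split(":", 1)[0]
    for stmt in scp["Statement"]:
        exempt_services = {a.split(":", 1)[0] for a in stmt["NotAction"]}
        if service in exempt_services:
            continue  # NotAction carves this service out of the Deny
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed_regions = cond.get("aws:RequestedRegion")
        if allowed_regions is None or region not in allowed_regions:
            return True  # explicit Deny wins over any Allow in the account
    return False


def audit(requests, scp=None):
    """Return the subset of (action, region) pairs the SCP would block."""
    return [(a, r) for a, r in requests if is_denied(a, r, scp)]


if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    sample = [("ec2:RunInstances", "eu-central-1"),
              ("ec2:RunInstances", "us-east-1"),
              ("sagemaker:CreateNotebookInstance", "eu-central-1"),
              ("iam:CreateUser", "us-east-1")]
    for blocked in audit(sample):
        print("blocked:", blocked)
```

The printed document is what you would attach to an organizational unit with AWS Organizations. Two caveats a practitioner should keep in mind: SCPs never restrict the management account, so keep workloads out of it, and an overly tight allowlist can break a deployment pipeline in ways that look like an outage, so attach a new SCP to a sandbox OU first and watch for `AccessDenied` events in CloudTrail before rolling it out organization-wide.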
With few IT teams possessing the requisite expertise to manage hybrid deployments encompassing multiple public clouds, private clouds, and on-premises environments, how can CISOs prepare to address potential issues? What training or skill enhancement can be done?
A huge challenge in the industry today is the lack of sufficient skills. Several measures could be implemented to counter this challenge, including providing an educational budget and training opportunities for staff to acquire knowledge and skills related to their job roles. Several online providers offer cloud training programs for organizations. Organizations can leverage these opportunities by subscribing to such programs and encouraging employees to enroll in and complete them.
Furthermore, cloud training programs could also be organized within the organization, where external or in-house subject-matter experts are invited to share their knowledge. This can be a mix of theoretical concepts and practical game-day-style exercises or hackathons that allow practicing cloud computing skills.