The pandemic crisis created a rapid shift of workloads to the cloud. It also created new risks and cybersecurity challenges. As continuous change, disruption, and persistent threats become the new operating normal, companies struggle to keep their cloud estates and endpoints secure.
Cloud security is critical as companies increasingly look to cloud computing to rapidly scale and launch new services without substantial capital investment. With more mission-critical business processes underpinned by cloud technology, it is also vital to protect valuable data that resides in the cloud and cloud-based business processes.
Migrating workloads to the cloud has its fair share of challenges. Companies typically need to manage a mix of on-premises technology and multiple clouds, including a variety of IaaS, PaaS, and SaaS providers.
Having a unified view across all assets, cloud or on-premises, is proving to be complex. The increasing risk from cyberattacks associated with cloud migration and hybrid cloud implementations compounds these complexities.
The interconnected nature of hybrid and multi-cloud environments means that a security breach in one area could become a gateway for attacks across multiple clouds and even on-premises.
Remote working, which sees more users, devices, applications, and data located outside of the enterprise, massively expands the attack surface. It creates many more new opportunities for threat actors.
Many security controls are not designed for the dynamic, distributed, and virtual nature of cloud environments and widely dispersed remote working.
Security is often unable to scale across an expanding number of people and devices located outside the traditional enterprise perimeter, and policies are not fit for purpose.
New technology architectures are also often not aligned with security policies, leading to misconfigured clouds, opportunities for unauthorized access, and insecure interfaces/APIs.
Even if the architectures are aligned, remote workers often use devices that do not comply with security policies. This further expands the attack surface and creates new vulnerabilities, made worse by compliance, governance, and risk management structures either not being in place or having no clearly defined accountabilities.
Watch Sean Duca, the vice president and regional chief security officer (CSO) for Asia Pacific & Japan at Palo Alto Networks, explain why CISOs need to widen their mandates.
Cloud service providers adhere to a shared security responsibility model, which means your security team maintains some responsibilities as you move applications, data, containers, and workloads to the cloud. The provider also takes some responsibility, but not all.
This shared responsibility model for security between cloud service providers and their customers needs to be understood in greater depth while planning security for different cloud services being consumed.
Many companies have simply not adjusted to a new shared responsibility model for cybersecurity. This can leave huge cybersecurity gaps, particularly regarding access controls and security posture alignment across clouds and on-premises resources.
Supply chain hangover highlights the need for DevSecOps
Cloud is modernizing the software development lifecycle — building a zero-trust framework is becoming very important with today’s sophisticated attacks. The recent SolarWinds attack showed how third-party risks can indirectly impact all businesses. We need robust processes to mitigate these risks, including clear identification of dependencies and accountabilities.
Identifying such an attack needs a different approach — it requires much more than traditional antivirus solutions, firewalls, intrusion detection services, and other monitoring apparatus.
Security needs to be part of application design. Baking security into the process of coding builds much greater agility into security. The widespread use of cloud-native technologies, including containers, serverless, and microservices, enables the continuous integration and continuous delivery of updated code without impacting an application’s performance.
DevSecOps ensures that developers think about security as they write code and allows security issues to be addressed quickly if they appear after deployment, internally or from a third party. For cloud-native applications, DevSecOps is essential for the continued security of cloud workloads.
It can be assumed that many more supply chain attacks remain undetected. Worse, as supply chains become increasingly integrated and automated, the security risk from partners increases.
The SASE and Zero Trust promise
In addition to baking security into code, companies need a set of policies, procedures, and technologies that work together to protect cloud-based systems, applications consumed from private data centers, IaaS, PaaS and SaaS, data, and infrastructure. From authenticating access to filtering traffic, cloud security must be configured to the company’s exact needs.
Watch Sean Duca explain Palo Alto Networks' approach to zero trust.
The Secure Access Service Edge (SASE) is an effective way of delivering security services in a consistent and integrated manner to support the needs of hybrid cloud environments, edge computing, and remote working. It offers much lower latency, greater visibility across assets, and centralized control.
SASE is also essential for the development of a zero-trust approach to security. In addition to addressing many of the challenges associated with hybrid clouds and remote working, a zero-trust approach plays a significant role in mitigating third-party risks. It involves moving defenses from static, network-based perimeters to focus on users, assets, and resources. Trust is no longer granted to assets or user accounts based on their physical or network location or on asset ownership. Authentication and authorization must be performed before every session to a company asset is established. Offering users too many privileges is just risky.
Andrew Milroy is a contributing editor at CDOTrends and the founder of Veqtor8, a Singapore-based digital risk advisory firm. In addition to digital risk management, his interests include cloud computing and AI.