Securing the Cloud is About Teamwork
December 20, 2017
I spoke about cloud at a conference a few weeks ago, but I still have lots of thoughts on the topic bouncing around in my head. If you haven’t yet, head on over to our YouTube page and check out the two videos I made on my talk and let me know what you think. For this blog, I’ll be going over some aspects of my presentation in more detail, take a look forward to cloud as we approach 2018, and anything else cloud related on my mind.
At this point, we’ve all heard and read a lot about the cloud. But how much does your security team actually know? There are plenty of online resources (ask your preferred cloud service providers where to find them) where you can learn the basics of cloud in a matter of hours and become proficient in just a matter of weeks. This is absolutely worth the time investment and something organizations should actively encourage.
Teamwork Makes the Dream Work
While cloud adoption is at an all-time high for many organizations, the key to increased cloud security adoption is about one thing: getting everyone on board. Cross-team adoption – whether on application security, IT, or other teams – can really make the difference. Remember not to overlap skills! If your organization has a cloud team – even if it’s just a few people – lean on them to help with educating others across the security disciplines for increased cloud understanding.
Beyond Security “of” the Cloud
One thing I hear tossed around a lot is, “How do we secure the cloud?” That answer is extremely complicated (and the answers are often disappointing to non-security types), so I try to re-frame people’s thinking. Instead of security of the cloud, I think about how to get better security in the cloud.
This comes down to fundamentals. If we stop looking at the cloud as a box to be secured and instead look at it as a platform on which good security practices must be followed, things become a lot clearer. Cloud security isn’t about creating an enormous, impenetrable cloud. That’s impossible. But if we work together to learn about the cloud – its strengths and weaknesses; its flaws and values – and reinforce good security basics, we’ll all be a lot more secure.
2018 and Beyond
I may be biased, but I firmly believe cloud security will be even more important as the calendar turns. Here are some cloud questions I am trying to answer as 2017 comes to a close.
What are some of the first steps an information security team can do to handle cloud growth?
First off, you can’t stop cloud growth and adoption. It’s going to happen. It’s not a fad. It’s not going away. Collaborate with and get to know the cloud team because cloud is here to stay. Education and awareness are the first steps to any security concern and that remains true with cloud.
What are cloud providers doing to improve security?
A lot! One of the most impactful things being done is simple: conversations. Raising awareness by presenting at conferences, writing papers or publishing case studies, and simply talking to one another goes a long way to get everyone on board with cloud. Introducing new tools and better reporting processes are some of the more technical things being done, but these conversations are where it all starts.
What are some big cloud concerns as we head into 2018?
GDPR – the General Data Protection Regulation taking place across the European Union – goes into effect May 2018. The regulations have a lot of organizations scrambling to figure out how exactly this will affect them. From a cloud standpoint, where data lives (and who is responsible) will get more complex. I believe this all ties back to risk and managing it. As more data goes into the cloud, the path forward to securing that data involves bringing enterprise security to the cloud.
Bottom line for cloud security is we need to practice what we preach: getting in there and getting dirty with the security teams that are developing apps and moving things forward. Cloud, in all its decentralized glory, it still extremely difficult to manage and try to secure. That will remain true in 2018. More apps will be made, some of them more secure than others. And of course, security incidents will happen (they always do).
But I am optimistic that as cloud becomes more and more central to nearly every organizations’ success, we as an industry will evolve and succeed. We always do.