I’m glad this column is coming out now instead of earlier this year. Cloud security is more topical than ever when considering all the fun things that have happened in 2021 with security startups!
Before talking about innovation and startups though, let’s talk about a brief history of cloud security… especially public cloud. Securing the public cloud is still one of the biggest unanswered questions that folks are working to figure out. Leveraging the public cloud just makes sense: few companies are in the business of running their own data centers, they’re in the business of creating value and solving customer problems. While the case for using (multiple, diverse) public clouds is clear, securing them is another question entirely.
Now, if you take out the datacenter/virtualization-centric vendors calling themselves public cloud solutions, this category was really created a couple of years ago. I give a lot of credit to Palo Alto Networks for calling the space early and showing their interest by acquiring both Redlock & Evident.io in the CSPM space. Then they followed those acquisitions with PureSec, Twistlock, Aporeto and most recently Bridgecrew. A lot of activity since 2018!
Back in 2018, a lot of folks were (and still are) figuring out how to properly configure their public cloud usage. Since public cloud is “public”, configuration matters because everything is inherently internet facing. The layers of controls built in the datacenter world don’t exist in the public cloud, so misconfigurations (e.g. open S3 buckets) become immediate exposures.
At the same time, practitioners were hesitant to move high-risk workloads to public cloud; they had no attestation data from the public cloud vendors. When customers managed their own infrastructure, they could easily grab the context they needed from the servers. In the public cloud world, getting that data for compliance is an unscalable task when servers are shared among multiple customers.
We’re now in 2021, just three years later, and in that time we’ve seen the amount of public cloud compute spend grow from ~$250 billion in 2018 to ~$400 billion this year and continuing to grow linearly to ~$650 billion in 2024 per Gartner.
When we start talking about spending hundreds of billions and at that growth rate, it’s natural to say there is going to be opportunity to help make sure that spend is secure. Hence this category and this column.
In many ways, public cloud problems look similar to legacy data center problems. The biggest causes of security incidents are still the same: misconfiguration, vulnerabilities/missing patches, bad passwords, phishing and insecure code. The biggest difference today is the increased exposure from public cloud and the speed at which organizations seek to move their infrastructure and business software there.
And because of those similarities, I envision most practitioners who do take on a cloud security project in 2021 will focus on visibility and compliance first.
Attestation/visibility was always one of the first issues that held folks back from the public cloud. Every company is held accountable by their customers, auditors and their regulators to certain standards. Without data from the cloud providers, leveraging the public cloud was an unsolvable problem for regulated workloads. And while this problem hasn’t been fully solved, with the help of new tooling and integrations, running sensitive workloads in the public cloud is now possible! The difference, however, is a new set of policies before we move on to a new set of compensating controls.
And the reality is that everyone agrees that they have compliance obligations. Enterprises today still have to prove that: 1) they are collecting the evidence to generate asset and user inventories; 2) they are actively looking for potential risks, issues and vulnerabilities; and 3) they are matching their work to industry standards.
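To make the “open S3 bucket” misconfiguration and the evidence obligations above concrete, here is an added example (not code from the column or from any vendor named in it): a minimal CSPM-style check that walks constructed bucket records shaped like bucket policy and ACL output and produces an inventory entry plus a finding per bucket. The bucket names, the `vpce-EXAMPLE` condition value and the record shape are assumptions for illustration.

```python
# Added example (not the column's code): minimal CSPM-style open-S3-bucket check on constructed input.
from typing import Dict, List

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
PUBLIC_GROUP_URIS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
READ_ACTIONS = ("*", "s3:*", "s3:GetObject")


def policy_allows_anonymous_read(policy: Dict) -> bool:
    """True if an Allow statement lets any principal read objects unconditionally."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (e.g. aws:SourceVpce) scopes the grant; only unconditional ones are flagged.
        if any(a in READ_ACTIONS for a in actions) and not stmt.get("Condition"):
            return True
    return False


def acl_grants_global_group(grants: List[Dict]) -> bool:
    """True if the bucket ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS for g in grants)


def assess_buckets(buckets: List[Dict]) -> List[Dict]:
    """Inventory entry plus finding per bucket: name, public flag, and the reasons."""
    report = []
    for b in buckets:
        reasons = []
        if policy_allows_anonymous_read(b.get("Policy", {})):
            reasons.append("bucket policy allows anonymous read")
        if acl_grants_global_group(b.get("Grants", [])):
            reasons.append("ACL grants access to a global group")
        report.append({"bucket": b["Name"], "public": bool(reasons), "reasons": reasons})
    return report


# Constructed sample: open by policy, scoped to a VPC endpoint (not public), open by ACL.
SAMPLE_BUCKETS = [
    {"Name": "example-open", "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-open/*"}]}},
    {"Name": "example-vpce", "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-vpce/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}},
    {"Name": "example-acl", "Grants": [
        {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUP_URIS[0]}, "Permission": "READ"}]},
]
```

The report rows are the kind of evidence the three obligations call for: an inventory of buckets, a flagged risk, and a field you would map to whichever standard's control you are attesting against.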
Cloud security is really that undefined right now… and that scares a lot of people. It’s difficult to invest resources to build and implement compensating controls nowadays because the consensus technology/solution could turn out to be something else entirely. So my recommendation for folks working on public cloud this year… instead of fighting compliance, join them. Just like practitioners, some consultants are way ahead of the pack and have a great sense of the future because they’re solving the same problem for multiple customers. Go find those leading-edge advisors and work with them.
At the same time, double down on visibility. Look at scaling up your efforts to ingest cloud-related data from multiple sources and controls. Like the SIEM collecting data in the network world, we’re also going to see a platform collecting a variety of cloud-related data in this new world. All with the purpose of making sense of the multitude of activities happening across an organization on the public cloud; just like the SIEM helped to make sense of the activities on a growing network.
And just as we went deeper into the network by deploying EDR agents on our endpoints, cloud visibility is going deeper into the steps that lead up to the software being deployed in the cloud. In essence, the combination of “shifting left” and “cloud security” is going to happen and be called “shifting everywhere.” A logical outcome considering we’ve broken apart the responsibilities of the network administrators of yore and given many of those admin rights to our developers to enable agile development in the modern multi-cloud world.