[PANEL] Cloud Security Common Sense Tips & Tools

On-Demand

Video Transcription

Ed Moyle:
Hello, and welcome to this BrightTALK webinar session today, Cloud Security Common Sense Tips and Tools. This is a panel-based session and I am very excited about the panel that we have today. My name is Ed Moyle and I thought that it might be the best way to get us started to just give the esteemed panelists that we have with us today an opportunity to briefly introduce themselves. The first gentleman that I’d like to introduce you to is Tim Woods. Tim, can you give us a brief background of yourself?

Tim Woods:
You bet. Thank you very much. So my name is Tim Woods. I am vice president in charge of technology alliances at FireMon. Been at FireMon for just about a little over 12 years. And FireMon’s value proposition is extending visibility across the hybrid enterprise, or giving organizations the ability to deal with growing complexity within their environments. At the end of the day, it’s all about managing risk to a level that’s acceptable by the business. And that’s what we’re trying to do.

Ed Moyle:
Great. The second panelist that we have is Raef Meeuwisse, who I know very well. Raef, would you like to give a little background of yourself?

Raef Meeuwisse:
Sure. Hi, my name is Raef. I’ve managed some mightily big security budgets in my past, sort of eight-digit budgets, which was very nice to do, and I’ve also audited quite a lot of different cloud providers. So that was quite good fun as well. In addition to that, I’m probably most known for writing Cybersecurity For Beginners, a book that’s sold, heading up for 20,000 copies now. So that’s much appreciated. Most of those in the US, so thank you very much.

Raef Meeuwisse:
Also books, like How To Hack A Human, go out and get that one now. I’m currently working on some comedy, so there might be a comedy audio book out shortly on cyber security. But this session’s serious. So, I’ll pass back to Ed.

Ed Moyle:
Well, most cybersecurity is comedy at its core, anyway, isn’t it?

Raef Meeuwisse:
Yeah.

Ed Moyle:
I’m just kidding. And also Nathan Burke. Nathan?

Nathan Burke:
Hey there. I’m Nathan Burke here. I’m the chief marketing officer at Axonius, and we are a company trying to solve the least sexy part of cybersecurity, asset management. We do exactly three things. We just connect over 135 different security and management solutions. We can do three things: we can give customers a comprehensive asset inventory, we can uncover security solution coverage gaps, and then automatically validate and enforce policies. So, we’re covering over a million devices for customers like the New York Times and Schneider Electric, many, many more. We were named the most innovative startup of 2019 at the RSA Innovation Sandbox. And we were SC Magazine’s Rookie Cybersecurity Company of The Year.

Nathan Burke:
And then quickly about myself, this is my third cybersecurity company, the first being CloudLock, an early CASB solution that was bought by Cisco in 2016. My last was Hexadite, a security automation company bought by Microsoft in 2017, and now I’m at Axonius. And then finally I live in Cape Cod with my wife, daughter and two dogs. So I just hope that my 14-year-old Cory over here isn’t snoring too loud to be distracting.

Ed Moyle:
Well, I can’t hear, hopefully other folks can’t either. But thank you, that’s a great background. Hopefully folks can tell why I’m so excited about this particular discussion and this particular group of folks to talk about it. We are going to be talking about cloud security tips and tools, common sense approaches to stuff. We know that folks are challenged by this.

Ed Moyle:
Just as a way to kind of get our conversation started, I had gone out and taken a look at some of the most recent statistics that I could find, just in relation to adoption, but then also kind of the security challenges for cloud. I thought I might kind of start with some of these. According to 451, 90% of companies were using cloud as of 2019.

Ed Moyle:
IDG backs up that number, basically indicating that 89% are using cloud, specifically SaaS. Cisco forecasts that cloud data centers will process 94% of workloads by 2021. Data from Forcepoint indicated that 94% of respondents cited security as one of their chief concerns. IDC said two thirds of companies cited it as the single biggest adoption barrier.

Ed Moyle:
And then one thing that I thought was really interesting was Gartner saying that 95% of the cloud security failures that we’ve seen are actually caused by customers rather than the providers themselves. I just kind of wanted to put those out there as kind of a germination point for us to start thinking about this, as we kind of leap into this.

Ed Moyle:
And one of the things that I think is really interesting to look at, that I think is maybe borne out by the data, is the change in cloud computing. Maybe we can start there and maybe just kind of based on background and stuff like that, Nathan, it kind of sounded like you’d seen a lot of things over the years in terms of watching customers adopt this and so on. Maybe you could start us off. What are the biggest things that you would highlight that you think have changed over the past few years in reference to either cloud generally and organizational usage of it, or security specifically?

Nathan Burke:
Sure. It just reminds me of, I remember, if I travel way back in time to the early days of CloudLock, I remember being at a Gartner conference at a booth and having a CSO come up to me and say, “So what do you guys do? CloudLock, what is that?” And I said, “Well everyone is moving to the cloud, so we’re trying to secure all of the data that’s in there.” And he said to me, with a straight face, “You’ve got to be out of your mind. I would never move any of my data to the cloud. Forget it.”

Nathan Burke:
And then today, once you mentioned the 90 and 95% numbers, it’s funny because I would argue those are all wrong, because 100% of companies are out there using the cloud in some way. Whether it’s sanctioned, we’re using AWS or Azure or whatever, or the marketing department has to get something done, they’ve got a credit card and they sign up for something and they use their Google credentials or their Microsoft credentials.

Nathan Burke:
Everybody is using cloud in some way. And I think one of the things you alluded to is absolutely right, which is, it’s the idea of kind of ceding control. We used to live in places and companies where the IT department and security department were the departments that either said no, or gave tools and said, “Use these and nothing else.” Those days are over.

Nathan Burke:
And it now becomes a question of learning what you do have and applying the proper security policies to those things that you have, or the things that you’re going to have, and haven’t even thought of yet. So, everyone is there in different flavors. It’s a continuum, but I would say 100% of companies out there, save maybe a three letter agency, are using the cloud and that’s just the fact.

Ed Moyle:
So you hit on something that I think is really interesting, that I want to explore a little bit. And just a real quick five-second story, I used to work for a large cloud provider. And one of our customers had said, “Well we don’t want to use this particular vulnerability assessment scanner because it’s hosted in the cloud, it’s cloud-based.” I didn’t say anything about this at the time, but I happened to know, because they were also our client, that the rack where the vulnerability assessment scanner was, was not three feet away. It was like the next rack over from where these folks were. It’s just kind of interesting to hear you say that, kind of about just the ubiquity of it. Tim, Raef, do your experiences kind of jibe with Nathan’s, or are you seeing anything different?

Tim Woods:
It’s not only that they’re using cloud, they’re using multiple cloud providers also. It’s not just one. We deal with a lot of large enterprise organizations as well, and a lot of them don’t even know which organization is using what public cloud provider. It gets even a little more hairy. Not only are they using cloud, adopting cloud, embarking on their digital transformation journeys and cloud-first strategies, but they’re using multiple cloud providers.

Tim Woods:
So what happens there? There’s this whole concept about shared responsibility models in the cloud as well. So who has responsibility for what? But Nathan’s absolutely right, that who’s taking control for managing it now, and who’s responsible for the security controls around those things that are going into the cloud, the assets, the applications, and the services as such that people want to provide their customers access to, that’s becoming fragmented as well. And that’s introducing its own set of challenges.

Ed Moyle:
So Raef, let’s talk about this multi-cloud. The idea that, not only are folks using cloud provider A, but they also might be using provider B, C as well. Maybe they have some aspect of what they’re using that’s maybe within a private cloud. One of the statistics that I looked up, but it didn’t make the cut, was one that cited that 38% of workloads for the average organization are in public cloud, whereas 41% are in the private cloud. I think it was maybe RightScale that came out with those numbers. From your point of view, does that introduce any kind of special security problems? It sounded like Tim and Nathan maybe both alluded to some of the asset management challenges.

Raef Meeuwisse:
I agree with what Tim and Nathan have said. But I think more, there’s been this movement, first of all, you had a lot of organizations saying, “We’re not going to use the cloud. We’ll never use the cloud.” And then you’ve got the next thing, “Oh, we had no idea that our employees were using the cloud.” Because they started buying it left, right and center. And then it was like, “We don’t really know how to secure the cloud.”

Raef Meeuwisse:
So as you’ve had increasing adoption, the security risks have gone up, there’s a kind of recognition of it. But I think one of the things I would say is, preventing things like employees taking on cloud services without the organization knowing what they’re doing, is really down to the fact that a lot of organizations are still, to some extent, a bit nervous. They’re using the cloud, but they don’t necessarily know how to use it well.

Raef Meeuwisse:
And they’re still fearful about setting up processes that enable employees to do it in a safe way, in an orchestrated way, in a way that you can use security solutions to then help orchestrate what you’re doing. I think that’s still quite a major problem. And certainly harking back to my experience going on auditing cloud services, you had these ridiculous situations.

Raef Meeuwisse:
Like I remember one, I’m going to mention Salesforce here, because they were actually quite good when I went in and actually got a chance to look at them. If you’re a big multi-billion cloud provider, you’re unlikely to have any glaring security issues. And it’s quite right in the stats that you mentioned, that the problems can therefore be more to do with customer configuration or customer usage.

Raef Meeuwisse:
But again, you would find that customers would just spend all their money trying to work out how to fix security gaps in a massive cloud provider, and then allow a synchronized, full copy of the database to go to a very small private cloud, located with practically no security. Because they weren’t paying much for it, they also wouldn’t do very much on the security side. And I think that’s one of the biggest problems with cloud, that the size of the risk has nothing to do with how much or how little you’re spending on it. It has to do with the value of the data or the services that are going through it.

Ed Moyle:
So this kind of implies, it seems to me like, keeping our focus kind of on the tips and tools piece. Hearing you guys talking about this, and kind of some of the themes that I’m hearing you say. In my mind, I start to think discovery and inventory. Is this something that organizations have… Historically, are they where they need to be from a discovery standpoint? How are they approaching this? Maybe Tim, do you want to try taking a swing at that one? From an inventory discovery perspective are folks where they need to be?

Tim Woods:
No. And I think that’s one of the biggest… We just completed our 2019 State of the Hybrid Security Cloud survey, where we talked to over 400 individuals, and we got that published on our website. It brings out some really interesting points. But one of the biggest barriers or concerns is, not only the security controls, but just the general lack of visibility. So, as I’m moving things into the cloud, some of the tools that I’m using, that I have used on-prem, they don’t necessarily translate whenever you go to the cloud. So, I’m not getting that same level of comfort. I’m not getting that same level of visibility as I’m moving these things into the cloud.

Tim Woods:
Really hard to secure something, if you don’t know where it’s at. It’s very hard to secure something if you can’t see it. So, understanding where those things are at a given point and the cloud is so dynamic also. Things kind of spin up and spin down, they can change, they can move. Imagine trying to protect the president, the secret service trying to protect the president, and they don’t know where he’s at. They wake up in the morning, they go, “Well, we need to protect the president, but where’s he at today?” “Well, we don’t know.”

Tim Woods:
Now, you can’t protect something unless you know where it’s at, who has access to it, who should have access to it, who shouldn’t have access to it. As you’re deploying things to the cloud, I always tell people, before you get into the issue of cloud sprawl, and we’re already seeing it, and we’re having customers engage us around just cloud sprawl, and it gets into things being deployed in the cloud without a well-defined process, without a well-defined tracking mechanism, without well-defined roles of responsibility on who’s taking the responsibility, not just for the internal security, but the surrounding security as well. So, if you don’t have a well-defined process for how you’re managing that, then you’re guaranteed to run into some problems down the road.

Ed Moyle:
Absolutely. I probably should have mentioned this at the beginning, but just as questions start to come in from the audience, I’m just going to try to get them put out there so that we can make sure that folks’ questions get answered. There’s a couple of them that have come in that are a little bit related, which is basically, if you’re an organization, and you have a security strategy, you have a security program, you have a set of security tools, that you’ve honed and built out over the years. When it comes to both public and private cloud, what should organizations be looking to do to adapt that strategy, to adapt that tool set?

Ed Moyle:
Nathan, do you want to take a swing at this? Like what would be kind of the practical advice for folks who want to make substantive changes to their strategy and program based on what you guys are saying?

Nathan Burke:
The way that I look at it is I think there’s a couple of components. There’s first, the most basic of just trying to understand what you have. So there’s the inventory piece and what Tim mentioned is some of the issues here are both the speed and the fact that the tool set doesn’t necessarily work for the cloud. And the example I always give is a VA scanner. If I’m using a Tenable or Qualys or whatever, or Rapid7, to help do vulnerability scanning for my network, well, it does a fantastic job, because it knows where to look.

Nathan Burke:
But if my tools don’t know that there are cloud instances being spun up and down all the time, there’s just no way they’re going to work. I think the first part is just finding a way in a process to identify exactly what you have, making it an ongoing process, such that if something new shows up, I want to know what it is. And then really the next level down is I want to know what’s on these things and where the vulnerabilities lie.

Nathan Burke:
One of the best examples that I have right now is, our customers are moving a lot to, say, Amazon, and they’re saying, “I want to know any time there’s an Amazon instance that isn’t being scanned by my VA scanner.” And that’s great. That’s a good piece of info to know. But then I want to know, “Wait a second, there’s a lot of those. I want to know anytime there’s an Amazon instance not being scanned with a public IP address.” That’s something I can also prioritize.

Nathan Burke:
Then I want to say, “Well, what does the outside world know about it?” Let’s marry it together. What is known from Amazon, what is known or not known from my tools, but also what’s known from the outside world. So taking the Shodan data and say, “This is what we know about it. This is everything we know.” So I think just kind of working backwards, it’s just understanding what you have for an inventory in the cloud, having a process to keep that up to date, to find new, and then really, to find out anytime something deviates from what your policy is. And that’s a very high level, but I think that’s really the approach that’s needed.

Ed Moyle:
One of the things that strikes me about that is that that applies, regardless of whether it’s multi-cloud or whether it’s one key provider that you’re working with.

Nathan Burke:
Sure.

Ed Moyle:
Raef, maybe you could speak to kind of the inverse of that. Which is, Nathan, I think kind of teed up really well kind of the changes to the program piece, but what about the assessment piece? Like what about from a compliance assessment evaluation side of things? Does multi-cloud change anything? How does that have to change?

Raef Meeuwisse:
It does and it doesn’t. First of all, if you’re looking at it from an organizational, top-down approach, then if you have a clear high-level policy about cloud adoption, how do we approach it? How do we enable it? Then that’s helpful. Then that has to be articulated into an architecture. Because at the end of the day, if you’ve got a security architecture, then even when you procure cloud services, you kind of have an idea about what you’re going to require on the security side.

Raef Meeuwisse:
And if they don’t fit what you require, then you can take it through an exceptions process and make sure that you are aware of it upfront and make necessary kind of additional balance for that. And that’s the thing about multi-cloud, is if you’ve got those core things nailed within the organization that’s procuring and acquiring these things in the first instance, security by design and so forth, it makes everything a lot easier. And you still need things like cloud discovery tools to help mop up the employee-led sprawl that might happen.

Raef Meeuwisse:
But again, if you’ve got policies and procedures in place, that if I’m an employee in an organization, I want to use a new cloud service, I don’t feel like I have to hide it. I actually know that I can take it, they will help me. They’ll either provide me with an alternative that is secure, or they will give me the rules and parameters. And that tends to be the thing about multi-cloud.

Raef Meeuwisse:
Ultimately, it’s good if you can go and do the security checks and balances on each one, but it’s not always realistic because there’s so many of them. If you have that top-down approach nailed, at least you know from an initial assessment perspective whether or not they have the security functionality that you’re looking for, and whether or not anything that goes wrong can be easily identified as quickly as possible and resolved through your normal security incident and event management and so forth.

Ed Moyle:
That makes sense. All right. Last one on this and then we’ll move the conversation forward a little bit to some of the areas that we want to explore. But I’ll just put this one to the group. Which is that, we’ve all seen these kinds of shared services models, where different folks have… Amazon has kind of their expectation of what a customer needs to do from a security perspective, versus what they’re going to do. Microsoft has a similar kind of thing.

Ed Moyle:
I’m assuming that pretty much any kind of provider, whether it’s SaaS, PaaS or IaaS, any of these kind of pillar models, have something like that. Who specifically within the organization, like whose responsibility is that, for keeping track of what is the customer responsibility in kind of this multi-cloud world? Whose responsibility is it, and how can they approach doing that? And I’ll just put this to whoever has an insight on this one.

Tim Woods:
I think it’s the Wild, Wild West right now. Number one, the first part of the equation is understanding that there is a shared responsibility model there. As both Nate and Raef said, you can swipe a credit card, you can nail up services, you can deploy your corporate data in the cloud very easily just by swiping a credit card, so to speak. People don’t understand how easy. Some people don’t understand, a lot of people do, how easy it is to actually nail up a service and put data into the cloud and make it publicly accessible.

Tim Woods:
But understanding what I have responsibility for and what the cloud provider has responsibility for, and then identifying who has to understand that, so that we can take action as it relates to applying security controls around that data, is the second part of the conversation.

Tim Woods:
And today, we’re seeing DevOps take responsibility for the things that are being deployed in the cloud. We’re seeing the business owners, the stakeholders, and we’re seeing new cloud security teams develop. And in some instances, I am seeing some of the traditional IT security teams take ownership for the cloud deployments. But they’re not expanding those teams either.

Tim Woods:
You’re looking at teams that are already stretched too thin. Nobody is telling me that I have too many resources. And all the while, as the business, for the right reasons, is deploying things into the cloud, we see the business accelerating past our ability to secure it in a consistent manner. And so, it’s developing into a real big problem. But it’s definitely the Wild, Wild West.

Ed Moyle:
Interesting perspective. I think you’re right. Which kind of gets us a little bit into our next area. Because we’ve kind of been talking a lot about multi-cloud. And we’ve scratched the surface, I think a little bit, of hybrid cloud. But maybe let’s dig into hybrid cloud a little bit. From a hybrid cloud perspective, specifically, and Nathan, maybe let’s start with you on this one. When it comes to hybrid cloud, from a practical standpoint, we’ve talked a little bit about different changes in tools, changes to security program and so on. For hybrid cloud specifically, what would be some advice and tips? How can organizations approach this?

Nathan Burke:
Actually you know what, I think I’m going to punt this one. Because I’ve had a lot to talk about on the other ones, but I think this is something one of either, Tim, go ahead and take this one, because you’re going to have a better perspective than I am on this one.

Ed Moyle:
Either of you have a perspective on hybrid cloud specifically and how that changes what organizations should do?

Raef Meeuwisse:
Yeah. I think this is an interesting question, because there’s a lot of discussion about the various marriage between on-premise, public and private virtualization and cloud services. And using certain things in combination and how you interface them. And that’s the thing. At the end of the day, I think there are various merits and well, let’s say pluses and minuses of each different environment, and using some in combination can potentially make financial sense occasionally. But I think from a security aspect, it does make it harder.

Raef Meeuwisse:
I think that hybrid can work and can work very effectively, if you’ve got enormous scale, and you’re able to know that you’re going to have no issue with fixing the various security bits. But it can end up a bit like one of those Wizard of Oz moments, where you’re saying, “Well, how do I secure this? And where’s the blame?” And you end up with a lot of pointing in lots of different directions.

Raef Meeuwisse:
So for me, whenever I’ve had to look at a hybrid, it’s been a nightmare from any perspective, be it CSO audit… Because you effectively have a lot of different organizations and bits and pieces who are looking at their particular silo and getting that holistic view and getting people to take ownership and running in a consistent way, is incredibly difficult and costly from a security perspective, I would say.

Ed Moyle:
Tim, you agree?

Tim Woods:
Well, I think there’s a liability there too. We see some of the fines that are coming down when you’re found uncompliant and Raef can relate to this, if we bring GDPR into the conversation as well. You mentioned it earlier, security by design and default, which I love. I love the whole spirit of what GDPR represents, even though it applies to personally identifiable information.

Tim Woods:
Still, if you’re found uncompliant or non-compliant, or there’s a breach or something happens and you didn’t take security, you didn’t put security at the forefront of your thought process, then the potential for higher fines or a deeper impact to the business exists. And so, I love the fact that security can’t be an afterthought. Even though the business is adopting cloud, both private as we talked about hybrid, whether it’s public or private, combination thereof, they’re doing it for the right reason, for the right competitive reasons for the right advancement of the business reasons and things like that.

Tim Woods:
But if you’re not putting security at the forefront of your considerations, you’re not only going to get in trouble somewhere down the road. Let’s face it, the bad guys are out there just scanning public IPs, looking for, I always say, “Looking for the car that’s running with the windows down and the keys in it. It’s just sitting there. Why do I have to hack if it’s readily accessible?” But the fines that could potentially be imposed upon your organization as a result of being non-compliant, and not putting security at the forefront, can be crippling to an organization depending on your size.

Ed Moyle:
Well, there’s two parts to this and I want to explore both. But they’re a little divergent, so let’s maybe do one and then the other. So the first one is, there’s the compliance piece; I want to get back to that. Because I think that’s really important. And I think we have some good perspective that you all can lend to this, from a compliance angle.

Ed Moyle:
But looking kind of at the more tactical issue, in terms of what you just teed up. When you’re talking about something like secure by design or what have you, this kind of implies an understanding of the security model for these cloud providers that we’re using. But yet when we see what’s actually happening, you see people losing tremendous amounts of data due to things like misconfigured S3 buckets. Or simple configuration mistakes that could be easily avoided, but because of whatever reason, maybe it’s process-wise or lack of technical acumen or whatever it happens to be, there’s these configuration problems that occur.

Ed Moyle:
Maybe let’s address the configuration problems specifically, and then we’ll come back to the compliance issue. And I’ll just put this to the group. From a configuration management standpoint, avoiding security misconfiguration mistakes that might occur, how can people get in front of that?

Raef Meeuwisse:
I think these are really easy, because any sane cloud provider that has more than one customer has available, “This is how you should configure our cloud service, as a minimum, and here are the recommendations.” It’s not like it’s really difficult and you have to go to… Because the cloud provider has a vested interest in providing that.

Raef Meeuwisse:
I think the challenge for most organizations is that they don’t actually have it enforced as a set of policies and procedures and architecture in their own organization, to make sure they do it consistently. I can say from auditing many, many different cloud environments, that it was almost a given that you knew you would turn up and you knew they wouldn’t have configured it to the standards that were readily available from the supplier. Which I think goes to speak to your stat from earlier, that 95% of the cloud problems, the cloud providers were saying, were due to customers or caused by customers.

Ed Moyle:
So, I don’t want to put words in your mouth, but it almost kind of sounds like maybe the core problem is failure to RTFM. Is that kind of…

Raef Meeuwisse:
I think there’s one other thing. I think the cloud providers that you deal with are often more powerful than the companies that are using them. Let’s face it, they’re often bigger. So from a blame perspective, it may not always be that the customer’s getting blamed, it was entirely their fault. It may be that they’ve just got airtight or watertight legal documentation. But that said, there’s still a vast majority who do not configure their services. And I’m sure Tim and Nathan have experience of just that. Don’t you?

Tim Woods:
Go ahead, Nathan.

Nathan Burke:
I was just going to say that, I think for better or for worse, what’s fundamentally different about the cloud is that cloud can also mean public. It just can. The reason that we have cloud, and one of the major differences, like just think about using Microsoft Office versus using a Google Doc. Set link to public. That’s just something you can do. Because we want to be able to share, because our organizations are no longer defined by walls and physical networks. We want to be able to collaborate.

Nathan Burke:
I almost feel like when you’re talking about the shared responsibility model, if you’re talking about an instance of Salesforce or an Amazon instance or whatever, it’s almost to me like, and I think this is where the configuration fits, when you get it out of the box, it’s pretty well secure. As soon as you start tinkering, it’s as unique as a snowflake. And they’re going to give you tools to be able to share, but share can also be public and share can also be, anyone can get there. So, it’s also the difference between who’s protecting the infrastructure, versus who’s protecting how you configure it and who can use it. And that’s almost where I see the kind of line of demarcation of who’s responsible at that point.

Ed Moyle:
The thing is, there’s something going on here. I think this is a really important question because the one that always kind of throws me out, is the thing about Amazon has this thing called authenticated users. Which one might think would be those people who have authenticated to you. But in reality, it’s actually those people who’ve authenticated to Amazon. So, like the world.

Ed Moyle:
A lot of people will select authenticated users, thinking that just means, well, people who have authenticated to me. But in reality it’s bigger than that. I think this misconfiguration thing, I think you guys have teed up some good advice. Tim, just to kind of close the loop, did you have any advice for folks?

Tim Woods:
I think if you want to provide a little light at the end of the tunnel for those that are doing this webinar, and maybe in the future, that are maybe feeling a little frightened or whatever as it relates to cloud, I will say that the cloud providers are getting better. I was at re:Invent last year. I was at re:Inforce this year with AWS and they introduced over 200 new pieces of functionality just around security. One of them specific to S3 buckets and securing S3 buckets and making sure that when you can check that box, not only is it secured and it’s not publicly exposed or who has access to it, but it’s also encrypted. There’s the encryption there. The security providers are getting better.

Tim Woods:
They’re also, to Raef’s point, they are providing reference architectures now, too. So you don’t have to kind of recreate the wheel, they actually have. Amazon is providing them, Azure is providing them. Whether you’re nailing up an S3 bucket, or you’re looking for some elastic storage options for Adobe or whatever, you have the capability now to follow some models to say, “Here’s step one, step two, step three.”

Tim Woods:
And obviously, there’s going to be some unique configuration parameters that go into that as you do that, but at least you now have a guideline to follow where in the past you didn’t have that. It’s definitely getting better. We still see third party security insertion points and things like that. And I think that will continue until people become more comfortable with the native cloud security controls that are there.

Tim Woods:
And I think it goes back to education also. It’s not that the people taking responsibility for the deployments are not well-educated and smart, it’s just that they’re not well-educated as it relates… They don’t have a foundation in security. That’s not their background. Their background is getting applications out fast and quick. CI/CD and all that kind of good stuff.

Tim Woods:
It’s important that the right people are… You can have the best technology on the planet, but if it’s not used effectively, then you’re not going to get the return on the investment that you’re making. And from a security perspective, you’re putting yourself, you’re putting your company at risk if it’s not secured properly.

Ed Moyle:
Makes sense. All right. I want to come back to the other thing that you had kind of teed us off with before we got into the configuration discussion. Which is kind of this idea of compliance. Compliance considerations within the cloud specifically. Let’s talk about that a little bit. Let’s talk about maybe what are some of the things that are most concerning?

Ed Moyle:
Do folks expect that there’s going to be more compliance related challenges in cloud type environments as time goes on? What should organizations do from their overall compliance standpoint? What’s most relevant? Is it all about the GDPR? We’ve seen efforts like things like CSA STAR, FedRAMP, stuff like that, to kind of get handles around the security of cloud providers. What’s kind of the trajectory of that?

Tim Woods:
Again, cloud’s very dynamic and can be incredibly dynamic, especially if we get into containerization and all the virtual instances that go on. But at the end of the day, change happens. Change happens constantly. And the larger the network, the more change that takes place, the more complexity, unnecessary complexity that creeps in over time that we have to manage as well, and it is a challenge for those that are responsible for it.

Tim Woods:
But understanding change, having that visibility, it goes back to visibility again. Having visibility when something changes and then asking the right question, when that change takes place. Was it good change or was it bad change? Was it expected change? Was it authorized change? Was it in the right window? Was it an ad hoc change? Was it validated change?

Tim Woods:
And from a compliance perspective, one of the first things, I don’t care if it’s GDPR or PCI or FISMA or NIS or whatever, one of the first things they ask you is, “Are you monitoring for change? Are you monitoring?” And if the answer to that is no, you’re in trouble before you even get started with the rest of the questions from your qualified security assessor.

Tim Woods:
So, having the proper tools in place that can give you good visibility across your hybrid infrastructure and can alert you to change and then giving you the ability to audit that change dynamically as it happens, or as close to real-time as possible when it happens, is the key to success there.

Ed Moyle:
You guys agree? Nathan-

Nathan Burke:
Opp, hang on.

Ed Moyle:
That’s okay.

Nathan Burke:
I’m not here.

Ed Moyle:
Raef, do you agree?

Raef Meeuwisse:
I think in terms of compliance, it’s almost like an onion. You’ve got various layers to it. And I think one of the biggest challenges I’ve often faced is that a customer thinks that a cloud service is going to do the whole thing. When in fact the service provider they’re using isn’t responsible for doing the whole thing. Take the example, if you were to take an analogy of a garage. If I take my car to a garage and the garage is going to fix it, I can expect them to do everything. But if I’m renting a bay, let’s say to do my own maintenance, then I might expect them to make sure that facilities are fit for purpose, but I’m going to be responsible for the thing that happens inside the bay.

Raef Meeuwisse:
And it’s the same thing with these cloud services. Often, cloud services, they can maybe provide you with a layer of compliance to say, “Look, this outside piece we do okay. But what you’re doing in the middle, that’s your responsibility.” And that’s probably the main problem and challenge I’ve seen with compliance. It’s not, can you procure a compliant service? Well depending on what you’re looking for, probably. Although you have to check very carefully.

Raef Meeuwisse:
But once you’ve procured that compliant service, you have to understand what you’ve bought. Because often, I see that’s the challenge with compliance. That people think, “Oh, well, I bought this and they’re compliant with Sarbanes-Oxley or whatever,” and they think that just means that anything they do inside it is then going to meet compliance standards.

Nathan Burke:
I think that’s exactly right. I think part of it too, is when you look at any of the compliance frameworks, or even something as simple as like a CIS 20 or anything like that, it’s not necessarily that they care what rack the data is on. It’s all of the controls that are related to that. It doesn’t matter if it’s on Google’s or Amazon’s or whoever’s. But I think what you do need to take into account is, what is fundamentally different about the cloud?

Nathan Burke:
And part of that is just how easy or how collaborative the environment is. In such a way that this is unique to the cloud and therefore, I have to look at this data a little bit differently, because it could be out there. I think it’s a matter of not only change management, but also understanding rights access, that sort of thing. Because these things are fundamentally different in that way, but all the same controls also exist.

Ed Moyle:
Makes sense. Okay. So I’m going to segue a little bit. Because I want to make sure we hit on this in the time that we have. Actually, Nathan, you kind of teed us up a little bit. So you were kind of talking about the changing nature of the tool set that’s required for cloud. And because tools behave in different ways, we kind of need to be alert for that.

Ed Moyle:
Just because of the fact that this is kind of both tips and tools, and we’ve talked about a lot of tips, but a little bit less so on the tools. In the time that we have, maybe we can kind of transition a little bit to talk about, is there like a must-have tool set? Should organizations be looking to the tool sets that are provided by specific cloud providers? Is there like a tool set that really organizations should all be aware of? Like a universal one? Or how do folks approach what tools they should be using for a cloud type situation or multi-cloud, or even just single cloud usage?

Nathan Burke:
Either Tim or Raef, you want to start there?

Tim Woods:
So, go ahead, Raef.

Raef Meeuwisse:
No, it’s okay, Tim. You can…

Tim Woods:
I was going to say, I think going forward to the future and Ed, you said it earlier, some of the things, we’re at a place where it is the new norm. There’s things that we’re not going to go back to where we were, it’s going forward. Business isn’t going to say, “Hey, I’m sorry that you’re not able to secure it in a timely manner. We’ll slow down.” That’s not going to happen. Business is going to continue to accelerate to try to gain competitive market advantage, and for the right reasons.

Tim Woods:
But I think if we’re going to be successful in the future, as we look at cloud, and we look at our strategies going forward in cloud, I think you need a collaborative platform that better unites the stakeholders for the things that are going in the cloud and for the things that still exist on prem. Especially as we said earlier, some of the on-prem tools don’t necessarily translate to what I need to use for the cloud. But I need a tool that can kind of talk both.

Tim Woods:
Let’s face it, on-prem is not going away anytime soon. I’d say hybrid’s here forever. And that may be a little extreme, and we see that it’s projected that 92% of workloads by the end of next year, will all be in the cloud. There’s a lot of stats out there and we don’t know if they’re… It’ll be a wait and see to see what’s true or not. But the thing that is true is, the business is not slowing down. The advantages of cloud are big and growing. Organizations can continue to adopt and go forward with their cloud first strategies.

Tim Woods:
And so, we need a platform that brings everybody together. I need a way to create an abstracted security policy, that everybody can be a participant in the conversation. And then to be able to apply those security controls to wherever they need to be applied, automatically. I need to get some of the human…

Tim Woods:
Because right now, the traditional processes that we’re using, the traditional processes that we’ve come to know and love and have used in the past, just are not working as it relates to the speed of business today. And so, we have to look at a paradigm shift of how we do things differently. And right now we have to unite, whether it’s a new cloud security team, whether it’s DevOps talking to security or putting sec in the middle of DevSecOps, whatever it happens to be, everybody needs…

Tim Woods:
And there still needs to be some guidelines, but we need to have a way that we can create a global security policy that can be technically enforced, automatically, and take the human equation out of it, wherever possible. If you’re not adding people, you have to automate. We have to make our people more efficient. And the only way to do that is with automation.

Ed Moyle:
I want to drill into that a little bit. Because you’re talking about using tools, you kind of started off there with talking about using tools to bring folks together. Bringing the stakeholders together. I’m wondering like, is this something that an organization has to do or cloud provider or both? And the reason I’m asking this way is that, we have seen things like the CSA CloudTrust Protocol, or CSA Software Defined Perimeter.

Ed Moyle:
Basically, initiatives that are designed to try to give additional visibility or additional control from a tool set standpoint, into cloud providers. And they haven’t been well adopted. Is it just because there wasn’t that maturity there to get there before now? What’s going on?

Raef Meeuwisse:
I’m going to take that one on, Ed.

Ed Moyle:
Yeah, okay.

Raef Meeuwisse:
I’m going to start off with it anyway. I think there are certain principles that endure, about security, that we should verify before trusting. When I sat and wrote the security framework for a very, very large organization over 10 years ago, a lot of the materials I used then are still valid today. I think that if you think about the principles of things like architecture, encryption, orchestration, monitoring and detection, response, these are all important to cloud as much as any other cyber environment.

Raef Meeuwisse:
And if you keep them at the abstracted layer, as Tim was saying, as a set of principles, then the tooling changes over time. It’s always improving but the principles remain the same. And I think that’s the key. I think that, although there are very helpful and well-meaning articulations of these, which can be useful, at the end of the day, when I sit down…

Raef Meeuwisse:
I had to sit down to prepare Cybersecurity For Professionals, which is a release for next year. But that’s the problem I had, that it used to be the case that you could very specifically say, “You need a firewall, it’s got to be this standard.” Now, that is no longer the case. Because there’s usually several different ways that are all correct, that you can use to satisfy the same principle.

Raef Meeuwisse:
I think the only solution really, is to go back to the principle there and stop trying to be explicit and say, “This is the only way you can do it.” You can say, “This is a way you can do it,” but I think that’s the challenge now.

Ed Moyle:
Go ahead.

Nathan Burke:
I just wanted to say real quick, the reason I passed off at first, because I didn’t want to come off as somebody shilling my own product. And I said, “I’ll wait till these guys talk and I’ll figure out a way to say this.” And so the way I would say it is this. At RSA last year, there were 626 vendors. If you took 30 seconds to talk to each of them, you wouldn’t be able to do it in the time the business hall was open. Physically impossible. And that’s just the people that were there exhibiting. There are just so many security technologies out there.

Nathan Burke:
The minute you choose one, you go down a path that there’s just a level of uniqueness that no one else will have. I think what you both said is exactly right. The only way to make sense of this, is to have that level of abstraction. I think the other thing too is, when you’re talking about adoption of some of these frameworks around cyber security in the cloud, you don’t want to have different tool sets and different approaches for cloud versus on-premise. You don’t want to have that bifurcation. You want to be able to see everything at once and to kind of have that orchestration and that visibility across everything. It doesn’t matter where it is.

Nathan Burke:
I think tools will always be changing and the ability to see everything. But I think one of the big changes, and I won’t get in too deep on this, is just that now that everything has an API, having that fabric to tie everything together, finally is possible.

Ed Moyle:
Interesting. All right. So it almost sounds like it’s less about kind of having a unified tool set necessarily, and more kind of going back to understand requirements. Would you guys agree with that characterization?

Nathan Burke:
Yeah, how does your policy fit and how does everything fit your policy?

Ed Moyle:
Makes sense.

Tim Woods:
I think the focus shifts. The focus has to shift to those things that we’re trying to secure. Those assets, those applications, those resources that are going into the cloud, we develop a policy around them. And Raef pointed out, it doesn’t matter where they go or where they move, or whether they’re on prem or in the cloud or whatever, the principle and how we need to secure them and what we need to do to secure them and what that policy needs to look like, doesn’t change just because it moves to a different place.

Tim Woods:
The same people still need to have access, the same people that we didn’t want to have access still don’t need to have access. Once we define it at that level and we shift our focus to those things that we’re trying to protect and then understand how we can technically enforce that, then I think that takes us to where we need to be.

Ed Moyle:
Makes sense. I do want to address a question that arose, I think from something earlier on that, Tim, I believe you said. Which was related specifically to cloud sprawl. I think that was you that said that. And if I’m wrong, whoever did say that, please field this one. But for cloud sprawl specifically, A, what is that? And B, what, from a practical standpoint, would organizations be looking for, in order to address that problem, should it arise?

Tim Woods:
I come from a firewall background and FireMon started, we were originally just managing firewalls. That’s what we were helping people do. A heterogeneous type environment with tons of different firewalls, helping to manage that. Today, we do so much more, so much more than that. We even saw that. And so I equate that to kind of the rules in the firewalls. We see rules go in the firewalls, but the rules never go out and it’s kind of…

Tim Woods:
But in the cloud, as an analogy, I see some of the same things taking place now. I’m seeing applications and assets and things going into the cloud, but there’s no real tracking mechanism. You might be surprised to know, even on the firewall side today, people are tracking rules still with rule changes and things like that with spreadsheets and email and homegrown databases and stuff. And we have some wonderful technology out there that can assist with that, but they’re still tracking it with methodologies that don’t scale.

Tim Woods:
And so I would say here, I talk about organic growth around the cloud: is organic growth good or bad? I’m going to say that organic growth in the cloud where people are nailing up their own services and things are going out there, if it’s not contained within a well-defined process, as I said earlier, then eventually down the road, and maybe not today, because we’re early. Some of the companies are very early organizations, very early into their cloud adoption and their cloud strategies. But if they don’t get their arms around it earlier, it’s just going to be harder to understand what you have out there and more importantly, how to secure it.

Tim Woods:
Again, I go back to what I said, you can’t secure what you don’t know about. It’s very hard to manage what you can’t see. So understanding where it is, how it’s going out there and the process that kind of mandates that. I’ll just add one parting note to this, I was at a CISO Summit up in Canada here a few months ago. I saw just two extremes of this. One where the organization was struggling with defining a process on how to control things as they were going in the cloud. It was obvious that they didn’t have a well-defined control around things going into the cloud. And they were asking a lot of questions around that area.

Tim Woods:
And then I talked to an organization, a very prominent organization that anyone here would recognize, they had an incredibly well-defined process to the extent that you could be faced with penalties, if you deployed something in the cloud, outside of the boundaries of the process. In this case, it encompassed. So they had taken on responsibility early.

Tim Woods:
Kind of like we said earlier, we had a common team that used to be responsible for anything that was deployed, how you deployed it, where you could deploy it and how it was managed. They had really taken that approach and applied it to the cloud as well. So I saw absolutely two extremes there at this particular CISO Conference, two very well-known companies I might add as well. Again, it’s all about process.

Ed Moyle:
Okay. Great insights. We have about seven, eight minutes left in the allotted time. And I want to take the time to do this right. Which is, in the time that we have, I want to give each of you an opportunity to kind of provide the key takeaways, the key practical steps and things that folks can go back and do maybe today, maybe tomorrow, maybe the next week, whatever it is.

Ed Moyle:
Regardless of skill level, regardless of if they’re a technical practitioner or more managerially focused, what are kind of the two to three must-have takeaways that are the most important from the discussion and the ground that we’ve covered so far today? And maybe let’s start with you, Nathan, and then Tim and then Raef.

Nathan Burke:
I’ll make this concise because I put a couple of notes here as we were talking. I think there’s seven things. Know your inventory and how it changes. The second is, alright, know that there’s really no such thing as shadow IT anymore. That’s dust. That term is dead. Forget it. Instead, we’ve got to understand that people have a job to do, they can find solutions, use a credit card, and now those things are part of your environment. And this can be as simple as a web app that marketing uses that ties into their Google identity or an AWS instance that DevOps spins up.

Nathan Burke:
Three is, know that everything changes and frequently. Plan for that. Four, come to terms that the tools you use for protecting your on-prem data and devices may not function the same with your cloud environments, the VA scanner was a good example.

Nathan Burke:
Realize cloud can also mean public. It was that Shodan example. Realize that credentials can also be public. Have I Been Pwned is a pretty good example. Let’s see if your credentials are out there. Maybe somebody else has been trying to get in wherever they can on your cloud environments. And then the final one is, ask and answer the question, what would happen if someone gets in? And I think that speaks to the shared responsibility, but also how security differs with respect to the cloud. Those are the seven kind of takeaways I had.

Ed Moyle:
Yeah, those are really… You said seven and I got a little nervous based on the time that we have left.

Nathan Burke:
I’m a marketing guy, I’m fast.

Ed Moyle:
Those are really very good. Great points. Tim, same question. What are the most important-

Tim Woods:
Yeah, I’m going to have to go back and rewatch that Nathan and write those down. I didn’t write them down as you were putting those out there. Those were some good ones I think to use. I think it’s face the hard reality that it’s out of the box and you’re not putting it back in the box now. Business is not going to slow down. It’s not going to back up and wait for anything. So embrace that and understand how you have to manage to that going forward.

Tim Woods:
It’s almost a developing culture. I think that the culture of an organization has to change. I’ve always said this about DevOps. I think DevOps is its own culture and the company has to change. Because again, it’s something else that’s out of the box. It’s not going backwards, it’s not going to change. Because the benefits are just too great.

Tim Woods:
And so understanding that it’s not going to change, how do I morph? How do I shift? How do I adjust in order to meet it and how do I gain parity? How does security gain parity with the speed of business? So we have to figure that out. And one other point I would make here too, on the scan, we talked a bit, Raef was talking about it and Nathan also, about vulnerability scanners.

Tim Woods:
This is just an interesting observation that I’ve made over the years, is that a lot of times we take that vulnerability scan data in, but we don’t correlate it to the right attack vectors. In other words, we have this vulnerability scan going, we know we have these existing vulnerabilities on our network, but how do we exercise that? How do we understand if a bad actor came in a well-known threat entry point, wherever that happens to be, how do I know if any of those exposed those actual vulnerabilities, that sit on my network at any given point or time?

Tim Woods:
How do I know that they can’t be accessed? And if they can be accessed, Nathan asked the question, what happens if they can access one of those and potentially exploit it? Where else can they go? So, I think marrying up your compensating controls, your security controls with that vulnerability scan data is very important too. And I think it becomes even more important as we embark on our cloud journey.

Ed Moyle:
Just one real quick follow-on question to that before we get to Raef’s parting words of wisdom. And again, just briefly, you talked about getting parity between security and the speed of business. Any guidance for how to do that, for folks who may hear that and just not know practically?

Tim Woods:
I’ve hesitated to use this word, because it means so many things to so many people, but I think the key is security intent. And it goes back to defining security intent around those applications, assets and resources. And once you define that security intent, and when I say security intent, I’m talking about business intent, I’m talking about compliance intent, I’m talking about security intent. Define your security intent around that application, and then look for a way to technically enforce that security intent as it relates to a global security policy.

Ed Moyle:
Fair enough. Raef, practical advice takeaways for folks?

Raef Meeuwisse:
I’ll try and keep it super concise. I saw this thing recently and whoever’s this was, it was brilliant. It said, “There’s no such thing as a cloud, it’s just somebody else’s computer.” And I thought, I know that’s a gross simplification, but actually there’s a good thought there. Which is, if you were going to go and do something really valuable on somebody else’s computer, you’d really take care over it.

Raef Meeuwisse:
And I think if you think about cloud in that way, the well-considered, well-configured acquisitions can be a real asset. So those clouds are a real asset. But randomly acquired, non-secure cloud stuff that just wandered up and is used, that is a threat. It’s all about structured approaches. I think Nathan said, shadow IT may be dead, but long live employee-led cloud adoption.

Raef Meeuwisse:
And there’s a way to stop a cloud adoption, well, not stop it, but at least make sure it’s more controlled, which is give your employees tools they need to be able to go and source cloud solutions safely and effectively. And don’t just think by telling them they can’t do it that, that’s going to avoid it because it definitely isn’t.

Ed Moyle:
Great advice. Well, thank you very much for the insights to all of you, Nathan, Tim, Raef, really. I thought it was a very useful and productive conversation. Thank you to all of you who participated and submitted questions and spent your lunch hour if you’re in the Eastern US, or an alternative time of day if you’re not. But thank you for spending the time with us. And with that, thank you for attending this webinar.

Tim Woods:
Thanks everyone.

Nathan Burke:
Thank you.

Raef Meeuwisse:
Thank you.
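Two of the panel's practical points above, that the S3 "Authenticated Users" grantee means any AWS account rather than users who have authenticated to you, and that the provider's "check that box" control (S3 Block Public Access plus default encryption) closes that hole, can be turned into a repeatable check. The following Python is an added example written for this transcript; it is not code from the panelists, FireMon, or AWS. It works offline on constructed bucket data laid out in the same dictionary shapes that boto3 returns from `get_bucket_acl`, `get_public_access_block` and `get_bucket_encryption` (a bucket with no encryption configuration is represented here as `None`, since boto3 raises an error in that case). The bucket names and the `assess_bucket` / `report` function names are hypothetical.

```python
"""Flag S3 buckets exposed through ACL grants to the global AWS groups.

Added example (not from the webinar or any vendor). Sample data below is
constructed; dictionary shapes mirror boto3's get_bucket_acl,
get_public_access_block and get_bucket_encryption responses.
"""
from typing import Any, Dict, List, Optional, Tuple

# Both global group URIs are "public" in practice. AuthenticatedUsers is the
# trap the panel describes: it is anyone with *any* AWS account, not anyone
# who has authenticated to your organisation.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account, not just yours)",
}

# The four S3 Block Public Access settings; all should be True.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_grants(acl: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (group label, permission) for each grant to a global group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one account
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if label:
            found.append((label, grant.get("Permission", "")))
    return found


def bpa_gaps(config: Dict[str, bool]) -> List[str]:
    """Return the Block Public Access settings that are not enabled."""
    return [k for k in BPA_KEYS if not config.get(k, False)]


def default_encryption(config: Optional[Dict[str, Any]]) -> Optional[str]:
    """Return the default SSE algorithm, or None when no rule is set."""
    if not config:
        return None
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def assess_bucket(name: str, acl: Dict[str, Any], bpa: Dict[str, bool],
                  enc: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine the three settings into one verdict for a bucket."""
    grants = public_grants(acl)
    gaps = bpa_gaps(bpa)
    # With IgnorePublicAcls on, S3 ignores public ACL grants, so the grant
    # is still worth removing but the bucket is not reachable through it.
    exposed = bool(grants) and "IgnorePublicAcls" in gaps
    return {
        "bucket": name,
        "public_grants": grants,
        "bpa_gaps": gaps,
        "exposed_via_acl": exposed,
        "default_encryption": default_encryption(enc),
    }


# Constructed sample data (hypothetical bucket names).
AUTH_USERS_READ = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}
BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}
SSE_AES = {"ServerSideEncryptionConfiguration": {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

SAMPLE_BUCKETS = [
    ("example-reports-legacy", AUTH_USERS_READ, BPA_OFF, None),
    ("example-reports-hardened", AUTH_USERS_READ, BPA_ON, SSE_AES),
]


def report(buckets=SAMPLE_BUCKETS) -> List[Dict[str, Any]]:
    """Assess every bucket and return the findings as a list."""
    return [assess_bucket(*b) for b in buckets]


if __name__ == "__main__":
    for r in report():
        print(r)
```

The same ACL grant appears on both constructed buckets; only the one without Block Public Access is reported as exposed, which is the "check that box" point in practice. To run it against real buckets, replace the sample tuples with the responses from the three boto3 calls named above.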
