Jakub Jirsák - stock.adobe.com

Fresh approach needed to reap cloud security benefits

Transitioning to cloud-based services offers businesses an opportunity to improve security capabilities, but only if they adopt a proactive cloud-native approach, says Palo Alto Networks cloud security expert

Enabling organisations to reap the security benefits of moving to cloud-based services typically requires IT teams to undergo some education, according to Varun Badhwar, senior vice-president for products and engineering, public cloud security, at Palo Alto Networks.  

“Security teams are often overworked, understaffed and underfunded. The first thing they are trying to do is react to the business’s move to the cloud, and the way they are reacting is seeing what from their existing armoury of tools they can utilise to solve the problem,” he told Computer Weekly.

UK government statistics published in the Cyber security breaches survey 2019 show that 60% of businesses and 49% of charities – from more than 2,000 organisations polled – are using externally hosted web services to host websites or email, or transfer or store data.

Cloud usage is the highest among medium-sized firms (71%), followed by small firms (63%), large firms (62%) and micro-enterprises (59%).

In many cases, Badhwar said cloud had hit security teams faster than they had anticipated and at a larger scale than they were prepared for. “In short, they are reacting to the change rather than being proactively prepared for this velocity of change,” he said.

This reaction comes in the form of looking at what existing architectures they can apply in the cloud or what out-of-the-box cloud products are available, both of which are “dangerous options”, he warned.

Repeating previous mistakes

According to Badhwar, this repurposing means that instead of capitalising on the move to cloud, security teams tend to make mistakes similar to those they have made in the past and have similar architecture silos of products that are not very effective in the cloud.

“Using non-cloud-native [tools and applications] means you are binding yourself to be very specific to a single cloud, and a few months later you are going to find your developers moving into multiple clouds and it won’t provide the holistic solution capabilities that you need long term,” he said.

“It is a long educational process and hopefully we are helping customers understand the opportunity to be proactive, to think from a developer mindset, to think automation and to think in a more cloud-native fashion.”

While “cloud-first” companies that are committing to build any future systems and business models in the cloud are also struggling with the same challenges of trying to repurpose legacy assets from a security point of view, Badhwar said it was easier for born-in-the-cloud companies such as Uber, Lyft and Airbnb to make the right security investments from the start because they never had traditional datacentres and associated tools.

However, he pointed out that a potential pitfall for those organisations was that they typically have a “build everything” mindset and assume they can build their own security tools.

“Often, they go down that path before recognising that solving security problems is difficult, and that it can’t be built by a couple of part-time developers because it really takes a lot of subject matter expertise, a lot of data and experience to build the right technologies.”

A window into cloud

For IT security organisations which find themselves suddenly having to secure operations in the cloud because that is where the business has taken things, Badhwar said the most important challenge was to establish visibility of everything going on in the cloud.

“You can’t secure what you can’t see, so start with visibility. Solve the visibility challenge to enable you to have an informed conversation with your development teams [so you know what] they are doing in the cloud, what they have in the cloud and how they got into the cloud,” he said.

“The reason most organisations are already multicloud is because developers are picking the best-of-breed platforms – so it is a developer-led initiative rather than a CIO-led initiative”
Varun Badhwar, Palo Alto Networks

“Visibility allows you to understand exactly the kinds of problems you will expect to see in the cloud, and helps to educate your developers, SOC [security operations centre] teams and analysts on how to respond to the kinds of issues you expect to see arising in these environments.

“You can then talk about measuring the current security posture in the cloud and then about the controls that need to be put in over time to get to a level of maturity that your organisation is most comfortable with.”

Achieving visibility in the cloud is not without its challenges, however. Not all organisations are getting to cloud through CIO-led digital transformation initiatives. In many cases, the developers are going to the cloud before there is any transformation programme.

“The reason most organisations are already multicloud is because developers are picking the best-of-breed platforms – so it is a developer-led initiative rather than a CIO-led initiative,” said Badhwar.

“Within every organisation, each development team is deciding what services in the cloud to use, be it containers, serverless functions or VMs [virtual machines]. And they are all managing and administering their own environments individually. It is a difficult problem to tackle,” he said.

Tracking actions in the cloud

In terms of visibility, Badhwar said the first action should be to rationalise what is being used across the organisation and across various lines of business.

“This is where the power of something like Palo Alto Networks components coming together is so valuable. Assuming you are a customer using next-gen firewalls, we are seeing all your ingress and egress traffic. We know exactly where the users and their traffic are going,” he said.

“We know the account IDs of the different AWS [Amazon Web Services] or [Microsoft] Azure accounts that are traversing the firewall, so we can easily figure out the list of 50 environments in the cloud we have seen. Alternatively, there is the ‘old school’ way of talking to the cloud provider and asking for a full list of accounts associated with your organisation.

“We have also seen organisations go through their billing and expense management systems to track down what services are being used and by whom. So you can go very manual or very automated.”

However, Badhwar said it was one thing to understand what is in the cloud, but it could be just as challenging to track changes in the cloud, with developers typically spinning up and tearing down many different things in the cloud in just a few hours.

“Keeping a historical record of that is valuable from an auditability standpoint, but also from an investigation/incident response standpoint, because if I receive a call today saying we have a compromise in the cloud, I want to know what changed over the past three weeks,” he said.

After tackling the visibility and change tracking challenges, Badhwar said the next thing to look at was compliance. “If you don’t have [General Data Protection Regulation] GDPR controls in place, you are not going to the cloud. Compliance can become a blocker, so that is an important issue to tackle very quickly.”

The ‘what’ and ‘how’ of cloud security

As organisations mature over time, Badhwar said organisations typically start building more into the development pipeline, moving towards things like automated remediation and threat detection.

A key part of this maturation process is realising that cloud security is not exactly the same as traditional security. “The ‘what’ you need to solve in the cloud is the same: you are still responsible for network security, patch management, vulnerabilities, and users and their credentials.

“But the ‘how’ is different. Organisations that are in phase one of cloud migration – usually a ‘lift and shift’ phase – which is about moving existing applications from VMs running on-premise to VMs running in AWS or Azure, do not experience much of a culture shock.

“The ‘what’ you need to solve in the cloud is the same: you are still responsible for network security, patch management, vulnerabilities, and users and their credentials. But the ‘how’ is different”
Varun Badhwar, Palo Alto Networks

“However, they soon realise that they have moved to the cloud to gain efficiencies of speed and cost, which forces them to think about re-architecting their applications to be more cloud native. That is when they start feeling the pain of their existing tooling from the on-premise they brought over in the lift and shift process not carrying forward.

“As soon as you make applications cloud-native, your IP addresses are changing every hour and your users have access to the vast majority of services. And that is where the ‘how’ of cloud security is different. The tooling changes, the methodology changes and the level of automation changes,” he said.

At the highest level, being proactive about unknown threats in the cloud starts with the high degree of effort that cloud providers are making in helping customers understand the shared responsibility model so that it is clear what is the responsibility of the provider and what is the responsibility of the customer.

“The data shows clearly that cloud-related breaches are predominantly the fault of cloud users who are faltering on their part of the shared responsibility model. To remediate this, there is a lot of work that can be done around sharing architecture blueprints, for example,” he said.

While there is still work to be done, Badhwar said there were some good open source tools, such as Security Monkey from Netflix and Capital One’s Cloud Custodian.

“It was refreshing to see a financial services company like Capital One start open sourcing methodologies and tools, which is a big change. So it is a combined effort: industry suppliers that have experience, cloud providers and the media,” he said.

Understanding cloud at scale

Commenting on the UK market, Badhwar said that only a couple of years ago, the only cloud being talked about was AWS. “What has been fascinating in the past 24 months is seeing how quickly Azure has gained prominence in the UK, as well as Google Cloud.

“We are starting to see the UK become multicloud. But that said, most security teams still have a basic understanding of cloud. They are trying to adapt quickly to cloud and cloud security, and they are trying to rationalise what they bring along from their traditional datacentres for security and what they build,” he said.

“I would say that is the nature of where the global market is from a cloud adoption standpoint, but I think the UK has a lot of catching up to do on understanding the kind of capabilities required to scale up the cloud and support the scale of cloud that most organisations are now embracing.

“What I have been most impressed with is that UK financial services seem to be ahead even of what we are seeing in North America from a cloud adoption standpoint. I think the financial services firms here have embraced cloud ahead of some of the key US financials.”

And where the UK financial sector is leading, Badhwar believes other sectors will follow.

“I think a lot folks were waiting to see what regulations like the EU’s GDPR [General Data Protection Regulation] mean for cloud platforms, but cloud providers have done a good job of embracing those and proving much more globalisation of their datacentres,” he said.

“Cloud providers are supporting many more regions in Europe, leaving no excuse for organisations not to embrace cloud. Every organisation we talk to has completed or is in the midst of a cloud transformation.”

Establish and stick to security guardrails

If organisations moving to the cloud do nothing else from a security point of view, Badhwar said they should ensure they establish security guardrails as soon as possible.

“There are many stakeholders involved in cloud deployments, with many of them being third parties to help with the migration process, but if you don’t govern what they are doing in the cloud, you could find that you have incurred a lot of security debt because the people who built your environments didn’t build them the way you anticipated they would,” he said.

Fixing this after everyone has gone is difficult, said Badhwar. “But if you put the guardrails in early, don’t let your developers deviate, and pay for security tools the same way you do for cloud, there is no heavy investment up front to get the right security visibility and tooling in place. So do it early, rather than later.”

Moving to the cloud is an opportunity to improve security, he said, because it gives organisations a fresh start.

“Where most CISOs [chief information security officers] are dealing with decisions made by their predecessors in most of these organisations and dealing with tooling that is very hard to deploy and they are nervous to even refresh, the cloud providers have given us a model to build security products very seamlessly.

“So the way we build RedLock, for example, is all APIs [application programming interfaces], so that means rapid time to value and operationalise for customers, but it also means that if we are not servicing your needs 12 months from now you are probably not going to continue to renew with us.

“So it challenges us not to rest on our laurels because we have already sold you something this is going to be tremendously hard for you to replace. It keeps us on our toes because it gives customers the opportunity to continually assess the market as it matures to see what’s out there and, more importantly, give them an easy button if they feel they need something different or to go down a different path.

“Cloud is providing an advantage in terms of starting fresh and ensuring vendors stay honest to their mission of providing the best [security] controls and technology,” said Badhwar.

Read more about cloud security

Read more on Hackers and cybercrime prevention

Data Center
Data Management