Cloud Security is NOT a Shared Responsibility – It’s Your Responsibility!
By Ginny Dudek
Taking responsibility for your enterprise’s cloud security is like riding a bike when you removed the training wheels years ago. Do not make the mistake of thinking your cloud service provider is your extra pair of support wheels, ready to partner with you in all aspects of your enterprise’s cloud security. To stay balanced and self-reliant, you need to take a thoughtful, strategic, educated approach. It is just as important to understand which security features your CSP’s platform does not support as the features it does support. Do not assume their tools are sufficient to give you control and visibility into your cloud environment.
Security matters because cyber threats are only becoming more frequent and more sophisticated. The current rule of thumb says there are only two types of organizations today. One knows when they have been hacked. The other does not know they have been hacked.
Even the cyber security providers are being hacked. Think of the huge FireEye breach, or the disturbing, highly advanced backdoor attack at SolarWinds. If there’s a hack, or a breach, or a ransomware demand, the CIO or CTO is going to ask you—the security architect or owner of your security infrastructure—what happened. Yes, the cloud service providers are doing their best. But if something goes wrong, you are the one in the line of fire. Security becomes your responsibility. It’s not a partnership with your CSP.
The cloud is real. Multi-cloud is real. It is no longer a playground where developers experiment with applications. Enterprises are moving from on-premises networks to the cloud because a cloud strategy is key to their business. It is not enough to release non-strategic cloud applications. Business strategists do not want to miss the opportunity to use the cloud to grow their business and remain competitive. In this new wave of cloud and multi-cloud adoption, a full security strategy is essential.
A recent study by Check Point Software tells a cautionary tale. Check Point planted a “honeypot” in the cloud and waited to see what happened. At the end of seven days, they logged almost four million attacks. The hackers are highly advanced and have automated their attacks. Even if your applications were born a minute ago, the hackers can identify new apps as soon as you put them on the Internet pipe and can wage an immediate attack.
Mistakes Along the Cloud Journey
The cloud is still new, and enterprises make mistakes. First, enterprises avoided the cloud, thinking it was not secure. Then their developers experimented with small, non-production applications and did not pay as much attention to security. But as enterprises look for ways to move from on-premises networks to the cloud, they do not realize that their CSP’s native cloud constructs do not give them much security control or the visibility they need from a security compliance perspective. This means it is not enough to adopt the CSPs’ cloud native constructs, such as default security groups or open source ZTNA tools.
When enterprises begin the migration from on-premises to the cloud, they often do not think about cloud security holistically. Instead, they must take an architectural approach as part of their overall security posture. Cloud security cannot be an afterthought. It should be right up front. The push to move from on-premises networks to the cloud demands speed and agility. But if an enterprise is too willing to think their CSP’s security features are adequate and does not want anything to slow down their migration to the cloud, they are not prepared for the security consequences.
Another mistake is when enterprises forget to protect applications under development and only protect production and pre-production applications. This is how the SolarWinds hackers succeeded. They started building or injecting their malicious code during their target’s development process. If SolarWinds had installed security controls in their development environment, the attack could have been stopped right there.
App developers who do not prepare a cloud security strategy also will not be ready when top-level management pressures them to deliver cloud apps. Without a cloud security strategy, enterprises do not just lose the chance to get an app into production. They lose agility, time, and money. This causes a lot of enterprises, especially large organizations, to take longer to get into the cloud because they are giving security a lot more consideration. They ask themselves: How can we secure our pipeline for all our apps? How can we secure our on-prem pipelines? Even simple things like security groups and access, meaning who gets what at what level of access, take a long time to figure out and get right. But the alternative is not pretty. Before you are ready to fly into the cloud, security and the network must go hand in hand. Your base network infrastructure architecture must be 100 percent right from day one.
Another mistake is that enterprises risk having their projects halted by a network audit when they do not use adequate security measures. The auditor can shut down a project if it does not meet security standards, putting the enterprise months or even years behind release of a strategic application. Enterprises must keep next-generation firewall inspection in mind. They may think that if they are working in a normal production environment, security controls are expensive and are not needed, or that security controls will complicate their architecture, and they will save it for their production workloads.
The Right Approach to Cloud Security
The challenges go beyond accepting that cloud security is the enterprise’s responsibility. Organizations want to simultaneously embrace what is already in their network and bolster it at the same time so they can use the cloud to improve and grow their business. This means establishing a cloud security strategy that does not take shortcuts but that also does not impact time-to-market for cloud applications.
One dilemma is that there is a cloud security skills gap, which might tempt enterprises to take shortcuts. To help customers lower the security skills gap in a multi-cloud world, Aviatrix offers the ACE Multi-Cloud Network Training and Certification program. The courses consist of a self-paced online Associate training and the Professional and Cloud Operations courses, which are led by a live instructor online.
Yet the skills gap is not an excuse for only relying on the CSP’s cloud native constructs, because it does not give enterprises enough visibility into the network or the right tools for setting up and responding to security alerts. It’s like relying on a black box. You cannot peek inside. How can you protect something you can’t see?
Enterprises anywhere on their cloud journey must change their mindset and take a layered, matrix-type approach to cloud security. Automation of security monitoring is also important, because a lot of security errors are caused by human error. Aviatrix mitigates the effects of human error by automating some of these processes. We know exactly what the pain points are, where the security gaps are, and how to address them. We have a layered security model for network architecture that is helping a lot of enterprises in a lot of industries, all on one platform, which makes life easier. Aviatrix gives you all the built-in knobs you need to have that foundational security in your cloud while not losing agility.
Once you decide to take responsibility for your enterprise’s cloud security, start to think about security everywhere. Security must reach into every aspect of your organization. Let your CEO, CIO, and network architect know that even if you are deploying a simple transit, it must be secure and encrypted properly. This applies to any service and any application reaching all the way to the perimeter of your network. Visibility is extremely important. You need to be able to tap into enterprise data, to have eyes and ears that can detect anomalies and let you take actions based on alerts. This is where Aviatrix CoPilot provides extremely powerful multi-cloud transit visibility for networks.
Aviatrix understands both the challenges and the potential of the cloud. We have helped hundreds of enterprises build visibility into their cloud networks so that, like an unnecessary set of training wheels, cloud security will not hold them back.
Ginny Dudek adapted this article from an Aviatrix podcast discussion on security. She is a Technical Writer in the Technical Marketing team at Aviatrix.