How important is cloud security? According to a survey of over 2,100 organizations cited in a recent Gartner report (“How to Develop Infrastructure-as-a-Service Security Skills,” 22 February 2018), the category of security and risk management, which includes the cloud security professional, represented the third-largest talent gap in IT.
That’s a big deal for those of us living in a cloud-native world. Let’s take a look at the risks and discuss strategies for addressing them, based on Gartner’s analysis.
Falling Behind Is Dangerous
Perhaps most significantly, the spread between organizations rated as overall trailing performers and those rated as leading performers was greater for the security talent gap than for any other category, according to Gartner. Trailing performers in traditional, network-based security are likely to have an even greater talent gap when it comes to cloud-based security, placing them at risk of catastrophic security failures when they move into the cloud. Even top cloud security professionals and traditional security performers, however, may find themselves unprepared for the security challenges presented by cloud deployment.
What are these challenges, and how can a cloud security professional meet them? In this post, we’ll look at some of the key cloud security issues, and at the skills and knowledge that will help you tackle them.
1. Understand the Division of Responsibility of a Cloud Security Professional
To a considerable degree, there is a natural division of responsibility between CSPs (cloud service providers) and clients when it comes to security. The CSP necessarily controls the entire physical infrastructure, as well as the layers of abstraction between the physical infrastructure and the cloud services used by the client. Clients only have control of the resources within the scope of services which they have leased.
If you are used to dealing with on-premises security, this may require some major shifts both in terms of habits of thought and at the conceptual level.
2. Trusting Your CSP
You need to be ready to psychologically cede control of hardware and lower-level infrastructure security to the CSP, trusting them to do an adequate job, simply because there isn’t anything else you can do. You can and should, however, develop at least a general understanding of their security policies and practices, as well as their track record in providing security. If you are now in the position of being a customer, you can still be an informed customer.
3. Knowing Your Responsibilities
As a cloud security professional, you need to have a clear and complete picture of those aspects of cloud security which you can control, because they are your responsibility as a cloud client. This includes virtually all of the traditional software-based security issues, such as authentication, access control, and intrusion monitoring, detection, and response at the application and virtualized infrastructure level. The best basic rule to follow is that if you deploy it, you are responsible for its security, and if you connect to a resource, you are responsible for all security associated with your end of that connection.
4. Understand Cloud Infrastructure Security
Your CSP may be responsible for security at the hardware and lower infrastructure levels, but your responsibility begins at the points where your application and virtualized infrastructure meet the cloud. This means that you need to have a full understanding of the potential security problems of any virtual machines or container deployment systems which are included in your deployment, including hypervisor and host OS vulnerabilities.
It also means that you need to be aware of any potential vulnerabilities involving cloud APIs (which operate above the levels of infrastructure where the CSP has sole control and responsibility). In a full-featured cloud platform, you are likely to make extensive use of the services provided by that platform. Every API call to a cloud-based service is a potential point of entry for intruders into your system, in the same way that any user interaction presents a risk of intrusion.
5. Create a Cloud Security Toolkit
Once you understand the security issues and vulnerabilities associated with your organization’s cloud deployment, you can develop a set of cloud-specific security tools for your software development team to use. It can include rules, authentication services, and encrypted resources.
Your testing regime can also include cloud security tests, comprising a set of virtualized APIs, to test how the application handles malicious payloads and malformed data. You can also test for the correct use of preconfigured security tools and libraries. The overall goal should be that secure code is deployed by default.
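One way such a test can look, as an added example that is not part of the original post: a virtualized object-listing API feeds constructed malformed and hostile responses to an application-side handler, and the suite records which ones the handler rejects. The function names, the response format and the size limit are assumptions made for illustration.

```python
import json

MAX_BODY = 4096  # assumed response size limit for this example

class RejectedResponse(Exception):
    """Raised when an API response fails validation."""

def fake_list_objects(body):
    """Virtualized stand-in for a cloud object-listing call (hypothetical)."""
    return lambda bucket: body

def safe_list_keys(list_objects, bucket):
    """Application-side handler: treat the API response as untrusted input."""
    raw = list_objects(bucket)
    if len(raw) > MAX_BODY:
        raise RejectedResponse("body too large")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise RejectedResponse("not valid UTF-8 JSON") from exc
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise RejectedResponse("missing or mistyped 'keys'")
    for k in keys:
        if not isinstance(k, str) or not 0 < len(k) <= 256:
            raise RejectedResponse("bad key type or length")
        if k.startswith("/") or ".." in k.split("/") or "\x00" in k:
            raise RejectedResponse("unsafe key path")
    return keys

# Constructed responses: one well-formed, the rest malformed or hostile.
CASES = {
    "ok": b'{"keys": ["reports/2018/q1.csv", "logo.png"]}',
    "truncated": b'{"keys": ["a.txt"',
    "bad_utf8": b'\xff\xfe{"keys": []}',
    "wrong_type": b'{"keys": "a.txt"}',
    "traversal": b'{"keys": ["../../etc/passwd"]}',
    "oversized": b'{"keys": ["' + b"A" * 5000 + b'"]}',
}

def run_suite():
    """Map each constructed case to 'accepted' or 'rejected'."""
    results = {}
    for name, body in CASES.items():
        try:
            safe_list_keys(fake_list_objects(body), "example-bucket")
            results[name] = "accepted"
        except RejectedResponse:
            results[name] = "rejected"
    return results
```

Run in the delivery pipeline, a suite like this fails the build if any hostile case comes back as accepted.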
6. Know When to Outsource Security
This cannot be emphasized enough. Everything that we’ve been talking about so far really falls under the heading of basic best practices, but even the basics can have a sometimes steep learning curve. The most effective way to move beyond the basics is often by engaging the services of specialists, and cloud security is no exception.
This is particularly true of container security; container deployment is a complex process involving a very large number of rapidly appearing and disappearing container instances which cannot be easily tracked. Container management and service discovery themselves require highly specialized services; working with a container security provider allows you to offload the even more complex tasks involved in container security and concentrate on the cloud security issues which are specific to your application.
7. Take Responsibility for Cloud Security in Your Organization
Become an advocate. Be the voice in your company for cloud security. Explain why it is important, how it works, and how your DevOps team can incorporate security into every aspect of your continuous delivery chain. Provide information and resources, and present ready-to-put-in-practice plans for implementing cloud security. Look for ways to bring reluctant or skeptical team members on board.
And look ahead. As your team incorporates more cloud security best practices into the continuous delivery pipeline, DevOps as practiced by your organization will naturally metamorphose into DevSecOps—DevOps with security built in at the level of design. When this happens, you and the rest of your DevOps team will have become not just practitioners, but leaders in the cloud security professional realm.