The challenges facing chief information security officers (CISOs) have evolved dramatically in the past decade. Today, they must align their security efforts — and budgets — with the business goals of their organization, which may range from maintaining customer confidence that their data is safe to protecting intellectual property from theft.
As a key member of the executive management team, CISOs often have board-level reporting responsibilities. They must manage a new and daunting level of technical complexity introduced by the cloud, where identities are virtually the first and last line of defense. And the job doesn’t end there. To be successful, they must also put substantial effort into building a team with skills in a variety of disciplines, and choosing the right defensive technologies.
The Technical Challenge
The transition to remote or hybrid work models combined with accelerated cloud adoption has greatly expanded the attack surface CISOs must protect. Furthermore, they often have to deal with more than one cloud. The major providers — Amazon Web Services, Azure, and Google Cloud Platform — all have slightly different structures, procedures, requirements, and so on, all of which further increase the complexity of managing these sprawling architectures.
Data-center-oriented companies that have transitioned to the cloud obviously face a new set of security concerns that conventional firewalls were never designed to handle. Hence, the now commonly heard refrain “Identity is the new perimeter.” This is certainly true. While firewalls and other network-based controls shouldn’t be abandoned, CISOs need to focus on identity issues. The following three-step process can deliver results in this area quickly and efficiently.
- Rein in excess privileges. During a migration to the cloud, global privileges are often granted to everyone on the transition team. It’s best to avoid this, but if it happens, privileges should be reviewed and limited after the transition. One good way to do this is to monitor which resources are being accessed by which individuals. If an individual isn’t accessing a particular resource, the right to do so should be revoked.
Correlate excess privileges and misconfigurations. Cloud misconfigurations are another serious risk. But when a privileged identity has access to a misconfigured cloud resource, the results can be disastrous. Fortunately, automated tools are now available to help detect misconfigurations, as well as excessive privileges, and remediate them to eliminate threats.
- Prioritize. There is never enough time or enough staff to correct every misconfiguration, so it’s important to focus on those that are the greatest source of security risk. For example, remediating identity-based access threats to cloud storage buckets is critical for preventing data breaches. Monitoring for configuration errors that expose data through excessive, default, etc., permissions should be a top priority.
The Human Challenge
Securing cloud infrastructure demands unique skills, and finding qualified individuals to do the work is one of CISOs’ biggest challenges. There are three key areas of competency that every cloud security team should possess:
- Architectural competence. To assess an organization’s security posture and create a road map for maturing it over time, security teams require a reference model. The CSA framework is an excellent resource, and there are several others available. Without a clear understanding of architectural concepts presented in industry standard security frameworks like CSA, it’s difficult to reduce the cloud attack surface and easy to overlook blind spots.
Cloud engineering. The security team also needs to handle the day-to-day requirements of cloud security, which may include management, maintenance, and more. Competent cloud engineering is essential for “keeping the lights on” in the security sphere.
Reactive capabilities. Globally, cyberattacks occur at the rate of 30,000 per day. Every enterprise can expect incidents to occur on a regular basis, and security teams need specialists who can react quickly to limit — if not prevent — serious consequences.
The ideal makeup of a cloud security team spans network, cloud, and development specialists who can work collaboratively. The task of building a team with these capabilities is complicated by the fact that there is a shortage of 3.4 million cybersecurity workers at the moment.
One approach that works well as a supplement to hiring is development from within through training. This may occur in-house or through third-party certification programs. Also, in choosing vendors, organizations should favor those whose offerings include a strong training component. If possible, CISOs may find ways to get non-security employees to work on some security tasks.
Once assembled, one of the problems that any security team will encounter is dealing with multi-cloud architectures, which are becoming the norm. Very few individuals are familiar with the tools, nomenclature, and security model of all three major cloud platforms. For this reason, many companies are turning to cloud native technologies that understand the nuances associated with securing different cloud platforms and simplify security tasks for users that may lack specialized training in AWS, Azure, GCP, etc.
To sum up, the challenges facing today’s CISOs are largely driven by the cloud, which creates a greatly expanded attack surface that needs to be protected. Meanwhile, mastering the management model and tools used by each cloud platform requires security expertise that is in extremely short supply. Solutions are available that provide the visibility and platform knowledge needed to help security teams implement best practices for protecting their cloud infrastructure, while helping them up-skill analysts in the process.