BIZTECH: How sophisticated are organizations about cloud security? How much progress has been made?
REAVIS: There are different ways you can think about whether organizations have been able to gain enough of that sophistication. One metric is that we have a big gap in the cybersecurity workforce, with anywhere from 3 million to 6 million jobs open. A lot of that is cloud, so there is a skills gap that’s very concerning.
With cloud being kind of the default IT, the sophistication has grown quite a bit, but we still have a sizable skills gap, and there are a lot of people who’ve been trained in the legacy moat-and-castle network views of security. We need to get them to understand more of the identity and application orientation of security in the cloud. There’s work to do, but we’ve made big strides.
BIZTECH: Is it getting easier or harder for organizations to secure their cloud environments?
REAVIS: Today, there’s a wealth of knowledge and maturity about cloud that certainly makes doing a lot of the tasks much easier. When it comes to how you set up your environment, do filtering and access control, deny and grant permissions, how you can lock down virtual machines, and more, we now have so many templates, scripts and tools to automate a lot of that.
However, there’s also more dynamism today, which can make it harder. In the old days, we’d say we’re going to upgrade this version of the software a couple of times a year, but now you see changes and updates on a continuous basis and several times a day. That dynamic nature and pushing the envelope — that makes it harder. Also, if you’re an organization that’s half on-premises and half in the cloud, it can be quite a challenge to manage that complexity. That’s going to push organizations to modernize and be more holistically in the cloud.
Overall, though, when you compare apples to apples on the types of things we were struggling with before, it’s so much easier to do a lot of those things and to automate them.
BIZTECH: One common challenge businesses struggle with is misconfiguration. Is that still the case?
REAVIS: You hate to point fingers, but it’s a pretty simple — and big — finger to point at the cloud customer or the cloud tenant. About 95 percent of the security issues that happen in cloud are things under customers’ control, and configuration is a big one.
Another big one is credentials management. Who has access to different things? How do we think about that architecture? What do they have access to, and how are we segmenting things?
Not having good multifactor authentication or good identity management configuration is a problem, and those things are well within the control of a typical cloud customer to do right.
BIZTECH: Are there any emerging cloud security threats you are particularly concerned about?
REAVIS: Certainly ransomware. Ransomware has spanned across cloud, endpoint, noncloud — all sorts of things. That certainly is of concern as it gets more sophisticated. You hear about, for example, organizations that have their cloud-based production systems as well as their backup archival systems managed by the same set of administrator credentials, and that’s a recipe for disaster. An attacker can not only encrypt and disrupt production systems but also wipe out backups at the same time.
The cloud providers do a really good job of segmentation, but you can never say never about those sorts of things.
We also have to think about insider threats, especially in larger organizations. There’s also extortionware, where it’s not just about keeping your information encrypted in suspended animation but leaking it or holding a company’s operational status hostage. We’re very concerned about those things.