Oct 29 2021

Q&A: As Businesses Accelerate Cloud Migrations, What Is the State of Security?

There’s been a lot of progress, but there’s still much more to do, says Cloud Security Alliance CEO Jim Reavis.

Businesses have embraced cloud computing in a big way: According to a recent survey, 69 percent of IT leaders say at least 60 percent of their organizations’ infrastructure will be in the cloud within two years. IT leaders who were once held back from the cloud by security concerns have come to realize that their own policies, misconfigurations and poor security planning — and not their cloud platforms — are responsible for any vulnerabilities in their environments.

How much progress have businesses made on cloud security, and what are the key vulnerabilities leaders should worry about today? In a conversation with BizTech, Cloud Security Alliance Co-Founder and CEO Jim Reavis answered those questions and more.

BIZTECH: IT leaders have traditionally worried most about security when it comes to the cloud. Is that still true?

REAVIS: It’s certainly evolved. With any new technology, there always is a lot of concern about how secure it is. In the early days, as people were piloting this, there were a lot of questions and there were definitely gaps — like cloud providers not providing good enough log files, for example.

The bigger question was compliance: We can make our systems secure, but how do we communicate that to regulators and auditors? That ended up being a bigger issue. Today, we’ve seen the trend of cloud becoming the default IT system for a few years, and certainly the pandemic made that a moot point. People went very robustly into the cloud.

BIZTECH: How sophisticated are organizations about cloud security? How much progress has been made?

REAVIS: There are different ways you can think about whether organizations have been able to gain enough of that sophistication. One metric is that we have a big gap in the cybersecurity workforce, with anywhere from 3 million to 6 million jobs open. A lot of that is cloud, so there is a skills gap that’s very concerning.

With cloud being kind of the default IT, the sophistication has grown quite a bit, but we still have a sizable skills gap, and there are a lot of people who’ve been trained in the legacy moat-and-castle network views of security. We need to get them to understand more of the identity and application orientation of security in the cloud. There’s work to do, but we’ve made big strides.

BIZTECH: Is it getting easier or harder for organizations to secure their cloud environments?

REAVIS: Today, there’s a wealth of knowledge and maturity about cloud that certainly makes doing a lot of the tasks much easier. When it comes to how you set up your environment, do filtering and access control, deny and grant permissions, how you can lock down virtual machines, and more, we now have so many templates, scripts and tools to automate a lot of that.

However, there’s also more dynamism today, which can make it harder. In the old days, we’d say we’re going to upgrade this version of the software a couple of times a year, but now you see changes and updates on a continuous basis and several times a day. That dynamic nature and pushing the envelope — that makes it harder. Also, if you’re an organization that’s half on-premises and half in the cloud, it can be quite a challenge to manage that complexity. That’s going to push organizations to modernize and be more holistically in the cloud.

Overall, though, when you compare apples to apples on the types of things we were struggling with before, it’s so much easier to do a lot of those things and to automate them.

BIZTECH: One common challenge businesses struggle with is misconfiguration. Is that still the case?

REAVIS: You hate to point fingers, but it’s a pretty simple — and big — finger to point at the cloud customer or the cloud tenant. About 95 percent of the security issues that happen in cloud are things under customers’ control, and configuration is a big one.

Another big one is credentials management. Who has access to different things? How do we think about that architecture? What do they have access to, and how are we segmenting things?

Not having good multifactor authentication or good identity management configuration is a problem, and those things are well within the control of a typical cloud customer to do right.

BIZTECH: Are there any emerging cloud security threats you are particularly concerned about?

REAVIS: Certainly ransomware. Ransomware has spanned across cloud, endpoint, noncloud — all sorts of things. That certainly is of concern as it gets more sophisticated. You hear about, for example, organizations that have their cloud-based production systems as well as their backup archival systems managed by the same set of administrator credentials, and that’s a recipe for disaster. An attacker can not only encrypt and disrupt production systems but also wipe out backups at the same time.

The cloud providers do a really good job of segmentation, but you can never say never about those sorts of things.

We also have to think about insider threats, especially in larger organizations. There’s also extortionware, where it’s not just about keeping your information encrypted in suspended animation but leaking it or holding a company’s operational status hostage. We’re very concerned about those things.

BIZTECH: What emerging solutions are you seeing to combat some of these threats?

REAVIS: There’s a buzzword that I’m sure all your readers have heard time and again, which is zero trust. Zero trust is not a new concept, this idea that the perimeter is dead and we need to have a lot more focus on identity. That’s one evolution that we’re having: The security technologies today are more identity aware.

We are also seeing a lot more focus on cloud vulnerability management and cloud security posture management, event management, as well as some advanced endpoint management solutions such as XDR. You’re seeing a lot more automation that’s allowing you to continually monitor your cloud environment.

There are some great solutions, and zero trust influences a lot of that. It’s about saying, “Everything — people, devices, data stores, virtual machines — it all needs to have an identity, and then we can provide access based on that.”

BIZTECH: Is there anything you think is missing from the conversation around cloud security?

REAVIS: I think we still struggle with our communications to our boards of directors and our C-suites outside of the CISOs. We really need to have a mutual dialogue about the ROI of cloud, and how cloud combined with cybersecurity really is a business enabler, because it still too often is seen as just overhead and a cost of doing business and compliance. If you can put compute anywhere you want at any time, very rapidly, and you can trust it because you have the right security in place, that really opens up the possibility to a lot of new business products and models. That’s the area I think we’re really missing a lot.