
How Security Practitioners Should Think About and Approach Double Layered Cloud Security



In this episode of Audience 1st Podcast, Avishai Wool, CTO of AlgoSec, and Joshua Copeland, Director of Managed Security Services at Quadrant Information Security and professor at Tulane University, join host Dani Woolf to discuss the complexities of cloud security and the challenges practitioners face when migrating to the cloud. They delve into the shift towards cloud-based infrastructure and the unique human-centric, business, and technical security considerations that come with it. Avishai and Josh highlight the significance of understanding the interconnected nature of cloud and on-premise environments and provide practical steps toward a comprehensive, double layered approach to cloud security.

Guests at a Glance:

Avishai Wool: Avishai Wool is Algosec's CTO and co-founder with over 20 years of experience in network security. He has been working in this field for several years and continues to find it exciting due to the constant evolution of technology in the industry.

Joshua Copeland: Joshua Copeland currently works as a CISO and adjunct professor at a prestigious university, specializing in cybersecurity. His passion for cybersecurity stems from the dynamic and ever-evolving nature of the field, keeping him mentally engaged and challenged.

Understanding the New Landscape

As organizations increasingly migrate to the cloud, the landscape of cybersecurity has undergone a seismic shift. 

This evolution brings both great opportunities and complex challenges that demand a reimagining of traditional security paradigms.

Avishai Wool, a veteran in the field, eloquently captures the essence of this transformation: "When you move to the cloud, the set of things that potentially can help protect you is a lot bigger, like orders of magnitude, more stuff to think about than what you used to do in the past." 

This expansion of protective measures is both a blessing and a curse – offering enhanced security capabilities but also requiring a more sophisticated and nuanced approach to implementation.

The cloud introduces a level of complexity that can be overwhelming. 

Unlike traditional on-premise setups where security perimeters were clearly defined, cloud infrastructures are fluid, dynamic, and potentially accessible from anywhere in the world. 

This paradigm shift necessitates a complete overhaul of security strategies and mindsets. 

Continuous Change and Adaptation: The New Normal

Both Avishai and Joshua emphasize the relentless pace of change in the cybersecurity space. As Josh puts it, "It's one of those things that keeps me actively engaged mentally. So, I love cybersecurity." This constant evolution is driven by several factors:

  • Technological Advancements: Cloud service providers continuously roll out new features and services, each potentially introducing new security considerations.
  • Regulatory Changes: The legal landscape surrounding data protection and privacy is in constant flux, with regulations like SEC’s cybersecurity disclosure rules, Digital Operational Resilience Act (DORA), and industry-specific mandates regularly updated.
  • Evolving Threat Landscape: Cybercriminals are constantly innovating, developing new attack vectors and exploiting emerging vulnerabilities.
  • Business Transformation: As organizations digitize more aspects of their operations, the scope and nature of what needs to be secured are always expanding.

This environment of perpetual change demands that security professionals adopt a mindset of continuous learning and adaptation. 

It's no longer sufficient to implement a security solution and consider the job done; instead, cloud security requires ongoing vigilance, regular reassessment, and agile response to new challenges.

Cloud Security Challenges

Visibility and Control

One of the most significant cloud security challenges is maintaining comprehensive visibility and control over assets. 

Josh articulates this challenge succinctly: "Particularly with cloud environments, it's just truly understanding what you have, what all interacts with it, and how are you going to protect that."

This lack of visibility stems from several factors:

  • Dynamic Resource Allocation: Cloud resources can be spun up and down rapidly, often without centralized oversight.
  • Shadow IT: Employees can easily provision cloud services without IT department involvement.
  • Multi-Cloud Environments: Many organizations use multiple cloud providers, each with its own set of tools and dashboards.
  • Complex Interactions: Cloud services often interact in complex ways, making it difficult to understand data flows and access patterns.

To address this, organizations need to invest in robust asset management and discovery tools, implement strict governance policies, and foster a culture of security awareness across all departments.

The Configuration Conundrum

Avishai highlights another critical challenge: the complexity of securely configuring cloud environments. 

He notes, "When you power up something, it could be an S3 or a security group in AWS... by default, that thing's not protecting you or not properly because the vendor wants to make sure it works for you."

This default toward functionality over security is a double-edged sword. 

While it allows for rapid deployment and experimentation, it also creates significant security risks if not properly managed. 

Organizations must strike a balance between enabling agility and maintaining security, which requires:

  • Comprehensive Configuration Management: Implementing tools and processes to ensure all cloud resources are configured according to security best practices.
  • Automated Compliance Checks: Regularly scanning configurations against industry standards and internal policies.
  • Least Privilege Principle: Ensuring that all resources and users have only the minimum necessary permissions.
  • Continuous Monitoring: Implementing real-time alerts for any configuration changes that could introduce vulnerabilities.
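The four practices above are what a CSPM check actually does in code. The following is an added example, not code from AlgoSec, Quadrant or the podcast: it runs configuration checks over a small constructed inventory (security groups, buckets and IAM policies in a shape loosely modelled on AWS describe-* output, but invented here), applies a least-privilege test to policies, and diffs two snapshots so that a change which newly exposes a resource is surfaced as a fresh finding. The resource names, port list and severity labels are all assumptions for the illustration.

```python
"""Toy CSPM-style checks: configuration audit, least-privilege test and
change monitoring. Added illustration; all inventory data is constructed."""
import copy
from ipaddress import ip_network

# Ports that should never be reachable from the whole internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. 'anyone on the internet'."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(sg):
    """Flag inbound rules that expose sensitive ports, or every port, to any source."""
    findings = []
    for rule in sg.get("ingress", []):
        world = [c for c in rule.get("cidrs", []) if _is_world(c)]
        if not world:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        all_ports = rule.get("protocol") == "-1" or (lo == 0 and hi == 65535)
        exposed = [p for p in SENSITIVE_PORTS if lo <= p <= hi]
        if all_ports or exposed:
            findings.append({"resource": sg["id"], "check": "sg-open-to-world",
                             "severity": "high",
                             "detail": f"ports {lo}-{hi} open from {', '.join(world)}"})
    return findings


def check_bucket(bucket):
    """Flag buckets that are public by ACL or have public-access blocking disabled."""
    findings = []
    if bucket.get("acl") in ("public-read", "public-read-write"):
        findings.append({"resource": bucket["name"], "check": "bucket-public-acl",
                         "severity": "high", "detail": f"acl={bucket['acl']}"})
    if not bucket.get("block_public_access", False):
        findings.append({"resource": bucket["name"], "check": "bucket-public-access-unblocked",
                         "severity": "medium", "detail": "block_public_access is off"})
    return findings


def check_iam_policy(policy):
    """Least privilege: flag Allow statements that grant everything on everything,
    or a whole service's action namespace."""
    findings = []
    for stmt in policy.get("statements", []):
        if stmt.get("effect") != "Allow":
            continue
        actions, resources = stmt.get("actions", []), stmt.get("resources", [])
        if "*" in actions and "*" in resources:
            findings.append({"resource": policy["name"], "check": "iam-full-admin",
                             "severity": "critical", "detail": "Action * on Resource *"})
        elif any(a.endswith(":*") for a in actions):
            findings.append({"resource": policy["name"], "check": "iam-service-wildcard",
                             "severity": "medium", "detail": ", ".join(actions)})
    return findings


def assess(inventory):
    """Run every check over a whole inventory snapshot and return the findings."""
    findings = []
    for sg in inventory.get("security_groups", []):
        findings += check_security_group(sg)
    for b in inventory.get("buckets", []):
        findings += check_bucket(b)
    for p in inventory.get("iam_policies", []):
        findings += check_iam_policy(p)
    return findings


def new_findings(previous, current):
    """Continuous monitoring: findings present now that were absent before a change."""
    seen = {(f["resource"], f["check"]) for f in previous}
    return [f for f in current if (f["resource"], f["check"]) not in seen]


# Constructed sample inventory. sg-admin and marketing-assets are the
# 'works out of the box' defaults the quote above warns about.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-admin", "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-db", "ingress": [{"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidrs": ["10.0.0.0/8"]}]},
    ],
    "buckets": [
        {"name": "app-logs", "acl": "private", "block_public_access": True},
        {"name": "marketing-assets", "acl": "public-read", "block_public_access": False},
    ],
    "iam_policies": [
        {"name": "ci-deploy", "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
        {"name": "reader", "statements": [{"effect": "Allow", "actions": ["s3:GetObject"],
                                           "resources": ["arn:aws:s3:::app-logs/*"]}]},
    ],
}


def drift_example():
    """Simulate someone widening sg-db to the internet and return only what changed."""
    after = copy.deepcopy(SAMPLE_INVENTORY)
    after["security_groups"][2]["ingress"][0]["cidrs"].append("0.0.0.0/0")
    return new_findings(assess(SAMPLE_INVENTORY), assess(after))


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['resource']}: {f['check']} ({f['detail']})")
    print("new after change:", [f["resource"] for f in drift_example()])
```

`assess` is the scheduled scan; `new_findings` is the alert path, which is what keeps a team from re-reading the same 400 known findings every morning and lets them act on the one rule that changed overnight.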

Strategic Approaches to Cloud Security: Building a Robust Foundation

Cloud Security Posture Management (CSPM): The First Line of Defense

Avishai suggests using CSPM tools as a foundational step in securing cloud environments. He states, "Your absolute basic fundamental thing is, you know, what's called the cloud security posture management system (CSPM) that helps you understand the, you know, that your team, at least checking all the basic boxes."

CSPM tools provide several critical functions:

  • Continuous Assessment: Automatically scanning for cloud misconfigurations and compliance violations.
  • Risk Visualization: Providing a comprehensive view of the organization's cloud security posture.
  • Automated Remediation: Offering capabilities to automatically fix common misconfigurations.
  • Compliance Mapping: Aligning cloud configurations with regulatory requirements and industry standards.

By implementing a robust CSPM solution, organizations can establish a strong baseline for their cloud security efforts and gain the visibility needed to make informed security decisions.

Iterative and Incremental Improvements: The Path to Maturity

Josh advises against making sweeping changes all at once, advocating instead for a more measured approach: "You have to be very surgical... not go too big too fast and try to fix everything. You gotta be incremental in it because you are in a Brownfield and it's running an operation and you don't want to inadvertently, you know, crash your company."

This iterative approach to cloud security offers several advantages:

  • Risk Mitigation: By making smaller, targeted changes, organizations can minimize the risk of disrupting critical business operations.
  • Learning Opportunities: Each incremental improvement provides insights that can inform future security efforts.
  • Flexibility: An iterative approach allows for easier course correction as the threat landscape evolves.
  • Stakeholder Buy-In: Gradual improvements are often easier to justify and implement from a business perspective.

Organizations should develop a prioritized roadmap for cloud security improvements, focusing first on high-risk areas and quick wins before moving on to more complex, long-term initiatives.

The Role of Networking in Cloud Security: Bridging the Gap

Network Security in Hybrid Environments

Avishai underscores the importance of securing connections between cloud and on-premise environments: "You need some kind of hybrid visibility into the networking part so that you see the whole picture." 

This emphasis on networking highlights a critical aspect of cloud security that is often overlooked.

In hybrid environments, where organizations maintain both cloud and on-premise infrastructure, the network becomes the critical fabric that ties everything together. 

Securing these interconnections involves:

  • Secure Connectivity: Implementing encrypted VPN tunnels or dedicated connections between cloud and on-premise environments.
  • Network Segmentation: Properly isolating different parts of the hybrid network to contain potential breaches.
  • Traffic Monitoring: Implementing robust logging and monitoring solutions to detect unusual patterns or potential threats.
  • Identity-Based Access Control: Ensuring that network access is tightly controlled based on user and device identity, regardless of location.

Double Layered Cloud Security: A Comprehensive Approach

Avishai introduces the concept of double layered cloud security, which combines CSPM for initial visibility and network security to manage interactions and risks between different environments. 

He explains, "Your first layer is having a cloud security posture management solution... your second layer is worrying about the networking, especially the networking as it connects your cloud environment to your on-premise environment."

Double-layered protection across the cloud estate provides a more comprehensive security posture:

  • CSPM Layer: Focuses on cloud-specific misconfigurations, compliance issues, and identity and access management.
  • Network Security Layer: Addresses data in transit, network segmentation, and secure connectivity between different environments.

By implementing both layers, organizations can create a more robust and resilient security posture that addresses both cloud-specific and traditional network security concerns.

Practical Recommendations for Cloud Security: From Theory to Practice

Start with Visibility: Know Your Cloud Estate

Avishai's advice for organizations new to cloud security is to start by gaining visibility into their assets and configurations. He suggests, "The first thing that I ask my guys and girls is, are all our accounts onboarded into this solution?"

This focus on visibility should involve:

  • Comprehensive Asset Discovery: Identifying all cloud accounts, resources, and services in use across the organization.
  • Configuration Auditing: Assessing the current state of security configurations across all cloud resources.
  • Access Review: Understanding who has access to what resources and whether these access rights are appropriate.
  • Data Classification: Identifying and classifying sensitive data stored in cloud environments.

By establishing this baseline visibility, organizations can make informed decisions about where to focus their security efforts and resources.

Leverage Tools and Best Practices: Don't Reinvent the Wheel

Both Avishai and Josh recommend leveraging established benchmarks and tools like CIS benchmarks and NIST guidelines to secure cloud environments. Josh points out, "There are lots of great tools that you can use. CIS Benchmark... cloud-specific NIST 800-171... go here, go here, click this button, check this setting."

Organizations should:

  • Adopt Industry Standards: Align cloud security efforts with established frameworks like CIS, NIST, and ISO 27001.
  • Utilize Cloud-Native Security Tools: Take advantage of security features provided by cloud service providers.
  • Implement Third-Party Solutions: Consider specialized tools for areas like CSPM, cloud workload protection, and cloud security information and event management (SIEM).
  • Automate Compliance Checks: Use tools that can automatically assess and report on compliance with chosen standards.

Human Factors in Cloud Security: The People Behind the Technology

The Importance of Skilled Professionals: Bridging the Knowledge Gap

Avishai and Josh acknowledge the skill gap in the industry. 

Avishai notes, "There's a great body of knowledge that very few people have in their heads... there are guidelines and procedures and documents and systems and tools that can help us."

To address this skills gap, organizations should:

  • Invest in Training: Provide ongoing education and certification opportunities for IT and security staff.
  • Foster a Security-First Culture: Encourage all employees to think about security in their day-to-day activities.
  • Leverage Managed Services: Consider partnering with managed security service providers to augment internal capabilities.
  • Build Cross-Functional Teams: Create teams that combine cloud expertise with traditional security knowledge.

Balancing Security and Business Needs

Josh emphasizes the need to align security measures with business requirements. 

He advises, "Start with the business requirement first. Like what are you trying to do that supports the business? If it doesn't support the business, why are you doing it in the first place?"

This business-aligned approach to security involves:

  • Risk Assessment: Understanding the specific risks associated with different business processes and data.
  • Stakeholder Engagement: Involving business leaders in security decisions to ensure alignment with organizational goals.
  • Flexible Security Policies: Developing security policies that protect critical assets without unnecessarily hindering business operations.
  • Continuous Communication: Regularly updating business leaders on the security posture and emerging threats.

TL;DR

As organizations migrate to the cloud, they face new security challenges and opportunities. Avishai Wool and Joshua Copeland emphasize the need for continuous learning and adaptation due to the dynamic nature of cloud security, technological advancements, and evolving threats. Key strategies include starting with cloud security posture management (CSPM) for visibility, implementing network security for hybrid environments, and adopting an iterative approach to security improvements. Aligning security measures with business goals and leveraging established tools and benchmarks are essential. This double-layered approach ensures a robust and resilient security posture, addressing both cloud-specific and traditional network security concerns.
