Securing cloud resources during the move to remote work
Clouds, especially multicloud systems, continue to play an important role in business digital transformation efforts. This year, that role is especially important given the need to quickly move many employees to a remote work format.
One of the key challenges associated with increased reliance on cloud resources is building and maintaining ongoing security, including unified visibility and control to spot and mitigate threats and seamlessly remediate misconfigurations. We discussed the cloud security challenges that CISOs face while working with organizations around the world with three Fortinet Field CISOs - Courtney Radke, Joe Robertson and Alain Sanchez.
What do CISOs think about cloud computing security in 2020?
Alain: About two years ago, I overheard CISO colleagues saying that they are putting back some of the components they originally moved to the cloud as part of their digital transformation journey. Were these voices going to turn into a trend? We had to find out. So Fortinet commissioned an independent study that surveyed 350 decision-makers around the world - not necessarily Fortinet customers - and the results were amazing. They showed that 72% of respondents actually migrated one component back from the cloud, ranging from data to applications and processes.
However, this interesting figure does not mean that their journey to the cloud has ended. The cloud is still the biggest IT trend we've ever seen and continues to be a bright spot in 2020, according to Gartner. The story is more like a never-ending back-and-forth process, in which corporations view the cloud as a full-size, but not capital-intensive, innovation lab - a place where they can test and measure the speed at which new services take off, and then decide whether to keep them in the cloud or bring them back. However, one of the significant caveats in this feedback loop is that the outcome cannot neglect security in exchange for flexibility. The moment you need to manually republish, redeploy, and recheck one of the elements of your security policy, you lose the benefit of that freedom.
Joe: Another big issue that shouldn't surprise anyone is that CISOs are currently focusing on how to secure their new remote employees who access cloud-based applications from home. This issue exploded in situ, obscuring but not fixing other cloud-related issues. For now, I will focus on the main issues I hear from CISOs that are not affected by the Covid-19 crisis.
1. Manage cloud environments and ensure policy consistency across workloads no matter what cloud or data center they are running in.
2. Issues related to compliance with data protection regulations (especially personally identifiable information) while moving to or from the cloud.
3. Securing data in SaaS applications.
CISOs deal with a confusing combination of cloud providers and SaaS applications, which means they are looking for solutions that give them visibility and security control in multi-cloud environments. They are also looking for ways to report compliance with the requirements of boards of directors and regulators.
Courtney: There are three main concerns that I hear most from CISOs as they relate to cloud security strategy. Despite Covid-19, CISOs are pretty well aware that increasing agility (and making profits) has been a major challenge for companies looking to create or expand their digital space to better reach their customers. This meant they had to be ready to move quickly when it came to properly assessing risk and implementing a complete cloud security strategy. It takes time, and as we all know, businesses always want to move faster.
CISOs who methodically planned their cloud security strategies suddenly did not have the luxury of time to discuss cloud or not cloud. This is problem number one - lack of time for planning.
With the introduction, but not necessarily the choice, of the cloud provider(s), problem number two is marked by a lack of resources and training. With the prevalence of multi-cloud computing, security teams needed to become (or hire) experts in various architectures, tools, and cloud integrations, which can quickly become a complex workload for teams that are already busy.
To accelerate cloud migration and increase the number of security teams, businesses are turning to third parties for help and guidance, especially thanks to Covid-19. It is more important than ever to thoroughly review and regularly evaluate these partnerships to ensure that their security standards meet or exceed business standards. Opening up the environment to integrate with multiple third parties can solve temporary problems and even become part of a long-term business strategy. However, care must be taken to avoid the moment “you can't see the forest for the trees”. Affiliate agreements and security policies cannot be instant; they must develop together with the company.
What have we learned from recent events, such as the scaling of remote work and the displacement of the IT landscape, from a cloud computing security perspective?
Alain: The scale of the need for telecommuting took even the most far-sighted of CISOs by surprise. The point is, the infrastructure and teleworking policies were never designed to face the entire planet working from home. But surprise turned into action after a few weeks. With the expertise of an increasing number of renowned CISOs, we have developed methodological principles to cope with the tsunami of remote working while ensuring business continuity and data protection.
Joe: True, most of the CISOs' actions lately have been aimed at ensuring the safe work of remote employees. Now this "all hands on deck" period is calming down, and the realities of the economic situation are beginning to be felt. For some categories of businesses, the crisis was positive, but for most, its consequences range from difficult to disastrous. This leads to widespread belt-tightening, and information technology and security organizations are not immune to it.
The hacker community, both amateur and professional, has not been weakened by the crisis, so cutting spending on corporate cybersecurity seems like something from the category of "we drink champagne, but save on matches." However, when a company's earnings plummet, difficult decisions must be made. This is why many of the CISOs I communicate with are keenly considering investing in automation tools.
With so many users accessing cloud resources from home, outside of well-secured office connections, visibility into what happens to workloads in the cloud, who is accessing them, and automated analysis of cloud activity are more important than ever. An alert-based solution can take an analyst from 20 minutes to hours or more. Automation tools can deal with many alerts in seconds, leaving only the hardest for SOC analysts to solve.
Courtney: Recent events have really been in the "ready or not and we're here" category when it comes to dealing with the huge number of users accessing digital workloads and shop windows. For many companies, this was one of the few ways to interact with customers, so business resilience depended on the availability and attractiveness of their offerings in order to drive more traffic from elsewhere. This need for customer acquisition in times of great need may have relaxed the rules a bit when it comes to security to reduce transaction friction.
Likewise, consumer shopping patterns have changed, so the underlying data for peak (typical) shopping hours or app logins may have looked significantly different than 90 days ago. This happened in parallel with the rapid increase in the number of remote workers and the need to provide secure access to critical systems and information without performance issues. If users were unable to get to what they needed and quickly using approved methods like VPNs, they would start looking for their own ways to get what they needed. It's the same with the cloud: if it wasn't the best way, the most attractive option, then users would find another option. This meant that policies related to access hours, duration, number of sessions, etc. needed to be evaluated and updated. In addition, networks with zero trust, combined with adaptive authentication technologies, allowed users to get what they wanted while avoiding the proliferation of threat actors.
What are the most important points for CISOs in terms of cloud security?
Alain: The comment I hear most often is the fear of being unable to return to the past. “The moment I start to cash out all the benefits of my cloud strategy, cost, flexibility, real-time statistics, will I be able to maintain complete control over my strategy?”
I remind these colleagues that Fortinet's role is not to influence their cloud strategy in one way or another. We are a pure security player and our mission is to serve any cloud scenario our customers accept: native cloud, hybrid cloud, or any combination of the above. The goal is to provide consistent and reliable security, including visibility and control, regardless of their cloud strategy.
Joe: I've found that no matter what cloud environments customers have, at some point we're always talking about agile software development and DevOps, which can be tricky for the security team especially since many applications run on one or more clouds. Everyone is trying to get developers to involve security early in the development process, with some doing better than others.
This shift implies the participation of security experts along with the development team at the beginning of the cycle. As you can imagine, with so much development using open source, public libraries, APIs for other applications, and so on, securing a modern application is a major concern. Just getting an idea of what is happening with different workloads is challenging.
Courtney: I recently spoke to a colleague who went through a full cloud audit and the results were enlightening to say the least. They found that over 30% of the company's cloud workloads were either heavily underutilized, grossly misconfigured, or, in the worst part, unknown. They immediately thought, “Can you imagine the cost savings if we sorted these environments correctly?” Even though this is a perfectly valid point of view, which is most likely present in the heads of companies today, I thought, “Do you have any idea what a positive effect cleaning this environment will have on your safety?”
This is called cloud overgrowth, and it becomes more prevalent as cloud computing becomes more common, similar to virtual computing and the traditional server architecture that existed before it. Anyone can roll out new cloud resources that enable fast and flexible business operations, but they also open doors to threats.