Usable Cloud Security – The Antidote to Cloud Complexity

Cloud security risk is ubiquitous yet manageable if you accept cloud complexity and seek solutions focused on usability and insights you can act on.

By Ermetic Team

An effective cloud security solution should present information that is manageable, usable and actionable. Here’s what that looks like.

Cloud security risk is ubiquitous – yet it can be mitigated. It’s important to accept cloud complexity and seek solutions that make managing security more workable. Key are accurate risk prioritization and operational steps for fixing risk – these enable you to reduce risk with confidence. Below, we look at what makes the cloud challenging to manage securely and how to overcome those challenges in an actionable manner.

Why Cloud Infrastructure Is Complex

Cloud environments are made of multiple, dispersed permanent and ephemeral components. This by-design architecture drives the ability of the cloud to support agility and growth. On the other hand, these same architectural ingredients turn cloud environments into a dynamic blend of maze-like constructs that are difficult to protect.

Despite the many resources available for managing the cloud, most organizations don’t have deep visibility into their cloud environment. The absence of visibility leaves IT and cloud practitioners without a map or compass to know what move to make next. Deep technological know-how of cloud components is necessary to successfully navigate the maze, and identify and mitigate vulnerabilities. Multicloud environments add another layer of “blindness” since managing security across clouds requires visibility into each cloud vendor’s unique IAM model.

Cloud, for all its benefits, creates complexity at organizational and extra-organizational levels as well. There is confusion, born of shared responsibility models, between the enterprise and the public cloud provider over who is responsible for securing what. A general rule of thumb is that the provider secures the cloud and the business is in charge of anything in the cloud. However, to manage this effectively and ensure there are no security gaps, the specifics of what this means need to be confirmed by each security team and incorporated into their day-to-day process.

AWS Shared Responsibility Model [Source: AWS]

Within an organization, cloud responsibility is also distributed. The broad technological scope of cloud management requires cross-team – and many would say cross-cultural – collaboration around security, with IT, Cloud Security, IAM, DevOps, DevSecOps and even different business units involved. The personnel who “own” security, Security teams, aren’t in charge of the environments, which are owned by DevOps and developers. Despite this separation of duties, the ability to succeed in enhancing the security posture is dependent on both. In reality, organizational silos might mean that important tasks fall between the cracks. If security isn’t prioritized, knowledge of the cloud will be dispersed and/or teams will lack processes and tools to incorporate cloud security practices.

Cloud ownership: joint responsibilities across public cloud management and security, DevOps and developers.

Finally, the cloud has organizations dealing with unique security challenges they have never encountered before. The cloud’s microservices structure has made identity the new perimeter. Human users and service principals require identities to gain access to resources and systems, unlike on-premises access management, which was based on network security and a castle-and-moat approach. Instead, IT and security teams are now managing tens of thousands of new digital identities and the permissions these identities have to access and modify sensitive resources.

Identities and permissions complexity in the cloud

Cloud misconfigurations or lack of attention to detail when managing permissions could provide threat actors with a gift you didn’t intend: unwarranted access that provides the ability to take over entire cloud environments, extract data from databases, encrypt data in exchange for a ransom and more.

Not surprisingly, the Verizon Data Breach Investigations Report (DBIR) found that credentials have become the number one security weakness. IBM put a price on that weakness: the IBM “Cost of a Data Breach Report 2022” identified stolen credentials as the number one attack vector over the past two years (and nearly one-fifth of all attacks in 2022), at an average breach cost of $4.5M.

All these reasons make cloud security frustrating and challenging. But it doesn’t have to be this way.

Making Cloud Complexity Risk Consumable

Security teams must recognize that cloud environments are complex – that even if they think they have a grip on who can access what, they need more granular visibility to fully see risk. What are the options for achieving greater access security and minimizing these risks?

Alternative #1: Restrict or Forego Cloud Usage

To avoid the risk of a breach, a legacy security approach blocks any potential threat and vulnerability. Such an approach toward the cloud would prompt a business to scale down cloud use and insist that sensitive data and systems reside solely on-premises.

Obviously, with all the goodness the cloud has to offer, this approach is impractical for businesses aspiring to grow new lines of business and into new geographies, be agile and stay competitive. Security teams need to be business enablers, and business departments would be hindered by such a move. A different solution is required.

Alternative #2: Hire Enormous Security and DevSecOps Teams

Another solution for overcoming security gaps is to recruit many more people. The team would be tasked with meticulously combing through policies and activity logs to verify that there are no identity or general cloud misconfigurations, and that permissions are granted according to the modern security principle of least privilege. They would monitor all vulnerabilities, attempt to identify risks and issue fixes for mitigating them.

While it may sound like a CISO’s dream, this solution is not very practical. Despite the recent softening of the market, there remains an enormous skill-set gap in cloud security. There are more open positions and requirements than people, finding qualified new hires requires intense resources, and it is uncertain whether there are enough candidates out there with the required abilities.

Not to mention that a team that is too large creates internal politics and complexity, producing management overhead and “cultural” friction. Larger teams alone, without the right processes, training/education and technology, will not resolve the friction between security and Dev/Ops disciplines. The benefits and ROI each team member brings to improving the environment’s cloud security are diminished by such friction. Finally, when dealing with large-scale data that needs to be monitored and requires decisions in real time, manual actions are often too slow. Automation is a more efficient and accurate solution.

Alternative #3: Find Tools That Make Cloud Complexity Workable While Addressing Skill-set Gaps

The third option security teams have is to find an automated solution that embraces cloud security risk and presents it in an easy, consumable and actionable way – and without assuming specific cloud expertise. Such a tool will provide security teams with the ability to understand, investigate and navigate risk amid the complexity:

Visibility Into Cloud Environments

A fine-grained, contextual visual mapping of all cloud assets, their configurations, all digital identities and their permissions in your cloud infrastructure provides users with the visibility essential to security tasks. They are able to comprehend how components are configured and which permissions are given to which identities and resources – and which are actually in use. It’s like suddenly flying a drone above your cloud infrastructure and seeing the entire view of the aforementioned maze.

This map should be constructed based on a deep understanding of the workings of each public cloud provider rather than simply a graphical representation of raw data from APIs. The application of full-stack analysis to the data is necessary to surface the relationships, risks and insights that then enable effective security management and fuel precise recommendations for implementing the principle of least privilege.

Multicloud View

Each public cloud provider (AWS, Azure, GCP) names and defines cloud components differently, creating inconsistency in security management and monitoring abilities. To overcome this, organizations need a solution that converges the information from all the public cloud providers they are using into a single management and monitoring console. A usable solution is one that understands the different mechanisms of the cloud provider infrastructures and their permissions model, consolidates them and can therefore be precise about remediation recommendations.

Prioritization Capabilities

After finally seeing into cloud environments, the next step is taking action. An effective solution has a good grasp of true risk severity including mitigating configurations that offset would-be risks. It prioritizes risk with accuracy, enabling security teams to not only have confidence in its insights but also focus on the most important issues and avoid going down unwarranted rabbit holes. Prioritization is an important piece of the advisor role that a good cloud security solution plays.

Visibility: Check. Prioritization: Check. Now it’s time to take action.

Auto-Remediation

A workable tool is one that gives actionable insights to help your people make decisions about mitigating the risk. This means auto-remediation that is flexible and integrated, accommodating how your organization and teams operate. The goal is to make it as smooth as possible to deliver the recommended configuration corrections, least-privilege policies and code snippets through the pipeline and into place with the relevant action owners. Many organizations are not yet set up for – or embracing – automated remediation processes. Getting there is a natural evolution of an organization’s cloud security maturity. Nonetheless, scaling security in the cloud requires automation, including shifting left by building code snippets vetted for least privilege into non-production environments. Keep flexible auto-remediation capabilities in mind and plan on incorporating them over time.
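As an added illustration of the “granted versus in use” visibility described under Visibility Into Cloud Environments and of the least-privilege snippets that auto-remediation should hand to action owners (example code written for this page, not Ermetic’s product code), the script below expands an over-permissive AWS IAM policy against an action catalogue, intersects it with CloudTrail-style events, and returns a minimized policy plus the granted-but-unused actions to flag. The catalogue, policy and events are constructed sample data; a real tool would use the provider’s full action list and real audit logs.

```python
import fnmatch

# Constructed sample data (not real account output): a small action catalogue
# standing in for AWS's full action list, an over-permissive policy as granted
# to a role, and CloudTrail-style events showing what the identity actually used.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "iam:CreateUser", "iam:PassRole", "iam:ListRoles",
    "kms:Decrypt", "kms:Encrypt",
]
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
]

def expand_granted(policy):
    """Expand Allow statements (wildcards included) into concrete catalogue actions.
    IAM matches action names case-insensitively; Deny statements are ignored here,
    so the result is an upper bound on what is effectively allowed."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            granted.update(a for a in ACTION_CATALOGUE
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted

def observed_actions(events):
    """Map CloudTrail eventSource/eventName pairs to 'service:Action' names."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}

def least_privilege(policy, events):
    """Return (minimized policy listing only used actions, sorted unused actions)."""
    granted = expand_granted(policy)
    used = observed_actions(events) & granted
    minimized = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(used), "Resource": "*"}]}
    return minimized, sorted(granted - used)
```

Calling least_privilege(GRANTED_POLICY, OBSERVED_EVENTS) yields a policy allowing only kms:Decrypt, s3:GetObject and s3:PutObject, and flags the six granted-but-unused actions (including iam:CreateUser and iam:PassRole) for removal; resource scoping is left at "*" here and would be the next narrowing step.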

Ease of Use

An easy-to-use cloud security solution answers the skill-set shortage the cloud introduced – and offers a functional, informative haven from cloud complexity. Rather than spending team members’ valuable time on training and attempting to find answers when they come across a problem, a usable platform has an intuitive UI that automates large parts of the process. This not only saves time, it helps advocate cloud security across the company and ensure hardening of the security practices used. We’re naturally all driven toward frictionless solutions that reduce our task workload.

Single Pane of Glass for All

Following on the heels of “ease of use,” a workable cloud security solution should lend itself to standardization of cloud security across all business units. Providing a single point of reference for Security, DevOps, DevSecOps, SOC, IT and developers reduces friction between security and development and enables faster decision making based on accurate recommendations that everyone can use and understand.

Next Steps on Your Cloud Security Usability Journey

Managing cloud security requires two things. First, acknowledging that the public cloud, and cloud security, is and always will be complex (which is why DevOps engineers have become unicorns). Second, finding a way to address that complexity.

On your hunt for the right cloud security tools, prioritize those that accept and address the complexity axiom rather than promise to make it go away. Simplifying cloud complexity is not possible. A solution that makes cloud security workable amid the complexity provides productive visibility into cloud components and across public cloud vendors, prioritizes risk accurately, shares actionable and precise insights anyone can understand, automates processes including remediation and enables teams to work together while bridging silos and boosting cloud security hygiene goodwill.

Insights should go deep. Surgical precision based on contextual analysis is the only way to give stakeholders the confidence to implement the cloud access management best practice of least privilege, including through just-in-time (JIT) access and shifting left. High usability in a cloud security solution translates into your security and engineering teams’ ability to – cloud complexity notwithstanding – successfully improve security for your enterprise’s amazing growth platform.