Risk Management
The Future of Cloud Security
Effectively securing the cloud is a long-term commitment, as cybercrime and vulnerabilities are constantly evolving. Risk reduction comes from knowing how to secure the cloud now and into the future.
Lockdown has accelerated the use of cloud technologies throughout the business world, and it looks like there’s no going back. Mark Nunnikhoven, VP of Cloud Research at Trend Micro, shines a light onto the important questions C-level executives should be asking themselves and their team while settling into the new normal.
To say that 2020 was an unusual year is an understatement at best. But there has been a bright spot in the IT world. As organizations building in AWS, Microsoft® Azure™, or Google Cloud™ are aware, there’s been an accelerated migration towards the cloud this year as physical, in-person work has been restricted. As meetings move away from the whiteboard and onto cloud workloads, most organizations have realized the advantages of having recorded meetings saved to the cloud, giving them firsthand insight into what has been decided and what's being worked on. But with these newfound advantages come challenges and issues that need to be addressed.
Cloud security must be both usable and stable
While many executives have become accustomed to imposing controls and systems on employees regardless of their usability, a more modern and integrated approach provides your team with security that employees don't try to work around. In order to be effective, security foundations need to be predictable and consistent. “(Look) how smooth the flow for multi-factor authentication has become,” says Nunnikhoven. “It's a pretty smooth step (that) most people are comfortable with. It doesn't take that much longer to log in, but it significantly reduces the chances of your account being compromised. This is how we need to view security: in terms of what's the cost versus the benefit.”
What can we do about misconfigurations?
Executives tend to talk to the security team at the “kickoff” of a project and at the end of it, and that's not good enough. More education is needed throughout the process so employees can make better decisions along the way. Nunnikhoven uses Amazon® S3 buckets as an example. “(They) start life completely locked down. So every breach you've seen associated with them has been somebody accidentally assigning a ‘too permissive’ policy to that storage bucket. When you're trying to build something like that, ‘we'll just give it more permissions… And now it works’. And that’s great, but (they) never lock them down again.”
Nunnikhoven says he remains a ‘cloud optimist’. “The cloud is really enabling us to correct some of the things that built up over the last 40 years. The cloud lets us dive in and start digging into problems and do it safely and more securely than ever.”
For more insights into how organizations can mitigate risk while moving to the cloud full time, listen to Mark Nunnikhoven on an episode of The SecureWorld Sessions podcast, “The Future of Cloud Security”.