Edition One: The Cloud Security Gap

Cloud: “We’ve developed new microservice patterns and need security approval.”

Security: “What’s a microservice?”

The adoption of public cloud services has increased exponentially over the past decade, with organisations looking to modernise their digital ecosystems, decrease costs and leverage the inherent benefits of cloud technology. As part of this technological momentum, organisations are undertaking digital transformation programs which commonly (and preferentially) involve rearchitecting workloads in line with cloud-native principles and patterns.

Through the transformation process, organisations face the challenge of (at least in the short term) taking on additional complexity when introducing cloud services. The distributed nature of cloud technology and its various integration requirements can strain IT and DevOps teams. Likewise, cyber security professionals bear significant responsibility, as they have to adopt new technology, processes and ways of working, which may contrast sharply with their preexisting experience.

One of my cyber security principles suggests: “to effectively secure a solution, the security professional must understand the technology at a deeper level (in an attempt) to seamlessly weave security throughout”. I say “in an attempt”, as effortlessly weaving security throughout a solution is easier said than done. Security professionals cannot assess the security requirements and associated attack surface without a comprehensive understanding of the technology. A lack of comprehension, and the non-strategic control implementation that follows from it, will (in most cases) result in either unnecessary technological constraints or significant security risk.

This challenge is commonly faced where cloud and security teams coexist without adequate cohesion, integration or shift-left security initiatives. In these scenarios, cloud professionals have a deep understanding of cloud concepts without security context, whilst security professionals have a deep understanding of general security principles but no context for the corresponding patterns in the cloud. Without a solid comprehension of the underlying technology, the security professional cannot capture the attack surface and may underestimate the controls essential for adequate security. At the other end of the spectrum, the security professional could provision unnecessary security controls, which will limit the organisation’s capability to provide services and significantly diminish the value of the cloud.

The compartmentalisation of cloud and security teams will likely weaken the enterprise security posture. In some cases, cloud teams may become frustrated with the undesirably slow rate of innovation and progress caused by unnecessary security constraints. Such scenarios can result in out-of-band deployments (otherwise known as shadow IT) that lack appropriate architectural review, security governance or vulnerability remediation through practical security testing.

Could Shift-Left Security Help?

Taking a step back, we can envision cloud infrastructure development as analogous to the development of a skyscraper (or similar structure). The skyscraper design must align with specific standards and regulations (developed by appropriate governing bodies) that the architects, engineers and builders must abide by. To be qualified, the governing bodies must have a specialised understanding of skyscraper development and engineering concepts. The builders themselves do not specialise in skyscraper regulations, but they must be sufficiently qualified to build the structure in accordance with the regulatory outline. The building regulations are known before the design or building process begins. Likewise, when looking through a technology lens, an engineer building the cloud environment need not be a security SME, but the engineer must have an adequate understanding to ensure the build aligns with the security requirements of the design specification. Rather than placing an unrealistic burden on the security professional or cloud engineer, predefined processes, automation capabilities and established communication channels should be leveraged to ensure the development lifecycle is both efficient and secure.

The analogy above closely resonates with the shift-left security concept. Shift-left does not simply involve injecting a security tool (or multiple tools) early in the development lifecycle and calling it a day. Properly understood, shift-left security means moving security considerations to the start of, and throughout, the solution development lifecycle. The concept requires careful orchestration of processes, resources and tooling to be effective. Much like the development of a skyscraper, regulations cannot be treated as add-ons once development is complete. They are outlined at the start of the development process, enforced throughout and refined as changes arise.

Even with good intentions and proper execution of shift-left security, finding talent that can continuously develop, enforce and govern this secure development approach to an adequate standard is challenging. The talent shortage becomes further amplified when filtering for a combination of high-quality cloud, security and communication skills. This shortage leaves organisations vulnerable to significant gaps in their enterprise cloud security capabilities - without appropriate cohesion between security and cloud teams, maintaining a strong security posture and an effective cloud platform becomes far less likely.

Each organisation, environment, and culture is different. Technology leadership should look at their unique situation and devise a solution for effective security integration throughout their transformative technology operations.