What is the secret to cloud security? Trend Micro experts have the answers
Organizations are investing in cloud infrastructure and applications at an unprecedented rate, to not only survive but thrive during the pandemic. But expanding digitally also broadens the corporate attack surface. So what’s the secret to cloud security? We asked a range of Trend Micro experts to help you build a winning strategy.
Mark Nunnikhoven, VP Cloud Research:
Security teams are constantly fighting fires, especially at the moment, and are therefore reluctant to embrace new technologies at the pace the business needs. In the same vein, security teams desperately need to reduce their workload, so re-using the same approaches is more efficient for them. However, this attitude ultimately prevents the business from leveraging cloud to its true potential. It also leads to worse security outcomes in the end, as older technology and techniques are out of sync with the dynamic demands of cloud environments.
Jon Clay, Director Global Threat Communications:
One of the biggest challenges we have with technology is the speed of progress. While this drives business innovation and improves our daily lives, it can come at a cost—the extra time it takes security teams to understand the technology, and how it can be exploited. This is true of the cloud today. IT teams often lack training and knowledge on how to effectively deploy and secure it.
Misconfiguration is one of the biggest reasons malicious actors are able to exploit and compromise cloud infrastructure. To improve the situation, organizations need to invest in training their employees on cloud before deploying any new environments. They should also be sure to continuously train their employees as the technology continues to evolve.
Bill Malik, VP of Infrastructure Strategies:
Security by design.
Cloud environments should follow the five basic information security design requirements: authentication, authorization, data integrity, data confidentiality, and non-repudiation. One of the hardest problems in any engineering discipline is adding core functionality after the product is built. In car manufacturing, for example, an OEM can bolt on a seat belt in the after-market phase, but adding an air bag or ensuring the vehicle’s front-end offers a “crumple zone” is much harder, if not impossible.
In the software world too, building security and safety in from the start is much cheaper, easier and more effective than being forced to do so later, once a problem has been detected. Fixing a defect in the high-level design phase costs about ten cents, versus potentially as much as $100,000+ once a bug is reported in code already in production. As a former lead in the build and test function, I conceptualize the software development lifecycle as two distinct parts: the defect injection phase and the defect detection phase. Putting fewer bugs into the code saves the cost of troubleshooting, rework, and delay.
Rik Ferguson, VP of Security Research:
Continuous, cross-platform, cloud-native capability.
Business is shifting away from classic data center-centric usage patterns and rapidly towards cloud-centric data usage. This has been accelerated by the global pandemic, as enterprises work to make previously internal resources available from anywhere at scale. Enterprises also increasingly need to innovate rapidly in production environments, while threats and technology advance at an ever-faster pace.
It’s not only availability and speed, though—the best security is a business enabler. When security is continuous, cross-platform and cloud-native, the answer to “can we do this?” never has to be “no.” Instead, it becomes: “Yes we can, and here’s how we do it securely.”
Ed Cabrera, Chief Cybersecurity Officer:
We live in a world where skills shortages and commercial demands have combined to expose organizations to escalating levels of cyber-risk. In the cloud, this leads to misconfigurations and the risk of knock-on data breaches, as well as unpatched assets which are exposed to the latest exploits. The bad news is that cyber-criminals and nation states are getting better at scanning for systems which may be vulnerable in this way.
This is why automation is your friend. In Cloud Security Posture Management (CSPM) it could be as simple as running continuous scans against hundreds of industry best practices, and then automatically remediating any errors to mitigate compliance risk. Elsewhere, automation can streamline the discovery and protection of public, private, and virtual cloud environments. It can help to detect and protect new workloads, with techniques like machine learning and virtual patching. And it bakes security into CI/CD pipelines without slowing down DevOps.
Greg Young, VP of Cybersecurity:
Clouds aren’t secure or insecure, they’re as secure as you make them. Instead of “who is more secure – AWS, Azure or Google Cloud?” ask “what have I done to make all of my clouds as secure as I need them?” It all depends on context. How you use containers will be a decision point in your container security strategy. And SaaS has a new context too—instead of out-of-the-box security capabilities, today it’s more about what you want to enable in security via APIs.
Security self-service for the cloud is fully here in all its forms. CSPM has become a product market, in response to the needs of self-service and so that your security policies will span multiple cloud products. The journey continues, with Secure Access Service Edge (SASE) tools designed to securely connect remote employees and SD-WAN-enabled branch offices in new ways to SaaS and the cloud.
We hope you found these tips useful!