2020. So THAT just happened.
When it comes to cloud security, 2020 was like pouring rocket fuel onto a gasoline fire; our three year plans turned into three month executions. And just like a nice toasty fire, this brings benefits, opportunities, but also a bit of danger. Personally, the pandemic killed off most of my travel and actually helped me get more work done with a more diverse client base. As we all start pretending we will get the chance to gear down to enjoy the holidays (it never really seems to work out that way), I thought it might be a good time to collect some of the trends and lessons I learned that we can use for our collective 2021 planning.
As the great author Terry Pratchett once said, “Build a man a fire, and he’ll be warm for a day. Set a man on fire, and he’ll be warm for the rest of his life.” 2021 is all about managing the fires to fuel growth without burning down your house.
I’ve put together some cloud security recommendations that address many of the common systemic failures I’ve seen while working on projects but that are also reasonable to approach incrementally. We accelerated cloud adoption pretty dramatically in 2020, and this meant many organizations moved fast without having the time to build a solid foundation. That’s totally normal, but we don’t want to go too long without shoring things up. Every line item below correlates to the root causes of some very public failures.
Start by fixing cloud governance.
In 2020 I worked with dozens of organizations and talked with hundreds more. Poor governance is far and away the most consistent problem I see in the cloud. This comes in a few different flavors. I most frequently see these polar opposites of either the organization failing to put any restrictions on developers or security locking things down into standard patterns that aren’t cloud-friendly. I suggest you split the difference: require security approval for all new providers and services and empower security to say “no” but only when they can justify their reasoning. Then mandate that security build cloud-native policies and procedures that reflect cloud native practices, as opposed to bringing over all their aggravatingly slow and counterproductive datacenter security tooling. Force everyone to the same table in a Cloud Center of Excellence. A very large portion of the public cloud security failures we see have roots in failed governance vs. failed technology.
Speaking of governance, this is a great time to adopt the concept of the “security champion.”
Security champions aren’t BISOs (business information security officers); they are local devs or admins on project teams that get a little extra training, get free pizza (you can deliver until COVID quarantines are over) during council meetings, and serve as a liaison between a project and a security team. Think of them as a point of contact and an advocate.
Improve your cloud security visibility.
Another common governance issue is locking security out of cloud accounts with the exception of some logging. Fix this in 2021 by providing security with tooling and read-only access to every cloud deployment (including dev/test/sandbox environments), then break glass read/write access for incident response. In exchange, security sets policies so they only implement emergency changes themselves in worst-case scenarios when they can’t contact the deployment team to handle remediation. Visibility should include the ongoing configuration state of deployments (CSPM) and event and log feeds of real-time changes (CDR).
If you aren’t using multiple accounts to manage the blast radius of attacks, start now.
I don’t mean just prod and non-prod but multiple accounts per application stack. Why? Because identity is the new perimeter and the more you shovel into a few big environments, the harder it is to implement least-privilege controls. Like, impossibly harder. In 2021 you can start with a “new to new account” rule. Now I’m hiding a lot of complexity here, mostly around the networking side when you need to interconnect app stacks, but those problems are solvable once you start adopting cloud native patterns and the benefits are tremendous.
Level up your cloud-native incident response.
I see IR falling behind in two ways. First, it turns out that the default logging patterns in the cloud providers’ documentation are typically not ideal, with long delays from when an event occurs and a notification appears. This is most apparent in AWS but all providers struggle with it. If you rely on standard SIEM connections you may be giving attackers large windows. Second, the response process itself isn’t properly defined and tooled. Manual responses to automated attacks is a losing proposition. In 2021 train up your IR team, optimize your event-based alerting, and start closing response windows through incident routing and automation. And yes, I’m recommending my own product, but it isn’t like we built it just for fun. You can actually do a lot of this yourself with open source and coding if you aren’t ready for commercial tooling.
Perform a top to bottom review of your IAM/RBAC implementation and tighten it up.
Reduce unnecessary privileges and add resource restrictions as much as possible. Turn on every single identity related analysis and alerting tool your cloud provider offers. Start using attributes and conditional policies. Look, every single major public cloud security failure in 2020 involved an IAM failure – lost credentials, too many privileges, or no MFA or conditional restrictions to control the IAM perimeter. If you need something to keep you up at night in 2021, this is it.
Governance. Foundational shared services. A few tactical upgrades. We are past the point where every year of cloud computing seemed to require entirely new programs and tooling. 2021 is about nailing the basics, but upgrading them for better scalability, effectiveness, and cost. We know a heck of a lot more about which practices work best than we did even a few years, and the key is to look for the opportunities to modernize and drop the legacy bits that really don’t work very well.