In an interview with Rahul Raj, Vishwas Manral shared his opinions on “Employing Robust Cloud Security”. He emphasized that businesses must understand cloud migration thoroughly and take a “crawl, walk, run” approach to ensure effective security. He also stated that businesses must implement a security strategy that aligns with the organization’s goals and assists security teams in becoming successful.
RAHUL: Brief us about your company and offerings.
VISHWAS MANRAL: I am the Chair of the Board of Cloud Security Alliance (CSA) Silicon Valley. This chat is about Cloud security, so I wanted to highlight the amazing work that is being done by CSA. I am also a Lifetime Research Fellow of CSA, an entrepreneur and an advisor to multiple companies and startup incubators.
VISHWAS MANRAL: The fundamental difference is that Cloud uses a shared responsibility model, where the Cloud providers hold the responsibility of security of the underlying infrastructure of the Cloud, while security for the higher layers (i.e., data) is owned by the business itself. The definition of the higher and lower layers varies depending on the Service model (IaaS, PaaS or SaaS as defined by NIST SP-800-145). In the traditional model, all security is the responsibility of the businesses.
VISHWAS MANRAL: To safely and successfully migrate to the cloud, there are 3 key concerns businesses need to understand:
- Built-in not bolted-on: Cloud applications and infrastructure are ephemeral and change continuously. Security cannot be an afterthought in Cloud environments and needs to be built into the infrastructure and applications, even before applications get deployed into production environments. This means the people, processes and products used in on-premises environments for security may not carry into the Cloud. Businesses need to analyze these carefully.
- Start with basics: Businesses need to take a “crawl, walk, run” approach to cloud security to be successful. NIST defines the approach in the Cyber Security Framework (CSF). To start off, businesses need to train employees to understand the intricacies of Cloud applications and infrastructure they are securing. They need to put in processes to discover and onboard cloud accounts and secure new applications. Cloud Security needs to be part of the process when decisions to adopt any new application are being taken, so security is built-in and not bolted-on after the fact. Having the ability to identify the Cloud assets and their context is a fundamental requirement. Employees will spin up Cloud infrastructure regularly using APIs, so putting in the basic guardrails around such Cloud configuration is critical.
- Be agile: Cloud providers are adding, removing, and changing services regularly. To be secure in the Cloud, security needs to be agile and move and morph with the cloud estate. This means being able to add policies automatically for infrastructure as it gets deployed. Agility is also required to secure new cloud services being adopted by organizations at a rapid pace.
VISHWAS MANRAL: Kubernetes or K8s, as well as SaaS platforms, are today widely used by businesses. K8s clusters run business logic applications packaged as containers. There are 3 key things businesses need to consider for security:
- Identify all K8s clusters: Cloud provider managed clusters are easy to identify and protect. However, security teams are often unaware of where their container clusters are running, on “compute-instances” directly managed by their engineering teams. Being able to identify these shadow K8s clusters, map clusters to container images running on the clusters, identify the business risk, the application intent and the application ownership is an essential first step.
- Vulnerability Management: Perform vulnerability checks of container images in repositories, K8s components (like Master-Node, runtime, etcd, etc.) and K8s cluster configuration as the second step. This makes sure basic guardrails are in place independent of the cluster where the containers are running.
- Run time: The third step is to get some basic runtime protection as container clusters run. Mechanisms where sidecar or daemon set containers are injected into container nodes to help identify and protect the containers are a good third step.
- Remediate issues: In K8s environments, DevOps and Engineering teams fix the security issues and not the security teams. Making sure security teams are not just finding issues, but actually running workflows to reduce business risk by getting issues fixed is critical. The number of security issues in the cloud is very high, hence high-risk issues (i.e., internet exposed vulnerability) need to be prioritized and remediated first.
VISHWAS MANRAL: Businesses are moving from Cloud adoption to maturing cloud practices to enable business alignment. Governance and security are Cloud practices businesses are now focusing on. The key trends in Cloud security are:
- Shifting Security Up: Cloud advances fast and knowing every intricacy of cloud services and writing policies for the same is hard for Cloud security teams. Security is now moving up looking at intent instead of focusing on low-level policies.
- Outcome versus Output: While the first generation of Cloud security focused on identifying security issues, the next generation of cloud security is working towards an outcome of reducing risk and not just output security issues.
- Sophisticated threats: With more critical applications and data now running in the cloud, sophisticated adversaries are now targeting the Cloud. Cloud security needs to mature to not just identify and protect against issues, but to detect and respond to threats and protect against sophisticated adversaries, including nation-state actors.