-
Cloud security spans multiple roles within an organization, making it hard to say who exactly is responsible for it
-
Threat actors are increasingly targeting the cloud, making it more important than ever to know who is in charge of security
-
Tools and designated roles can help organizations sort out who is responsible for cloud security
It seems like a question that should have a straightforward answer: “Who is responsible for cloud security within your organization?” But executives from Google Cloud and Cymulate told Silverlinings that oftentimes there aren’t clear lines of ownership, and they warned that could become a huge problem as more sensitive data and applications move to the cloud.
Rob Sadowski, trust and security product lead at Google Cloud, said that in some ways cloud security is “everyone’s job,” or at least there are multiple stakeholders who should be in the loop. That’s because cloud security encompasses work done by an organization’s cloud administrators, its overall security team, IT architects and software developers, among others.
When done right, this input loop can provide a holistic view of security requirements and policies. But when done poorly “no one’s quite sure who is responsible and there’s a lot of finger pointing,” Sadowski said.
Generally speaking, David Kellerman, CISSP and Field CTO at security software company Cymulate, said an organization’s security teams or CISOs are responsible for overall security guidance. The gap when it comes to cloud is “who will be the one to implement the guidelines.”
Further complicating matters, many organizations are operating in multi-cloud environments. And each of those clouds has different approaches to and tools for security, Kellerman added.
“Companies don’t completely understand the cloud security shared responsibility model and what the organization owns in each service,” he said.
One throat to choke
Sadowski explained that cloud-native application protection platforms (CNAPPs) emerged to solve the latter problem. That is, they were built to offer a simple way for organizations to manage all the different domains of and tools for cloud security across their on premises and multi-cloud environments.
Those domains include things like identity, access and resource management, configuration hygiene, monitoring and logging, and workload protection, Sadowski and Kellerman said.
But Sadowski noted the first generation of CNAPPs had some critical shortcomings. For starters, they didn’t come with mature capabilities for threat detection or ways to prioritize which misconfigurations to fix among those found. But more than anything, the problem with early CNAPPs is that they were generally disconnected from an organization’s other security operations.
“CNAPPs solved the 'too many tools problem' but didn’t solve the cloud security and risk problems,” Sadowski said.
Rising risks
Kellerman noted that when no one person within an organization owns cloud security “there’s a big risk that it will be neglected and only partially controlled by local initiatives of the service owner. Neglect of cloud security may impose risk to the organization’s cloud environments, services and, eventually, the business.”
And those risks are only growing, Sadowski said. He noted attacks are increasingly targeting cloud infrastructure (more specifically, through misconfigurations that give them a way in) and include threats from state-sponsored actors. That’s a huge issue given organizations are starting to move more sensitive data and applications to the cloud, driven in part by a desire to train artificial intelligence models, he said.
With no one in charge of cloud security, companies won’t be able to respond effectively when attacks do happen.
So, what’s to be done?
Kellerman said “organizations using the cloud should treat their cloud environments with at least the same security awareness and caution as they do with on-premises – if not more.”
Sadowski added it’s important to establish clear lines of responsibility. One way to do that is using tools capable of codifying who is responsible for what and driving actions by the right parties.
Another is to just...appoint someone.
Kellerman noted “We are starting to see more and more organizations add the role of ‘Cloud Security Engineer’ or ‘DevSecOps’ to their teams, which are probably the ideal positions for the individual or team owning cloud security implementation.”
Asked whether AI will help or hurt cloud security, Sadowski said “on balance, AI is going to be much more advantageous to defenders than attackers.”
The key, he concluded, is leveraging it to make less experienced workers more effective and allow more experienced defenders spend their precious time tackling the biggest risks.