While cloud security has certainly come a long way since the wild days of cloud adoption, the truth is that there is still a long way to go before most organizations today have truly matured their cloud security practices. And this costs organizations enormously in terms of security incidents.
A Vanson Bourne study published earlier this year found that nearly half of the breaches suffered by organizations in the past year originated in the cloud. The same study found that the average organization lost nearly $4.1 million to cloud breaches over that period.
Dark Reading recently sat down with the godfather of Zero Trust security, John Kindervag, to discuss the state of cloud security today. While an analyst at Forrester Research, Kindervag helped conceptualize and popularize the Zero Trust security model. He is now chief evangelist at Illumio, where he remains a vocal advocate of Zero Trust, which he describes as a fundamental way to redesign security for the cloud era. According to Kindervag, organizations must face the following hard truths to succeed.
1. You don’t become more secure by simply moving to the cloud
One of the biggest myths about the cloud today is that it is inherently more secure than most on-premise environments, Kindervag says.
“There’s a fundamental misconception about the cloud that somehow there’s more security built in natively, that you’re more secure by going to the cloud simply by the simple act of going to the cloud,” he says.
The problem is that while hyperscale cloud providers may be very good at protecting infrastructure, the control and responsibility they have over their customers’ security strategy is very limited.
“Many people think they’re outsourcing security to the cloud provider. They think they’re transferring the risk,” he says. “In cybersecurity, you can never transfer risk. If you are the custodian of that data, you will always be the custodian of the data, regardless of who holds it for you.”
This is why Kindervag is not a big fan of the oft-repeated phrase “shared responsibility,” which he says makes it sound like there is a 50-50 split of work and effort. He prefers the phrase “uneven handshake,” coined by his former Forrester colleague, James Staten.
“That’s the fundamental problem, is that people think there’s a shared responsibility model, and instead there’s an uneven handshake,” he says.
2. Native security controls are difficult to manage in a hybrid world
Then there are the improved cloud-native security controls that vendors have developed over the past decade. While many vendors have done a good job of giving customers more control over workloads, identities, and visibility, that quality is inconsistent. As Kindervag says, “Some of them are good, some of them are not.” The real problem with all of these services is that they are difficult to manage in the real world, beyond the isolation of a single vendor’s environment.
“It takes a lot of people to do that, and they’re different in every single cloud. I think every company I’ve talked to in the last five years has a multicloud model and a hybrid model, both done at the same time,” he says. “Being hybrid: ‘I’m using my own content and on-premises clouds and I’m using multiple clouds and I could use multiple clouds to provide access to different microservices for a single application.’ The only way to solve this problem is to have a security control that can be managed across all clouds.”
This is one of the big factors driving discussions about moving Zero Trust to the cloud, he says.
“Zero Trust works no matter where you put data or resources. It could be in the cloud. It could be on-premise. It could be on an endpoint,” he says.
3. Identity won’t save your cloud
With so much emphasis placed on cloud identity management today and a disproportionate focus on the identity component in Zero Trust, it’s important that organizations understand that identity is only one part of a well-balanced Zero Trust breakfast in the cloud.
“So much of the Zero Trust narrative is about identity, identity, identity,” Kindervag says. “Identity is important, but we consume it in Zero Trust policy. It’s not the end, in short. It doesn’t solve all the problems.”
What Kindervag means is that with a zero trust model, credentials don’t automatically give users access to everything under the sun within a given cloud or network. The policy limits exactly what and when access is granted to specific resources. Kindervag has been a long-time advocate of segmentation – of networks, workloads, resources, data – long before he began outlining the Zero Trust model. As he explains, the crux of defining Zero Trust access by policy is to divide things into “protected surfaces,” since the risk level of the different types of users accessing each protected surface will define the policies that will be attached to a certain credential.
“This is my mission: get people to focus on what they need to protect, put important things on various protected surfaces, for example the PCI credit card database should be in its own protected surface. The HR database should be in its own protected surface. The HMI for the IoT system or OT system should be in its own protected surface,” he says. “When we break the problem down into small parts, we solve them one at a time, and we solve them one after the other. That makes the whole thing much more scalable and doable.”
4. Too many companies don’t know what they’re trying to protect
When organizations decide how to segment their protected surfaces in the cloud, they must first clearly define what they are trying to protect. This is critical because each asset, system or process carries its own unique risk, and that risk determines the access and enforcement policies around it. As the saying goes, you wouldn’t build a $1 million vault to house a few hundred pennies. The cloud equivalent would be putting a lot of protection around a cloud resource that is isolated from sensitive systems and does not host sensitive information.
Kindervag says it’s incredibly common for organizations to not have a clear idea of what they’re protecting in the cloud or beyond. In fact, most organizations today don’t even necessarily have a clear idea of what’s in the cloud or what connects to the cloud, let alone what needs protecting. For example, a study by the Cloud Security Alliance shows that only 23% of organizations have full visibility into cloud environments. And the Illumio study from earlier this year shows that 46% of organizations do not have full visibility into their organization’s cloud service connectivity.
“People don’t think about what they’re actually trying to accomplish, what they’re trying to protect,” he says. This is a fundamental issue that leads companies to waste a lot of money on security without actually improving it in the process, Kindervag explains. “They’ll come to me and say, ‘Zero Trust doesn’t work,’ and I’ll ask, ‘Well, what are you trying to protect?’ and they’ll say, ‘I haven’t thought about it yet,’ and my response is, ‘Well, then you’re not even close to beginning the Zero Trust process.’”
5. The incentives for cloud-native development are out of control
DevOps practices and cloud-native development have been greatly improved thanks to the speed, scalability, and flexibility offered by cloud platforms and tools. When security is properly integrated into this mix, good things can happen. But Kindervag says most development organizations aren’t adequately incentivized to make this happen, meaning cloud infrastructure and all the applications that rely on it are put at risk in the process.
“I like to say that DevOps app people are the Ricky Bobbys of IT. They just want to go fast. I remember talking to the head of development at a company that ended up getting hacked, and I was asking him what he was doing about security. And he said, ‘Nothing, I don’t care about security,’” Kindervag says. “I asked, ‘How can you not care about security?’ and he says, ‘Because I don’t have a KPI for this. My KPI says I have to do five pushes a day on my team, and if I don’t do that, I don’t get a bonus.’”
Kindervag says this is an example of one of the big problems, not just in AppSec, but in the move to zero trust for the cloud and beyond. Too many organizations simply don’t have the right incentive structures to make it happen, and in fact many have perverse incentives that end up encouraging unsafe practices.
This is why he is an advocate for creating Zero Trust centers of excellence within enterprises that include not only technical but also business leadership in ongoing planning, design and decision-making. When these cross-functional teams come together, he says, he has seen “incentive structures change in real time” when a powerful corporate executive steps forward to say the organization will move in that direction.
“The most successful Zero Trust initiatives have been the ones where business leaders have been involved,” Kindervag says. “I had one in a manufacturing company where the executive vice president, one of the top leaders in the company, became an advocate for Zero Trust transformation for the manufacturing environment. Everything went very well because there were no inhibitors.”