This is part 2 of the blogseries “Elevating Cloud Security: Strengthening Your Defense in an Evolving Landscape” In this part we will discuss the ‘people’ factor in Cloud security.
In the pre-cloud era, security was all about network. All your IT was in a datacenter with one line (maybe two) out to the big bad outside world. This is called the ‘Network perimeter’. You guard those lines going in and out your datacenter by implementing measures as firewall, intrusion detection and prevention systems and VPN.
Identity = People
As cloud adoption has increased and remote work has become more prevalent, the traditional network perimeter has become less defined. Cloud services, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), enable users to access resources from anywhere in the world, using a variety of devices and networks. This dynamic and distributed nature of cloud computing challenges the effectiveness of network-based security solutions.
In response to these challenges, organizations have started to shift their security focus to identity-based security. Identity-based security revolves around verifying and managing the identities of individuals, devices, and services that interact with cloud resources. So the priority within cloud security has shifted from firewalls to the identities of people with laptops working with apps.
All those identities of people are suddenly in the frontline of cyberattacks, probably without proper training. It is absolutely important to make these people aware that they are in the frontline so the security training they receive will continue to resonate.
Shared responsibility model
When it comes to discussing shared (security) responsibilities in a cloud context, you've likely come across the shared responsibility model. This model underscores the importance of collaborative efforts needed to uphold a secure cloud environment. While the cloud provider takes on specific security responsibilities, customers must also grasp and handle their own security requirements. This involves implementing proper configurations, adhering to best practices, and employing additional security measures as necessary to safeguard their data and systems within the cloud environment. You can find more information on the specific models of Azure and AWS here and here.
However, within the company, another shared responsibility model exists. In most cloud deployments, a cloud center of excellence (or a similar entity) is established to provide a designated cloud landing zone for DevOps teams to build their applications, adhering to the DevOps principle of 'you build it, you run it.' From my perspective as a security professional, this approach represents the optimal way to operate a cloud environment. Nevertheless, a significant challenge arises as the DevOps teams now bear partial responsibility for security, despite not being security professionals like those within the cloud provider or landing zone team. Consequently, considerable effort must be invested in equipping these teams with the necessary capabilities to fulfill their security obligations. These capabilities encompass, among others:
- Delegation of responsibilities
- Delegation of trust
- Provision of human-readable security insights
- Security training
- Security tooling tailored for non-professional security personnel
With the exception of tooling, all these capabilities share a people-centric nature, underscoring the importance of security professionals possessing strong interpersonal skills to empower DevOps teams in carrying out their responsibilities effectively.
In part 3 of this blogseries we will discuss ‘Security Tooling’ in more detail, and how CloudNation can provide that tooling with a people centric approach in its core.
Shifts in roles and responsibilities
Regarding the shift from network perimeter to identity-based security and the shift to a new shared security responsibility, it is crucial to acknowledge that people are at the core. These people must protect their identities against malicious actors, while also shouldering newfound security responsibilities. As security professionals, it becomes our responsibility to enable and empower these individuals, equipping them with the knowledge and capabilities to effectively fulfill their new roles and responsibilities.
I hope this blog-series will provide you with valuable knowledge and expertise in the ever expanding realm of cloud security and serves as a good starting point to safeguard your organization's digital assets. Cloud security is not easy but it shouldn’t be to hard when you know where to start and what to do! In the upcoming segment of this four-part blog series, we will delve into the emerging concept of Cloud Security Posture Management (CSPM) and its instrumental role in mitigating security breaches.
Ready to explore new frontiers in cloud security?
Contact us today to leverage our expertise and discuss how we can assist in elevating your organization's security posture. Together, we can navigate the complexities of cloud security and ensure your business remains resilient in the face of emerging challenges