Demystifying Cloud Security

Demystifying Cloud Security

The Cybersecurity Midwest Summit 2022, hosted by CDO Magazine and ComSpark, sheds light on numerous organizational cybersecurity issues in a cloud-first era. In the session “Demystifying Cloud Security," the following speakers highlight security risks and offer solutions to mitigate the risks.

  • Erik Santos, Network and Security Architect, Advizex
  • Eric French, Cyber Security Engineer, Smartsheet
  • Michael C. Redmond, Deputy CISO, Metro Louisville

Matt Wenger, Advisory Services Delivery Advizex, moderates the session.

As the session begins, Redmond says people do not check on the escalation of privileges, nor do they monitor the need for them. The next problem, she says, is the need for more tools because it is challenging to do everything manually. “The organizations are not doing mitigation and detection properly. They are not going through defending, and if they are doing that, they forget to eradicate,” says Redmond.

Next, French discusses the building blocks context. The first building block is the container holding the application code that needs frequent scanning. He terms cloud resources as the second building block, noting that “Making sure that those resources are configured properly is the key.”

Networking is the third building block, continues French. “Because it is in the cloud, it is inherently public-facing, and it is going to have holes all over it, allowing ingress and egress. You need to monitor and control that,” he adds.

From another perspective, Santos proposes asking customers what the cloud means to them and where they stand in the cloud journey. “Once we have a good understanding of that, we can provide recommendations and give them advice as to what we are seeing from other vendors and what threat actors are doing to attack them in those different environments,” he states.

Like prior speakers, Santos considers visibility and misconfigurations as the most significant threats.

Moving forward, Redmond insists SaaS organizations be cloud certified and have SOC 2. She then highlights the need to physically audit while using Platform-as-a-Service to understand where the data resides. Doing Infrastructure as a service, without the right technology and tools in place, is like cooking a gourmet meal with the help of a cookbook, says Redmond.

French enlists scanning before and after deployment as a way to mitigate risk. He states that metadata defines all the cloud resources and suggests scanning the metadata configuration.

“As a security team, it is our responsibility to set the policy and say what is acceptable or not,” notes French. He recommends organizations look into CIS benchmarks while setting policies.

The panelist briefly mentions Microsoft Azure’s use of a firewall manager in front of all ingress and egress, enabling traffic control and monitoring.

Discussing visibility as a risk, Santos highlights the XDR or Extended detection and response as a new approach that provides holistic solutions against cyber-attacks. He also mentions the critical need for cloud workload protection and governance compliance tools.

Next, the decision to migrate to the cloud or stay on-premise varies from company to company, says Santos. The determining factors include the cost of migration, processes to modernize legacy technologies, and cloud awareness training.

Seconding him, Redmond suggests having a data classification program before spending money on the cloud. She adds an asset management program to understand the protection level and do a risk assessment analysis.

According to Redmond, ISO 27005 is a tool for risk assessment.

From the data perspective, French says, “At this point in cloud maturity and the different solutions to secure it, like tokenization, there is almost no data that cannot be in the cloud.”

The one thing companies like to keep on the premise is the encryption keys, he shares. “The cloud is awesome for innovation, availability, and redundancy, but you are not going to save money,” French reckons.

Finally, he encourages making intelligent decisions about the current organization and not shifting everything to the cloud.

Watch other Cybersecurity Midwest Summit 2022 sessions HERE

Related Stories

No stories found.
CDO Magazine
www.cdomagazine.tech