5 Hard Truths About the State of Cloud Security 2024

While cloud security has certainly come a long way since the wild west days of early cloud adoption, the truth is that there's a long way to go before most organizations today have truly matured their cloud security practices. And this is costing organizations tremendously in terms of security incidents.

A Vanson Bourne study earlier this year showed that almost half of the breaches suffered by organizations in the past year originated in the cloud. That same study found that the average organization lost almost $4.1 million to cloud breaches in the last year.

Dark Reading recently caught up with the godfather of zero trust security, John Kindervag, to discuss the state of cloud security. When he was an analyst at Forrester Research, Kindervag helped conceptualize and popularize the zero-trust security model. Now he's chief evangelist at Illumio, where amid his outreach he's still very much a proponent of zero trust, explaining that it is a key way to redesign security in the cloud era. According to Kindervag, organizations must deal with the following hard truths in order to achieve success.

1. You Don't Become More Secure Just by Going to the Cloud

One of the biggest myths about the cloud is that it is innately more secure than most on-premises environments, Kindervag says.

"There's a fundamental misunderstanding of the cloud that somehow there's more security natively built into it, that you're more secure by going to the cloud just by the act of going to the cloud," he says.

The problem is that while hyperscale cloud providers may be very good at protecting infrastructure, the control and responsibility they have over their customers' security posture is very limited.

"A lot of people think they're outsourcing security to the cloud provider. They think they're transferring the risk," Kindervag says. "In cybersecurity, you can never transfer the risk. If you are the custodian of that data, you are always the custodian of the data, no matter who's holding it for you."

This is why Kindervag is not a big fan of the oft-repeated phrase "shared responsibility," which he says makes it sound like there's a 50-50 division of labor and effort. He prefers the phrase "uneven handshake," which was coined by James Staten, his former colleague at Forrester.

"The fundamental problem is that people think that there's a shared responsibility model, and there's an uneven handshake instead," he says.

2. Native Security Controls Are Hard to Manage in a Hybrid World

Meanwhile, let's talk about those improved native cloud security controls that providers have built up over the past decade. While many providers have done a good job offering customers more control over their workloads, identities, and visibility, that quality is inconsistent. As Kindervag says, "Some of them are good, some of them aren't." The real problem across all of them is that they're hard to manage out in the real world, beyond the isolation of a single provider's environment.

"It takes a lot of people to do it, and they're different in every single cloud. I think every company that I've talked to in the past five years has a multicloud and a hybrid model, both happening at the same time," he says. "Hybrid being, 'I'm using my on-premises stuff and clouds, and I'm using multiple clouds, and I may be using multiple clouds to deliver access to different microservices for a single application.' The only way that you can solve this problem is to have a security control that can be managed across all the multiple clouds."

This is one of the big factors driving discussions about moving zero trust to the cloud, he says.

"Zero trust works no matter where you put data or assets" he says. "It could be in the cloud. It could be on-premises. It could be on an endpoint."

3. Identity Won't Save Your Cloud

With so much emphasis placed on cloud identity management and disproportionate attention on the identity component in zero trust, it's important for organizations to understand that identity is only part of a well-balanced breakfast for zero trust in the cloud.

"So much of the zero trust narrative is about identity, identity, identity," Kindervag says. "Identity is important, but we consume identity in policy in zero trust. It's not the end-all, be-all. It doesn't solve all the problems."

What Kindervag means is that with a zero-trust model, credentials don't automatically give users access to anything under the sun within a given cloud or network. The policy limits exactly what and when access is given to specific assets. Kindervag has been a longtime proponent for segmentation — of networks, workloads, assets, data — long before he began mapping out the zero-trust model. As he explains, the heart of defining zero-trust access by policy is divvying up things into "protect surfaces," since the risk level of different kinds of users accessing each protect surface will define the policies that will be attached to any given credential.

"That's my mission, to get people to focus on what they need to protect, put that important stuff into various protect surfaces, like your PCI credit card database should be in its own protect surface. Your HR database should be in its own protect surface. Your HMI for your IoT system or OT system should be in its own protect surface," he says. "When we break up the problem into these small bite-sized chunks, we solve them one chunk at a time, and we do them one after another. It makes it much more scalable and doable."

4. Too Many Firms Don't Know What They're Trying to Protect

As organizations decide how to segment their protect surfaces in the cloud, they first need to clearly define what it is that they're trying to protect. This is crucial because each asset or system or process will carry its own unique risk, and that will determine the policies for access and the hardening around it. The joke is that you wouldn't build a $1 million vault to house a few hundred pennies. The cloud equivalent to that would be putting tons of protection around a cloud asset that's isolated from sensitive systems and doesn't house sensitive information.

Kindervag says it is incredibly common for organizations to not have a clear idea of what they're protecting in the cloud or beyond. In fact, most organizations today don't even necessarily have a clear idea of what is in the cloud or what connects to the cloud, let alone what needs protecting. For example, a Cloud Security Alliance study shows that only 23% of organizations have full visibility into cloud environments. And the Illumio study from earlier this year shows that 46% of organizations don't have full visibility into the connectivity of their cloud services.

"People don't think about what they're actually trying to accomplish, what they're trying to protect," Kindervag says. This is a fundamental issue that causes companies to waste a lot of security money without appropriately setting up protection in the process.

"They'll come to me and say, 'Zero trust isn't working,' and I'll ask, 'Well, what are you trying to protect?' and they'll say, 'I haven't thought about that yet,' and my answer is, 'Well, then, you're not even close to beginning the process of zero trust,'" he explains.

5. Cloud Native Development Incentives Are Out of Whack

DevOps practices and cloud native development have been greatly enhanced through the speed, scalability, and flexibility afforded them by cloud platforms and tooling. When security is appropriately layered into that mix, good things can happen. But Kindervag says that most development organizations are not properly incentivized to make that happen — which means that cloud infrastructure and all of the applications that rest on it are put at risk in the process.

"I like to say that the DevOps app people are the Ricky Bobbys of IT. They just want to go fast," Kindervag says. "I remember talking to the head of development at a company who eventually got breached, and I was asking him what he was doing about security. And he said, 'Nothing, I don't care about security.' I asked, 'How can you not care about security?' and he says, 'Because I don't have a KPI for it. My KPI says I have to do five pushes a day in my team, and if I don't do that, I don't get a bonus.'"

Kindervag says this is an illustration of one of the big problems, not just in AppSec, but in moving to zero trust for the cloud and beyond. Too many organizations simply do not have the right incentive structures to make it happen — and, in fact, many have perverse incentives that end up encouraging insecure practice.

This is why he's an advocate for building up zero-trust centers of excellence within enterprises that include not just technologists but also business leadership in the planning, design, and ongoing decision-making processes. When these cross-functional teams meet, he says, he's seen "incentive structures change in real time" when a powerful business executive steps forward to say the organization is going to move in that direction.

"The most successful zero-trust initiatives were the ones where business leaders got involved," Kindervag says. "I had one in a manufacturing company where the executive vice president — one of the top leaders of the company — became a champion for zero-trust transformation for the manufacturing environment. That went very smoothly because there were no inhibitors."