“Organizations should start with visibility and discovery to find out which users have access to applications and what data they can access. They must get into the mindset of logging everything to go beyond visibility and allow the introduction of controls around applications,” says Richard Walters, CTO, Censornet, in an exclusive interview with ITSecurityWire.
ITSW Bureau: What are the struggles enterprises encounter while securing their cloud environments?
Richard Walters: One major challenge is caused by the sheer number and diversity of cloud platforms available. What enterprises need to do to secure a cloud storage platform like OneDrive or Dropbox is very different to the tactics needed to secure infrastructure-as-a-service applications, for instance. Organizations also use several different clouds, including public, private and hybrid clouds. This makes segmentation difficult and micro-segmentation even harder.
Gartner now talks about five segments within the cloud security space. Depending on the organization, enterprise leaders will need a mix of elements from some or all of these segments. The first is a Cloud Access Security Broker (CASB), which Gartner defines as “security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed”.
There are also Cloud Workload Protection Platforms (CWPP), which specifically secure single platforms such as AWS or Azure. Cloud Security Posture Management (CSPM) is the third segment within cloud security management and involves continuously scanning cloud objects, including containers, to see if those objects are compliant with policy or whether there is any data stored in those containers that should not be there, meaning there is an element of data security in CSPM.
The last two are more recent micro-segments. Cloud Infrastructure Entitlement Management (CIEM) is about introducing a lighter touch identity that streamlines least-privilege access controls across distributed environments. The most recent addition is Cloud-Native Application Protection Platforms (CNAPP), which are starting to incorporate application and data context in a manner that’s almost a convergence of CSPM and CWPP to create a new category of product.
Alongside the complexity and diversity of cloud platforms, there is a race to home working which means the old VPN model is out-of-date. The traditional perimeter is gone, replaced by context and identity. Today, enterprises are shifting towards a concept of Zero Trust and moving away from the idea that they connect to an application that is visible on the internet and then authenticates. Now, the new model involves authenticating to an intermediary layer – the Zero-Trust Network Access Controller (ZTNA) solution before connecting to applications hidden from the internet that are not accessible by attackers and criminal actors.
With so many choices and an ever-changing environment, cloud security is a complex domain.
ITSW Bureau: What steps can CISOs take to secure the assets of the enterprise as well as provide greater security visibility?
Richard Walters: It is about understanding where the data lives and why it is there as well as assessing its acceptable use and movement to support approved business workflows. CISOs will have to adopt whatever cloud security management tools are needed, with this decision dictated by the cloud application mix the organization uses. They are almost certainly going to require CASB for a start, but could also use CWPP, CSPM or other combinations of solutions.
Organizations should start with visibility and discovery to find out which users have access to applications and what data they can access. They must get into the mindset of logging everything to go beyond visibility and allow the introduction of controls around applications. If an application can upload, download, send or receive files then unauthorized use poses a clear risk of data loss.
Once enterprises have boosted visibility and started to log everything, it would be wise to integrate CASB with identity to ensure all application access is over an instrumented, protected and secure channel.
After incorporating CASB with Identity-as-a-Service (IDaaS), the next logical place to go is to consider context – and that is likely to start with Multi-Factor Authentication (MFA). Most MFA solutions are adaptive or context-aware, recognizing a user’s location, geolocation and what device they are using, which are good examples of context.
Then comes data security, which could involve examining information labels or extending CASB rules with policies that are data-aware, looking at the contents of a file when a user is trying to upload to OneDrive, SharePoint or another platform.
User behavior over time is also something that CISOs should be aware of. Everyone is getting strafed with account takeover attacks right now, which are hard to defend against. If enterprises do not start looking at the behavioral context, it is hard to determine whether activity around an email account, for instance, is legitimate. Context and identity of users, as well as of other entities such as devices, mailboxes or cloud objects, are something CISOs should be looking at.
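As an added illustration of the contextual and behavioral signals described in this answer (this is example code written for this page, not code from the interview or from Censornet's products), the following Python scores sign-in events against a per-user baseline of countries and devices, flags travel that is faster than an airliner since the last accepted sign-in, and adds weight to sensitive mailbox actions such as creating a forwarding rule. The users, events, weights and thresholds are all constructed for the example; only accepted events feed back into the baseline, so a blocked sign-in cannot teach the system that an attacker's device is normal.

```python
"""Context-aware sign-in risk scoring over constructed events (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Hypothetical weights and thresholds; tune against your own telemetry.
W_NEW_COUNTRY = 30
W_NEW_DEVICE = 30
W_IMPOSSIBLE_TRAVEL = 50
W_SENSITIVE_ACTION = 20
MAX_PLAUSIBLE_KMH = 900   # roughly airliner speed
STEP_UP_AT = 30           # score at which to demand MFA
BLOCK_AT = 70             # score at which to deny and alert
SENSITIVE_ACTIONS = {"mailbox_forwarding_rule", "oauth_consent", "password_change"}

# Constructed history used to seed baselines (not real telemetry).
HISTORY = [
    {"user": "alice", "ts": "2021-03-01T09:00:00", "country": "GB", "lat": 51.50, "lon": -0.12, "device": "lap-alice", "action": "login"},
    {"user": "alice", "ts": "2021-03-02T09:05:00", "country": "GB", "lat": 51.50, "lon": -0.12, "device": "lap-alice", "action": "login"},
    {"user": "bob", "ts": "2021-03-01T08:00:00", "country": "US", "lat": 40.71, "lon": -74.01, "device": "lap-bob", "action": "login"},
]

# Constructed events to evaluate: a normal London sign-in, a sign-in from Lagos
# 40 minutes later on an unknown device, a forwarding rule created from that
# session, and a legitimate trip from New York to Boston two days later.
EVENTS = [
    {"user": "alice", "ts": "2021-03-03T09:00:00", "country": "GB", "lat": 51.50, "lon": -0.12, "device": "lap-alice", "action": "login"},
    {"user": "alice", "ts": "2021-03-03T09:40:00", "country": "NG", "lat": 6.52, "lon": 3.38, "device": "unknown-1", "action": "login"},
    {"user": "alice", "ts": "2021-03-03T09:45:00", "country": "NG", "lat": 6.52, "lon": 3.38, "device": "unknown-1", "action": "mailbox_forwarding_rule"},
    {"user": "bob", "ts": "2021-03-03T14:00:00", "country": "US", "lat": 42.36, "lon": -71.06, "device": "lap-bob", "action": "login"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class Baseline:
    """What a user has done before, learned only from accepted events."""

    def __init__(self):
        self.countries, self.devices = set(), set()
        self.last = None  # (datetime, lat, lon) of the last accepted event

    def learn(self, ev):
        self.countries.add(ev["country"])
        self.devices.add(ev["device"])
        self.last = (datetime.fromisoformat(ev["ts"]), ev["lat"], ev["lon"])


def score_event(ev, base):
    """Return (score, reasons) for one event against the user's baseline."""
    score, reasons = 0, []
    if ev["country"] not in base.countries:
        score, reasons = score + W_NEW_COUNTRY, reasons + ["new_country"]
    if ev["device"] not in base.devices:
        score, reasons = score + W_NEW_DEVICE, reasons + ["new_device"]
    if base.last is not None:
        last_ts, last_lat, last_lon = base.last
        hours = (datetime.fromisoformat(ev["ts"]) - last_ts).total_seconds() / 3600
        hours = max(hours, 1 / 60)  # clamp so a zero gap cannot divide by zero
        if haversine_km(last_lat, last_lon, ev["lat"], ev["lon"]) / hours > MAX_PLAUSIBLE_KMH:
            score, reasons = score + W_IMPOSSIBLE_TRAVEL, reasons + ["impossible_travel"]
    if ev["action"] in SENSITIVE_ACTIONS:
        score, reasons = score + W_SENSITIVE_ACTION, reasons + ["sensitive_action"]
    return score, reasons


def decide(score):
    """Map a risk score to an access decision."""
    if score >= BLOCK_AT:
        return "block"
    return "step_up" if score >= STEP_UP_AT else "allow"


def evaluate(history, events):
    """Seed per-user baselines from history, then score events in time order."""
    baselines = {}
    for ev in sorted(history, key=lambda e: e["ts"]):
        baselines.setdefault(ev["user"], Baseline()).learn(ev)
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        base = baselines.setdefault(ev["user"], Baseline())
        score, reasons = score_event(ev, base)
        decision = decide(score)
        if decision == "allow":
            base.learn(ev)  # blocked or stepped-up events never become "normal"
        results.append({"user": ev["user"], "ts": ev["ts"], "action": ev["action"],
                        "score": score, "reasons": reasons, "decision": decision})
    return results


if __name__ == "__main__":
    for r in evaluate(HISTORY, EVENTS):
        print(f"{r['ts']} {r['user']:<6} {r['action']:<24} {r['score']:>3} {r['decision']:<8} {','.join(r['reasons'])}")
```

Run as-is, the London sign-in is allowed, the Lagos sign-in scores 110 (new country, new device and roughly 5000 km covered in 40 minutes) and is blocked, the forwarding rule from the same session scores 130, and Bob's New York to Boston trip scores 0. A user with no history scores as "new" on every signal and lands in step-up, which is the conservative default for a first sign-in.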
ITSW Bureau: How can enterprises integrate advanced technologies into their traditional security stack without disrupting their business operations?
Richard Walters: Solutions can be layered on. It is about good planning to ensure that enterprises do not make technical decisions today which prevent them from heading down a particular path or journey in the future. They should map out their journey to where they are heading: Gartner’s Secure Access Service Edge (SASE).
The first stop on this journey is going to be ZTNA followed by wider adoption of Zero Trust not just for network access but also for other aspects of an activity. On the road to SASE, there will be things they will and will not do to speed that journey up. It is about making the right decisions now to stop that journey from being more difficult or convoluted than it needs to be.
ITSW Bureau: What trends do you think will transform cloud security in 2021 and beyond?
Richard Walters: This industry has spent decades fixated on manually responding to an attack or compromise. That has to change. They need to move towards automated prevention. It is about thinking differently to move away from sitting and waiting for an alert and then manually responding and investigating.
They need to adopt a posture that has elements of adaptability built in and automated response.
In the long term, automated security solutions tackle repetitive low-level attacks that hit all organizations day in and day out, from phishing emails to reconnaissance at the traditional perimeter. These things don’t need human intervention to stop or prevent.
Richard Walters is Chief Technology Officer and responsible for Censornet’s current and future integrated set of cloud-based security services. He was previously Senior Vice President of Security Products at cloud services provider Intermedia, Inc. and before that Co-founder and Chief Technology Officer at SaaSID Limited, a UK-based IDaaS and CASB vendor, which was acquired by Intermedia in 2013.
Richard has 30 years of experience in the IT industry, starting with blue-chip vendors such as Digital, Dell and Panasonic. With a strong technical background dating back to VAX/VMS and Unix System V, and over 15 years in C-level positions focused on information security, he has in-depth knowledge of operating system and database security, intrusion detection systems, email and web security, identity and access management, and cloud and mobile security.
Richard Walters, Chief Technology Officer, Censornet