Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’ve been traveling, but this is a repost from the archives with some new thoughts below!
Original post in 2020
As many of you know, I’ve been thinking a lot about cloud security, and what it really means. Recently, I’ve been trying to think about it from first principles because managing security in a public or multi-cloud world requires a fundamental paradigm shift. I’ve talked about how the public cloud is changing IT and security, specifically, how the public cloud is more session-based and has elasticity and better IT management.
What I learned from my PhD is that confusing problems should be approached from first principles. Forget about Kubernetes, IT teams, etc. What is a system? I think of a system as having two fundamental things: endpoints and networks. In a traditional IT system, endpoints are servers and laptops. Networks are the wide-area network (WAN), the corporate network, and the devices managing them.
In a public cloud setting, this is more nebulous. There isn’t a corporate network you can trust (SaaS applications had already started to break that down), and you have little to no control over the network. The notion of a “server” has been abstracted away: cloud providers give you access to an instance based on an ID without telling you the server specifics. As you can see, in some ways this is nice. SLAs and shared infrastructure give you great elasticity, and you don’t have to manage the details of the servers and network. However, you can’t easily customize the servers and network either.
From a network standpoint, you have limited visibility into traffic, only what the cloud providers give you. At this point, it’s just easiest to assume that all traffic is malicious (“zero trust”). This is nice because you don’t have to worry about insider threats separately from external ones. Also, there can be a reduced focus on network security. However, this paradigm places more burden on the endpoints.
Endpoints can no longer rely on having a private network with trusted traffic. There is no such thing as an endpoint that doesn’t interact with the external world. Consequently, endpoints need to be “hardened” in some way. They have to have strong identities and authorization policies. Also, the network cannot enforce data policies, so endpoints have to track and enforce data policies. It’s no surprise that cloud-native companies have focused so much on identity and data governance.
Up to this point, I haven’t even mentioned the use of Kubernetes, which takes advantage of the elasticity of the cloud. Istio and Envoy aim to solve some of the problems above for Kubernetes traffic, but what about non-Kubernetes traffic?
Here are some other questions on my mind:
How does privileged access management change?
Asset management is going to be a bigger issue because the cloud makes creating assets like data and endpoints easier. How should we do asset management in the public cloud world? What should we classify as assets, and what should we track?
Identities are becoming more important, but how does the notion of identity change and how do they work in a hybrid and multi-cloud world?
How do these changes affect the structure of security programs? How does incident response work? The concept of EDR arose out of a need for incident response once endpoints left the corporate network and got infected. With a greater focus on endpoints, what other endpoint management tools will be necessary?
This is only the beginning of the paradigm switch. We are already seeing fundamental changes in the way we think about security. As cloud usage evolves, there will inevitably be more changes.
New learnings in 2021
Above was my unedited post from last year. After reading it myself, I have some additional thoughts/comments as well as relevant data I’ve learned since:
Using SaaS is the first step of a company’s journey from on-prem to cloud infrastructure. It allows a company to see what the cloud is like without committing to moving any infrastructure.
SaaS security and management are a big concern, and they expose how differently identity and data management work in the cloud. A company essentially loses control over the data in a SaaS application, making tasks like access control and data loss protection more difficult.
Identity is more important than ever. Organizations want to eliminate VPNs for accessing SaaS and cloud infrastructure because it doesn’t make a ton of sense. Why VPN to something outside of your corporate network? It’s additional overhead.
Developer love is important. It doesn’t mean you need a bottom-up motion, but DevOps’s approval is important for security organizations as they try to manage risk and problems pre-deployment. Just look at the recent acquisitions like Bridgecrew and Auth0.
Cloud maturity will uncover new problems. As organizations use the cloud more, they will discover new issues. The question is what they will be. Cloud security posture management (CSPM) and cloud workload protection platform (CWPP) have become mature categories. New categories like cloud identity and entitlements management (CIEM) are coming out. But what is next?
Thoughts in 2022
It’s interesting how cloud security has evolved in the last 2-3 years during the pandemic. Here are my thoughts a year later:
Companies are feeling a lot more pressure to move to the cloud and trying to emulate cloud-first companies. This is causing security companies to shift their strategy toward cloud-first companies and understand how to help their customers make the transition.
Cloud-native application protection platform (CNAPP) has appeared and now includes CSPM, CWPP, and CIEM as part of the platform, resulting in long-awaited consolidation.
There is a larger focus on the developer and DevOps, with the realization that most problems are fundamentally solved at the developer level.
There is a large spectrum of security teams: some primarily do security operations, others are shifting toward pure security engineering, and there is everything in between. This makes go-to-market (GTM) harder for security companies, which are forced to choose.
We need more security-engineering-focused tools, yet we’re seeing companies such as Palo Alto Networks double down on their current GTM (the security operations team) rather than trying a new GTM.