Frankly Speaking 5/18/21 - Cloud Security from First Principles (revisited)
It seems like things are finally getting back to some normality (at least for vaccinated people). However, I’ve found it difficult to start doing in-person meetings again. I’ve limited them to the mornings (before my Zoom meetings start), lunch, and after my Zoom meetings. I think it’s easier to schedule that way and also keep my efficiency with Zoom calls. I’ve also been meeting people more on the weekend, which is nice, because I haven’t started to have plans. One thing I won’t miss is all the travel! I will reduce my frequency of travel going forward. I am looking forward to fewer but longer trips.
Anyway, quick shoutout to my portfolio company Soluble for launching a GitHub app, iacbot, which makes it super easy for you to do security assessments on Terraform, CloudFormation, and Kubernetes. No call with a salesperson required! Go install it and play around.
LET’S BE FRANK
I’m trying something different this week. It’s also been a busy week, so it’s been hard to have time to think of new talent. I am re-posting my most popular newsletter that was featured on the front page of Hacker News. It’s about cloud security from first principles. It’s been almost exactly a year since I posted it, and I’m going to add a bit more about my learnings below. Let me know your thoughts on this format!
Previous post
As many of you know, I’ve been thinking a lot about cloud security, and what it really means. Recently, I’ve been trying to think about it from first principles because managing security in a public or multi-cloud world requires a fundamental paradigm shift. I’ve talked about how the public cloud is changing IT and security, specifically, how the public cloud is more session-based and has elasticity and better IT management.
What I learned from my PhD is that confusing problems should start from first principles. Forget about Kubernetes, IT teams, etc. What is a system? I think of a system as having two fundamental things: endpoints and networks. In a traditional IT system, endpoints are servers and laptops. Networks are the wide-area network (WAN), the corporate network, and the devices managing this.
In a public cloud setting, this is more nebulous. There isn’t a corporate network you can trust (however, SaaS applications already started to break that down), and you have little to no control over that network. The notion of a “server” has been abstracted away as cloud providers give you access to an instance based on an ID without telling you server specifics. As you see, in some ways, this is nice. SLAs and sharing infrastructure give you great elasticity, and you don’t have to manage the details of the servers and network. However, you can’t easily customize the servers and network.
From a network standpoint, you have limited visibility of traffic — only what the cloud providers give you. At this point, it’s just easiest to assume that all traffic is malicious (“zero-trust”). This is nice because you don’t have to worry about insider threats separately from external ones. Also, there can be a reduced focus on network security. However, this paradigm places more burden on the endpoints.
Endpoints can no longer rely on having a private network with trusted traffic. There is no such thing as an endpoint that doesn’t interact with the external world. Consequently, endpoints need to be “hardened” in some way. They have to have strong identities and authorization policies. Also, the network cannot enforce data policies, so endpoints have to track and enforce data policies. It’s no surprise that cloud-native companies have focused so much on identity and data governance.
Up to this point, I haven’t even mentioned the use of Kubernetes, which takes advantage of the elasticity of the cloud. Istio and Envoy aim to solve some of the problems above for Kubernetes traffic, but what about non-Kubernetes traffic?
Here are some other questions on my mind:
How does privileged access management change?
Asset management is going to be a bigger issue because the cloud makes creating assets like data and endpoints easier. How should we do asset management in the public cloud world? What should we classify as assets, and what should we track?
Identities are becoming more important, but how does the notion of identity change, and how do identities work in a hybrid and multi-cloud world?
How do these changes affect the structure of security programs? How does incident response work? The concept of EDR rose out of a need for incident response due to endpoints leaving the corporate network and being infected. With a great focus on endpoints, what other endpoint management tools will be necessary?
This is only the beginning of the paradigm switch. We are already seeing fundamental changes in the way we think about security. As cloud usage evolves, there will inevitably be more changes.
New learnings in the past year
Above was my unedited post from last year. After reading it myself, I have some additional thoughts/comments as well as relevant data I’ve learned since:
Using SaaS is the first step of a company’s journey from on-prem into cloud infrastructure. It allows a company to see what the cloud is like without committing to moving any infrastructure.
SaaS security/management is a big concern. As a result, it exposes how identity and data management work in the cloud. It’s very different! A company essentially loses control over the data in a SaaS application, making tasks like access control and data loss protection more difficult.
Identity is more important than ever. Organizations want to eliminate VPN for accessing SaaS and cloud infrastructure because it doesn’t make a ton of sense. Why VPN to something outside of your corporate network? It’s additional overhead.
Developer love is important. It doesn’t mean you need a bottoms-up motion, but DevOps’s approval is important for security organizations as they try to manage risk and problems pre-deployment. Just look at the recent acquisitions like Bridgecrew and Auth0.
Cloud maturity will unravel new problems. As organizations use the cloud more, they will discover new issues. The question is what they will be. Cloud security posture management (CSPM) and cloud workload protection platform (CWPP) have become mature categories. New categories like cloud identity and entitlements management (CIEM) are coming out. But what is next?
As always, happy to chat more about this! Just send me an email.
TWEET OF THE WEEK
And you know why I feel like I’m always confused!