How to Secure Your Cloud Environment for What’s Next

In Part 1 of this two-part series, we put a magnifying glass on some of the top cloud security trends and lessons learned in 2016. In Part 2, we’re going to look at where we believe cloud security is headed over the next year.

This two-part series is adapted from a recent webinar we hosted with Threat Stack’s Director of Products, Vikram Varakantam, and OneLogin’s CISO, Alvaro Hoyos. In it, we discussed Gartner’s 2017 cloud security report and shared our own perspective on where the market is heading.

(Note: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.)

You can listen to the full webinar recording above. Below, read what Vikram and Alvaro have to say about the future of cloud security in 2017, based on Gartner’s latest report.

Prediction 1: Balancing the Shared Responsibility Model

Attacks against cloud deployments succeed because customers, not providers, fail to fully address their portions of the shared responsibility model – Gartner Predicts 2017: Cloud Security Report

You may be familiar with the cloud shared responsibility model. Amazon does a great job of explaining it, and we have written about it numerous times. Infrastructure as a service (IaaS) providers like AWS, Google Cloud Platform, and Microsoft Azure are continually investing in security to deliver the most secure infrastructure for companies to build their businesses on. But this doesn’t mean that companies can skip out on their role in security. In fact, security breaches are almost always due not to a cloud provider’s lack of security but to organizations failing to secure their data and applications within public cloud infrastructure.

In 2017, we predict that companies will become smarter about security by taking the time to understand what they’re ultimately responsible for and implementing the necessary controls, tools, and processes. For tips on where to start, check out these posts.

Prediction 2: Retooling and Paradigm Shifts

Treat the cloud as an opportunity to apply fresh thinking and to adopt new methods for defending information from attack. – Gartner Predicts 2017: Cloud Security Report

In 2017, we predict that many companies will experience a major paradigm shift. Moving to the cloud offers an opportunity for a fresh approach to security. We encourage companies to consider their risk profiles, understand what their key goals and objectives are, and begin applying new thinking to better address security in the cloud this year. Consider it an opportunity to hit the “reset” button.

The areas where we recommend that companies retool their approach include:

  • Tighter feedback loops (via workflows and automation)
  • Centralized access (via API-enabled solutions, automation, and orchestration)
  • Compliance adherence (via better tooling and reporting)
  • Cloud governance (via better oversight for tools, users, and infrastructure)

Note: We cover each of these areas in depth in the webinar recording.

The beauty of the cloud is that you have plenty of options for building the right cloud security posture for your organization. Our Cloud Security Playbook is a great place to learn more about the options that are available to you.

Prediction 3: Favoring Out-of-the-Box Security Tools

The best security solutions will be those that integrate natively into the IaaS environment. – Gartner Predicts 2017: Cloud Security Report

Moving to the cloud is in itself a significant undertaking, so layering on security shouldn’t add extra work. The best security tools can integrate natively into the cloud infrastructure you’re already using, whether it be AWS, Google Cloud Platform, Azure, or even a hybrid mix of public cloud and on-premises infrastructure.

Case in point: Alvaro chose to use Threat Stack for OneLogin because Threat Stack could immediately deploy across their entire AWS infrastructure without any extra customization required on his end. Not only that, but Threat Stack also works effectively with workflow apps including Puppet and Chef, communication channels such as Slack, and alerting tools such as PagerDuty. Out-of-the-box solutions like this make the process of integrating security as easy as possible.

Since speed and efficiency are the name of the game in 2017, we predict that companies will start looking for vendors who can fit neatly into their existing cloud environments.

Prediction 4: Governance in the Cloud

Develop a plan for the effective utilization and governance of SaaS. – Gartner Predicts 2017: Cloud Security Report

Alvaro and Vikram agreed that governance will be the big buzzword of RSA 2017. That’s because, in the cloud, just about anyone can sign up for a new SaaS tool or spin up a new server, but where does oversight come in, if at all?

Governance in the cloud sets standards for how to use cloud services. It enables the development of policies on, for example, how to integrate new services or spin up new servers to ensure that they’re set up securely and that they have the right level of monitoring and user access controls going forward.

We believe that, in 2017, more and more companies will begin implementing controls and processes to ensure cloud governance. The key, however, will be to do so in a way that doesn’t hinder progress and innovation — and that can be done through automation.

Prediction 5: Bringing Ops and Security Closer Together

Utilize the cloud IaaS provider’s native security capabilities in conjunction with secure DevOps practices and tools, to automate security controls throughout the application life cycle. – Gartner Predicts 2017: Cloud Security Report

Just as we predict that governance will play a stronger role in the operations of many companies, we believe that the integration of security into DevOps practices will continue as a strong trend in 2017.

Many cloud processes, such as the managing of security groups, lend themselves to an automation model whereby they can be integrated into the greater DevOps pipeline. This is great for security. Companies will always face constraints around security, so bringing it into DevOps helps to make it a team-wide effort and not a separate (often forgotten) discipline.

Companies can begin bringing security into DevOps by developing processes that outline how to handle security-related tasks like:

  • How to provision a new server or user
  • What to do when a vulnerability is detected at 2 a.m.
  • How to approach a new exposure on Linux when it arises

Encoding these processes can help ensure that security is carried out uniformly so it can scale as a company grows and become embedded in the company culture.

Taking on Cloud Security in 2017

Security has come a long way in just the past few years. While there is still much more to be done, we’re at an inflection point where companies are asking “how should we do it” instead of “why should we do it”, and they’re looking for best practices like the ones outlined above to secure the cloud.

We encourage all companies to consider each of the five areas covered in this post as well as the best practices laid out in Part 1 of this series.

For more cloud security tips, be sure to subscribe to our blog, and for guidance on how to develop your cloud security strategy in 2017, download a free copy of our Cloud Security Playbook.