{"id":109696,"date":"2020-04-24T06:00:23","date_gmt":"2020-04-24T13:00:23","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=109696"},"modified":"2020-04-27T09:39:16","modified_gmt":"2020-04-27T16:39:16","slug":"cloud-3-myths-about-security-in-the-cloud","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/04\/cloud-3-myths-about-security-in-the-cloud\/","title":{"rendered":"3 Myths About Security in the Cloud"},"content":{"rendered":"
\u201cWe must not be hampered by yesterday\u2019s myths in concentrating on today\u2019s needs.\u201d\u00a0<\/span><\/h6>\n
\u2013 Harold S. Ganeen, former president of ITT, U.S. business leader and IT pioneer\u00a0<\/span><\/h6>\n

 <\/p>\n

In every field and in every age, there are myths that develop over time. Some are instructive while others are destructive. There are many myths about security in the cloud. I cannot think of one more pervasive than \u201cpublic cloud is more secure than an on-premises data center.\u201d I should know because for the longest time I believed this myself.\u00a0<\/span><\/p>\n

But after working with hundreds of businesses around the world and laboring with the <\/span>Unit 42 cloud threat research team<\/span><\/a> to analyze petabytes of data, I now know it\u2019s simply not true. Let\u2019s dive in together and discover a better path forward.<\/span><\/p>\n

 <\/p>\n

Myth #1: The public cloud is more secure than an on-premises data center.<\/b><\/h2>\n

This is one that has been proclaimed by the cloud service providers (CSPs) for well over a decade. When organizations are surveyed, typically one of the top fears around security has to do with the cloud. So it plays well to sell the notion that the cloud is more secure than on-prem, where most compute exists today. But let\u2019s be clear, CSPs have a largely stellar track record when it comes to securing their portion of the shared responsibility model. Instances like what is cited <\/span>in this recent \u201cForbes\u201d article<\/span><\/a> are few and far between. This is the security <\/span>of the cloud<\/span><\/i> versus what customers are responsible for <\/span>in the cloud<\/span><\/i>.<\/span><\/p>\n

I distinctly remember once in a previous role our CSO asking me, \u201cDo you really think the cloud is more secure than our data centers?\u201d To which I confidently responded, \u201cAbsolutely!\u201d In retrospect, I was dead wrong. <\/span>Because although the public cloud <\/b>has the potential<\/i><\/b> to be more secure than a traditional datacenter, <\/b>most organizations <\/i><\/b>do not have these environments configured that way<\/i><\/b><\/a>.<\/b>\u00a0<\/span><\/p>\n

In the <\/span>2019 Unit 42 Cloud Threat Report<\/span><\/a>, Unit 42 researchers found that 65% of all cloud security incidents were the result of customer misconfigurations. Again, the cloud providers have done a good job at providing <\/span>secure services<\/span><\/i> (APIs, etc.) to cloud consumers. But they have room for improvement when it comes to offering integrated, comprehensive, platform-level controls back to cloud consumers.\u00a0<\/span><\/p>\n

In terms of the <\/span>shared responsibility model<\/span><\/a>, many organizations conceptually understand that they have security work to do in the cloud. However, they often fail to put the necessary processes and controls in place to make it happen consistently. Could there be an underlying psychological basis in this myth, or is it something else?<\/span><\/p>\n

 <\/p>\n

Myth #2: DevSecOps is just about adding \u201csecurity\u201d or \u201cscanning\u201d to DevOps.<\/b><\/h2>\n

I\u2019ve included this one here because, from my experience, DevSecOps is synonymous with public cloud. Yes, it can include on-premises as well. However, we see this only in some of the most advanced environments that run API-driven workloads in highly customized private clouds (think entire data centers, which were purpose-built around specific workloads such as gaming).\u00a0<\/span><\/p>\n

\"This<\/span><\/div>
Insecure Terraform template: SSH service on port 22 exposed to the entire internet.<\/figcaption><\/figure>\n

DevSecOps is way more than simply running security scanners. <\/span>DevSecOps<\/span><\/a> is about completely changing how security, as a function, is planned and executed. In most organizations today, security is a distinct, isolated function. There is not much interaction happening between developers and security \u2013 except for when a new app is scanned a few days before a production launch and a slew of critical vulnerabilities are found.\u00a0<\/span><\/p>\n

The wheels begin to move toward DevSecOps <\/b>when security teams, developers and IT teams alike advocate and deliver infrastructure and security as code<\/b><\/a>.<\/b> This is primarily done through immutable infrastructure such as Infrastructure as Code (Iac) templates such as AWS CloudFormation, HashiCorp Terraform and Azure Resource Manager (ARM).\u00a0<\/span><\/p>\n

Historically speaking, security teams and code did not go together. But in the <\/b>cloud native age<\/b><\/a>, it is imperative.<\/b> And organizations are certainly moving in this direction. In the <\/span>Unit 42 Cloud Threat Report: Spring 2020<\/span><\/a>, researchers identified more than 199,000 vulnerabilities in IaC templates. CloudFormation templates were found to be the most vulnerable, with 42% registering at least one or more high- or medium-severity vulnerabilities. Certainly, IaC templates are a key component of a DevSecOps program. However, if a template itself is configured incorrectly, this then means the issue, unfortunately, will be replicated at scale.<\/span>
\n<\/span><\/p>\n

Organizations looking to transform from DevOps to DevSecOps should <\/span>concentrate first on people and process<\/span><\/a>. In a recent webinar, I recommended <\/span>five strategic steps<\/span><\/a> organizations could take when making this move.\u00a0<\/span><\/p>\n

 <\/p>\n

Myth #3: CSPs natively deliver all the security controls a company needs.<\/b><\/h2>\n

This myth is closely related to No. 1 but has a different rub. While the first is split with varying degrees down the shared responsibility model, this one hits squarely on what\u2019s in the scope of the customer\u2019s control (and concern).\u00a0<\/span><\/p>\n

When any service is provided to a customer, the business providing it has a duty to ensure adequate protections are in place from day one <\/span>by default<\/span><\/i>. Although cloud consumers have largely shirked their accountability in the shared responsibility model, CSPs could do more while still aggressively pumping out new features.\u00a0<\/span><\/p>\n

New functionality is the lifeblood of any platform, and businesses have come to depend on the innovation CSPs provide. However, if there aren\u2019t equally useful and embedded security features <\/span>with secure defaults<\/span><\/a> as part of new functionality, something is amiss. Yes, CSPs have some basic security controls on their platforms, and they continue to enhance them over time. However, organizations need more than CSPs can deliver natively. In a recent <\/span>Gartner survey<\/span><\/a> of public cloud users, 81% of respondents said they are working with two or more CSPs. Enterprise-grade security requires visibility and controls that span multiple cloud providers as well as hybrid clouds. This is why an entire industry sprang up around Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) security as early as 2013, with startups such as Evident.io, RedLock and Twistlock having led the pack.<\/span><\/p>\n

 <\/p>\n

Defeat the Myths About Security in the Cloud: Never Trust, Always Verify<\/b><\/h4>\n

As Ganeen said: \u201cWe must not be hampered by yesterday\u2019s myths in concentrating on today\u2019s needs.\u201d<\/span><\/p>\n

This certainly holds true for the cloud. <\/span>As security professionals, it is our duty to move our organizations forward into the cloud native world<\/b>. This means we must do three things: <\/span>
\n<\/span><\/p>\n

    \n
  1. Advocate for <\/span>Zero Trust security models<\/span><\/a>, which follow the mantra \u201cNever trust, always verify.\u201d<\/span><\/li>\n
  2. Promote and encourage automated and scalable security through IaC templates.\u00a0<\/span><\/li>\n
  3. Adopt <\/span>cloud native security platforms<\/span><\/a> that work cohesively with multiple cloud service provider APIs, as well as integrate organically into development pipelines no matter where the pipeline lives. <\/span>
    \n<\/span><\/li>\n<\/ol>\n

    In order to reap all the business benefits cloud has to offer, we must ensure that myths are dispelled with both facts and action.<\/span><\/p>\n

    There are countless other myths about security in the cloud. Which ones did I miss? Connect with me on <\/span><\/i>LinkedIn<\/span><\/i><\/a> and let me know.<\/span><\/i><\/p>\n

    For more insights from cloud security thought leaders, view sessions from the <\/span><\/i>Cloud Native Security 2020 Virtual Summit<\/span><\/i><\/a> for free and on-demand.\u00a0<\/span><\/i><\/p>\n

    This post originally appeared on <\/span>The New Stack<\/span><\/a>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

    There are many myths about security in the cloud. Our CSO for public cloud breaks down a few big ones and offers some truths.<\/p>\n","protected":false},"author":623,"featured_media":109520,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768],"tags":[7009,6901,6890],"coauthors":[6679],"class_list":["post-109696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","tag-30-days-of-cloud","tag-cloud-native-security-platform","tag-prisma-cloud"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/pan_generic-gtm-social_prisma-blog-350x300-1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/109696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/623"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=109696"}],"version-history":[{"count":5,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/109696\/revisions"}],"predecessor-version":[{"id":109714,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/109696\/revisions\/109714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/109520"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=109696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=109696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=109696"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=109696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}