Cloud and cybersecurity disaster stories are commonplace in the industry and among the journalists who cover it. While they may have the whiff of tabloid which makes them irresistible to the media – look who’s been caught with their pants down now – the problem is that they keep happening.
Take Marriott International as a recent example. The company reported a major data breach on March 31, which according to reports leaked the information of more than five million guests worldwide. Or Capital One in July, where an insider snaffled data from Amazon Web Services (AWS) buckets in what was described as a ‘firewall misconfiguration.’
As cloud workloads become more complex – with the use of multiple cloud vendors moving from a nice-to-have to a strategic advantage – companies are increasingly finding that the concept of shared responsibility is one where vendor and customer are seeing their hands slip away from each other’s embrace. The cloud governance space, from monitoring to cloud access security brokers (CASB), is therefore a vital middleman in this process.
Music streaming behemoth Spotify is a well known Google Cloud customer. The company has been working with Google since 2016, and in its IPO filing two years later it was disclosed that Spotify was paying more than £300 million over three years for its transformation.
With that sort of investment, it makes sense to pay more to keep the lights on. DivvyCloud, an Arlington, VA-headquartered cloud security provider, helps Spotify, among other big customers, maintain its systems across multiple needs and geographies, with different cloud environments and application workloads. Jeremy Snyder, VP business/corporate development and international strategy, explains the continued importance of companies like DivvyCloud in this space.
“There is still a skills gap as more and more organisations, and more and more people, transition from traditional IT to cloud environments and wrap their heads around the differences and the nuance around that,” Snyder tells CloudTech. “You look at most customers who are using data centres or colocation environments – they have a whole process where any change to a firewall rule might take two weeks to implement. You look at a cloud environment and you might find 100 people who can change that in 30 seconds.”
According to Flexera’s 2019 State of the Cloud survey, 84% of enterprises polled had a multi-cloud strategy in place – for important production workloads as well as sensitive data. “I would say that while the cloud providers are certainly improving the security tools that they’re offering to customers, the big trend we’re seeing in the market is the rise of multi-cloud,” says Snyder.
“So there is a need for a tool that is multi-cloud which brings all of the different environments into a single pane of glass and then apply security standards uniformly across the clouds.”
DivvyCloud aims to protect against four cloud security issues: misconfigurations, policy violations, threats, and wider identity and access management (IAM). Not surprisingly, misconfigurations top the list. Open S3 buckets affect anyone, whether you’re Facebook or Tesla, and Snyder notes the vast majority of these snafus are down to human error.
This brings up a wider point related to the ongoing Covid-19 pandemic. With many companies incorporating total remote working – DivvyCloud being one of them – could this mean more errors with employees left, literally, to their own devices?
Snyder notes bill shock could be one of the first symptoms. “In the current situation, you’ve got a lot of people needing to get things done, so the default behaviour is to give people access to go and do whatever they need to do,” he says. “What we see happening is that people are really good at creating stuff, but they’re not good at cleaning up after themselves.” In this instance, automation is the key, which can then be applied towards governance to help organisations clear up unused or underutilised resources.
Generally speaking, right now Snyder says many bad actors are increasing their probing, testing against customers’ cloud perimeters, or against some of their cloud assets, to see where their configuration is weak and assets are exposed. DivvyCloud is working in the crisis to make its software available to any customer who needs to run an assessment of their cloud environment, to the extent of deploying the software free of charge for 30 days, as well as documenting common issues raised.
On the basis that prevention is better than cure, however, Snyder notes a three-point plan for companies worried about their cloud security. First of all, do a quick inventory. Second, take an industry best practice – Snyder name checks the CIS Benchmarks – and scan it against your own environment. Finally, if there are any issues, look at what the data or workload is, prioritise it, and then work through those issues as a result.
“Paramount to all of this is understand what you have,” Snyder adds. “If you don’t have visibility on all of the workloads and all of the assets that your organisation is responsible for, you won’t even know – you can’t know – whether you’re going to stay secure or not. Start with visibility and then check your security posture.”
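The three-point plan above (inventory, check against a benchmark, prioritise by the data involved), sketched as an added example that is not from the article or from DivvyCloud. The inventory records, field names, check names and weights are all constructed assumptions; the checks are written in the spirit of benchmark-style rules and are not actual CIS Benchmark controls.

```python
# Step 1: a constructed multi-cloud inventory (hypothetical schema and resources).
INVENTORY = [
    {"id": "aws:s3:guest-exports", "cloud": "aws", "type": "bucket",
     "public": True, "data": "pii", "idle_days": 3},
    {"id": "gcp:gcs:static-site", "cloud": "gcp", "type": "bucket",
     "public": True, "data": "public", "idle_days": 1},
    {"id": "aws:sg:bastion", "cloud": "aws", "type": "firewall",
     "rules": [{"cidr": "0.0.0.0/0", "port": 22}], "data": "internal", "idle_days": 0},
    {"id": "azure:vm:poc-test", "cloud": "azure", "type": "vm",
     "data": "internal", "idle_days": 95},
    {"id": "gcp:fw:web", "cloud": "gcp", "type": "firewall",
     "rules": [{"cidr": "0.0.0.0/0", "port": 443}], "data": "internal", "idle_days": 0},
]

ADMIN_PORTS = {22, 3389}                            # SSH and RDP
DATA_WEIGHT = {"pii": 3, "internal": 2, "public": 1}  # assumed sensitivity weights

def check_public_bucket(r):
    # Public storage is only a finding when the data is not meant to be public.
    return r["type"] == "bucket" and bool(r.get("public")) and r["data"] != "public"

def check_open_admin_port(r):
    # Firewall rule exposing an admin port to the whole internet.
    return r["type"] == "firewall" and any(
        rule["cidr"] in ("0.0.0.0/0", "::/0") and rule["port"] in ADMIN_PORTS
        for rule in r.get("rules", []))

def check_idle(r, max_idle_days=30):
    # Resources created and never cleaned up: a cost and attack-surface issue.
    return r.get("idle_days", 0) > max_idle_days

# Step 2: the rule set applied uniformly across clouds (name, severity, predicate).
CHECKS = [
    ("public-bucket-with-nonpublic-data", 3, check_public_bucket),
    ("admin-port-open-to-internet", 3, check_open_admin_port),
    ("idle-resource", 1, check_idle),
]

def assess(inventory):
    # Step 3: score each finding by severity times data sensitivity, highest first.
    findings = [
        {"resource": r["id"], "cloud": r["cloud"], "check": name,
         "score": sev * DATA_WEIGHT[r["data"]]}
        for r in inventory for name, sev, pred in CHECKS if pred(r)]
    return sorted(findings, key=lambda f: (-f["score"], f["resource"]))

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['score']:>2}  {f['cloud']:<5} {f['resource']:<22} {f['check']}")
```

The same checks run over every provider's resources once they are normalised into one inventory, which is the "single pane of glass" point made earlier in the article.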