[00:00:00] Claire McKenna: Hello everyone, and welcome to today’s episode of cyBARR Chats. My name is Claire McKenna, and today we’re joined by Brad Thies, president and founder of BARR Advisory, to discuss the state of cloud security. With 99% of organizations using at least one cloud, the cloud is ubiquitous in nearly every industry, which means security is paramount. With that in mind, Brad, let’s dive into our first question.
What are the major challenges to cloud security today?
[00:00:31] Brad Thies: Well, just as you mentioned, it’s ubiquitous, and it’s tough to really differentiate what good practices for cloud security are without bringing forward some of the best security practices, even pre-cloud, and it starts with ownership.
And so you’ve got to have good, clear ownership of who’s establishing your cybersecurity program. Ownership doesn’t stop at the person who’s taken ownership of the program, but that’s first and foremost, and that doesn’t really change regardless of whether you’re in a cloud environment or not.
If you get specific into some very common security practices and look at a lot of the data, you know, the Verizon data breach report, a lot of these best practices are very simple things when it comes to preventing some of these attacks. For example, credential theft is very common; that is one of the leading indicators of issues when it comes to hacking.
And those are very simple fixes that seem simple, but they can be difficult; it’s just things as simple as MFA and having password managers. And then the other aspect, for folks that are developing software, is having a very robust, secure development process and program that has the tooling there to actually deploy secure code.
[00:01:51] Claire McKenna: Got it. So you mentioned MFA and password managers. Are there any other important cloud security practices that businesses need to implement?
[00:02:02] Brad Thies: I mean, those are the priorities, I would say. If you start to get deeper into your cloud security practices, one of the biggest challenges is visibility.
And so, thinking about it: okay, I know I need to do MFA, I know I need to do a password manager, I know I need to do things like secure development. What does that really mean? How am I doing static code analysis, dynamic code analysis? How am I making sure the code folks are deploying is secure?
It comes back to: I know what I need to do, but how do I get that visibility? And so now good practice is starting to really layer on some of the tooling to help give you that visibility, where you’re not dependent upon a lot of the manual exercises, you know, the whole trust-but-verify. If you have some of these automated tool sets to benchmark yourself against some of these best practices, that helps whoever’s owning that security program understand how to react as the threat model evolves.
[00:03:08] Claire McKenna: Got it. So you mentioned some of those tools, but what tools would you recommend to an organization to improve the posture of their cloud security?
[00:03:18] Brad Thies: There are so many tools out there, and that’s the challenge with the cybersecurity industry today: you can buy a lot of lemons. And I think it’s important to educate yourself first.
It’s not just the tool. No tool is going to be your silver bullet. The issue isn’t what tool to buy; it’s how do you educate yourself to make sure you’re purchasing the right tool? Because you can go in and say, well, I need a compliance automation software tool, and there are plenty of tools out there, but a lot of them are really focused on smaller organizations that have very specific integrations.
So you want to check first: are you well integrated with that tool? You know, if it integrates with AWS, Azure, and GCP, but you have a lot of environments off of those cloud environments, that tool might not be good for you. So it’s tough for me to really say here’s the tool you need specifically, because it’s going to be different for everybody.
And the important thing is, how do you educate yourself in a way so that you understand you’re buying the right tool? And, you know, I think of the tooling as different buckets: the visibility piece first, as well as the actual tools that, if you’re in software development, you give to your developers to ship out securely. But then for the folks that are not in software development, they’re looking to really just understand visibility within their cloud environment.
There’s a plethora of tools out there that just determine how well you’re using those applications. So if you’re not using them, it gives you indicators that you can probably shut them down so that you can reduce your attack surface.
[00:05:00] Claire McKenna: Got it. Switching gears a little bit.
What is the shared responsibility model, and why is it so important for cloud security?
[00:05:08] Brad Thies: The shared responsibility model is important because you have to know who’s responsible for what, who’s on first, if you will. And so, you know, AWS has a good shared responsibility model. Really, all the cloud service providers have good shared responsibility models.
And that’s part of educating yourself that I mentioned earlier. If you go to a company’s website, you should see some aspect of that shared responsibility: hey, here’s what we’re responsible for. We’re responsible for the security of the cloud, but you’re responsible for security in the cloud, as they say.
Let’s use MFA as an example: they should have information on how to set that up. That goes back to education. And so those very public things should be public. As you’re purchasing these tool sets, whether it’s from the big three, Azure, GCP, or AWS, to some other SaaS tools, they should have those things out there so that you can educate yourself on how to lock those things down.
MFA is a big example. If you didn’t know that you had to do it, or how to do it, or the risk associated with it... you know, the Workday breach from a few years ago, that was something where technically it wasn’t really their responsibility that all of these Workday accounts got hacked.
But most of them were because of an issue with MFA; most of their customers weren’t setting it up to that extent. A lot of companies got their whole payroll stolen, for multiple payroll cycles at a time, just because some administrator had compromised MFA. So that’s what I mean by the shared responsibility model: just knowing who’s responsible for what, and then actually taking that in and consuming it within your organization to distribute that ownership, making sure you’re checking those boxes for those configuration elements.
[00:07:01] Claire McKenna: Got it. And finally, looking ahead, how do you see the state of cloud security shifting over the next five years?
[00:07:11] Brad Thies: I think the old evolutions are the same problems today. There was a great book by Gary McGraw published 15 years ago, and this was when software was just exploding significantly.
And, you know, he had three problems back then, which I think ring true today. Problem number one is connectivity. There are just a bunch of applications now that are connected to each other and talking to each other, and also bringing some of these legacy systems and networks in to be more connected.
So that brings different risks. The second one he had was extensibility. Think of this as really just all the different APIs that we need as consumers to make sure that systems are talking to each other. You talk about the health system network.
There are so many systems that really make that ecosystem work, and it takes these different connectors to make that happen. And the last thing was complexity. Things are only going to get more complex. The more code you write and ship out, the more vulnerabilities you have, the more bugs you have, the more vulnerabilities you add, and that just goes exponential.
But those are the three problems. I think it gets back to: how do we get that visibility into this ecosystem of cloud service providers? And I think the three things that we really want to focus on to address that are, first, the human element, which I’ll get to in a minute.
Second is the tooling that we talked about, so you can get that visibility into those different challenges in the ecosystem. And then lastly, I think there’s going to be more of a shift toward fewer dependencies on one particular cloud or one particular type of server architecture, so that you can have a very easy way to transfer data across cloud environments,
so that your setup is completely immutable, so that you can essentially destroy your entire environment and rebuild it within a matter of minutes. Some of that stuff is happening today, but I think in the next five years it’s going to continue to speed up. But the first thing is the human element, and that’s a mind shift in security. Cybersecurity at its core is about
humans feeling safe and protected. You know, that could be called DevOps to DevSecOps, or using security as a differentiator. But I think it’s about how we make sure that it’s not... especially when you’re getting into those information security questionnaires between companies, there’s a litany of questions.
But if we really think about it less as the us-versus-them mentality of, hey, I’m trying to do business with you, I’m just going to answer these questionnaires as quickly as I can just to get that deal across the finish line, if we can shift our mindset and think about it as we’re really just two companies trying to solve the same problem when it comes to cybersecurity,
that’s my optimistic view for the next five years. And I think that’s happening, especially based on the breaches that have happened and the various mandates that are coming down about sharing information. The more we can normalize sharing information, both internally and externally, the better we’re all going to be when it comes to information security.
So that’s my optimistic thinking. In terms of other trends, it gets back to the tooling continuing to proliferate: things like cloud access security brokers, CASBs, and moving to, I should say, security and compliance automation tooling. No longer are the days where you can just send a bunch of auditors out to spend a ton of time
testing things, when really a lot of that stuff can be standardized and audited. And then I already talked about the shift to fewer dependencies on the underlying cloud or server architecture. All that’s to say, there are great tools out there today. There’s no one best framework, but if you’re looking to just get started and say, hey, I have this new technology, go out to the CIS Top 20, go out to the CIS Benchmarks.
You can go to their website and they have a very pragmatic, very prescriptive way to secure and harden your specific applications, whether it’s a Zoom application or an Ubuntu server in an AWS environment. And those are the types of things that I don’t think people are realizing: there are such great tools out there today.
Don’t get bogged down in the many different compliance frameworks out there. Just go out there, pick one up, and benchmark yourself against that. And then now you can start to speak the language, getting back to that human element, both internally and externally. And that’s your gateway, in my opinion, to real security, because compliance doesn’t always equal security, but the security aspect can equal compliance.
Compliance is really that gateway into the freedom to get into those real security practices. And it starts with just knowing what those benchmarks are that are already in place.
[00:12:25] Claire McKenna: Right. Well, it looks like an exciting future ahead for cloud security. Brad, thank you for all of your insightful comments.
And we look forward to seeing everyone next time on cyBARR Chats.