23 Beliefs About Cloud Security That Are Just Not True (Anymore)

23 Beliefs About Cloud Security That Are Just Not True (Anymore)

The cloud has become a ubiquitous and essential part of our world, but just like every relationship in our lives, things change and inevitably become more complicated. What once was a truth or a great promise will eventually change. When our understanding of the cloud doesn’t change with it, we can run into problems.

Take for example, the historically stringent views around cloud maintenance, responsibility, and sovereignty:

The notion that “I can’t use the cloud because my data needs to be isolated from other companies and the cloud doesn’t allow proper isolation,” is simply not true, said Paul Truitt (@MazarsInUS), CISO, Mazars. “This can easily be addressed with proper design and configuration.” There is more to cloud than just “storing your data on someone else’s computer” (an often-repeated trope). After all these years, there are cloud security beliefs that are just not true or are not true anymore. Here are 23 of our favorite beliefs, with comments from 28 industry experts:

Got feedback? Join the discussion on LinkedIn.

Thanks to our sponsor, Orca Security

Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. With continuous first-to-market innovations and expertise, the Orca Platform ensures security teams quickly identify and remediate risks to keep their businesses secure. Connect your first account in minutes by visiting www.orca.security.

1. You can just set it and forget it

“The common misconception when you go full cloud or via some service is that security belongs to the cloud provider, and you don’t have too much to do anymore,” said Gary Hayslip, (@ghayslip), CISO, Softbank Investment Advisers. “Cyber is cyber, and many of the basic hygiene principles still apply.”

Mazars’ Truitt concurs. To say, “I moved my stuff to the cloud, so I no longer need to worry about patching, firewalls, or any other administration of my systems, is very not true unless by cloud you mean SaaS service.” “Companies must own their security including continuous assessment of protection of critical systems and data,” added Renee Guttmann, former CISO, Coca Cola, Time Warner, Campbell Soup Company and founder, CisoHive.

2. Shared responsibility is a term that means the “cloud people” will take care of it

The reason why belief no. 1 (set it and forget it) is so strong is because the shared responsibility model makes it easy to believe that “cloud people” will look after everything.

This is something “I run into in almost every cloud discussion I have – the misunderstanding of the shared responsibility model,” said Brett Conlon, CISO, American Century Investments.

“You cannot outsource your responsibility for data protection and the impact of any data breach,” said cybersecurity writer Anastasios Arampatzis (@TassosAramp) of Bora, “Businesses are responsible for protecting all the data they store in the cloud.”

“An inherent opaqueness to service providers’ ’digital moat‘-mentality has impeded the kind of openness possible with more distributed (less centralized) compute models,” said Davi Ottenheimer, vp, digital trust and ethics, Inrupt.

Kathleen Mullin, former CISO, Cancer Treatment Centers of America, agreed. Cloud users need to understand what the cloud providers are responsible for, what they might be willing to take additional responsibility for (for a fee). And what the customer needs to manage.”

3. SaaS and cloud are the same

For many organizations, a single cloud strategy is not always enough. When you have figured out how to secure AWS, for example, there may be other cloud SaaS providers to consider as well. Cloud and SaaS are two different animals.

“There’s a constant confusion between SaaS and public cloud virtualization,” said Truitt of Mazars,
“They are very different and require different configurations, designs, and responsibilities between the vendor and the data/system owner.”

“Many, if not most, vulnerabilities happen at higher layers than infrastructure,” Johna Till Johnson, CEO, Nemertes offered. “If you’re using infrastructure as a service or platform as a service (IaaS or PaaS), the onus is on you, not the cloud provider, to protect your applications.”

4. Cloud is cheaper

The idea that “cloud is cheaper than on-premise has never been true,” said Patrick Benoit (@patrickbenoit), global CISO, Brinks.

 “Moving to the cloud can cost you dearly,” said Patti Titus (@RUSecur), chief privacy and information security officer, Markel, “Not just the amount of money you’ll spend while you manage two, sometimes three different environments, but what you’ll pay if you have poor governance for your cloud instance.”

“Going to the cloud is about being agile; able to adapt more quickly to business needs. If you’re doing cloud then expect costs to go up and security costs to go up as well as the need to retool to meet those agile needs,” said Benjamin Sapiro, Security Executive.

“Scaling data storage and computing capabilities is now easier than ever in the cloud, which can be quite tempting for security teams, who often want to receive all the logs from all systems and keep logs forever, continuously growing storage and computing costs at an alarming and unsustainable rate,” said Jesse Whaley (@jbit4n6), CISO, Amtrak. “Organizations need a strategy around how they will use cloud environments to include controls around who can make changes and set limits to prevent cost overrun.”

5. There’s just one cloud to rule them all

The idea of moving to a single cloud was a good one, in theory. But then different groups within an organization start asking for different clouds that serve different purposes. This leads the need for a multicloud approach which in turn makes it impossible to use any cloud vendors’ native security tools.

“Multicloud does not mean being cloud-agnostic,” said Andy Ellis (@csoandy) advisory CISO, Orca Security, “What is true is that multicloud means ‘using different clouds for different apps, and you have to deal with configuring cross-cloud permissions when neither cloud really wants you to ever use another cloud.'”

“When people think cloud, they often think that workloads are isolated from the control plane (the part of the cloud infrastructure that manages all of your workloads, which includes not only things like hypervisors, but also the access rights between parts of your cloud infrastructure). Not only are there occasional vulnerabilities where workloads can do unpleasant things, workloads are often given permissions to directly interact with the control plane (although hopefully only your control plane, and not everyone’s),” said Yoav Alon (@yoavalon), CTO, Orca Security.

6. Your data is being managed by the big clouds

“It’s no longer safe to assume your customer data is only being processed in your production environment and Google Workspace/Microsoft 365,” said Bryan Zimmer, head of security, Gretel.ai. “You need to track it across other platforms like Jira, Slack, Sendgrid, and so on. Not only is it a good idea to know where all your customer data is in these platforms, it’s also the law under GDPR since they’re considered sub-processors.” Nemertes’ Till Johnson drove home the point: “CISOs beware! You can outsource your workloads to cloud, but you can’t outsource your responsibility for securing them!”

7. The cloud is more secure than on prem

“This was never true,” said Matt Chiodi (@mattchiodi), chief trust officer, Cerby. “If you haven’t adopted a model like the NIST CSF, you will get bitten in the cloud and on-premise. It’s all about the model you use and how you continually monitor your model’s performance over time.”

The issue is one of scale and breadth, suggested Shawn Bowen (@smbowen), CISO, World Fuel Services, “Yes, the cloud service providers make the cloud a much more secure option. But because a developer/engineer makes a mistake such as misconfiguration, poor cyber hygiene has a much quicker and larger impact, that means the teams need to be even better at integrating good security practices earlier in their processes.”

Although it’s often said that cloud providers have more security resources than you, that won’t help with your specific problems.

”Security is a result of process more than technology. Cloud providers generally have decent processes, but no more than that. Operating at scale means having a mass of complex processes,” said Nemertes’ Till Johnson.

8. On prem is more secure than being in the cloud

Ironically, both arguments about which one is more secure (cloud or on-prem) are often made as blanket statements.

“To say that the cloud is riskier than your own physical data centers or that the cloud is harder to secure than your own physical data centers are solidly not true anymore if you know how to operate in CSPs and have the right tooling and people, “ said Quincy Castro, CISO, Redis.

“Bad actors can infiltrate anything they want whether it’s cloud or on premise,” said David Ratner (@davidhratner), CEO, HYAS. “Infrastructure, whether on-premise or in the cloud, is not necessarily secure by default. Organizations have an inherent responsibility to implement, configure, and deploy infrastructure securely,“ said Amtrak’s Whaley. “Additionally, organizations need to monitor and manage the security posture of their infrastructure over time to detect changes that may make their environments less secure.”

9. Lift-and-shift is the best way

“It is no longer only a digital transformation,” said Guttman of CisoHive. “We are now far enough along that companies have no on-premise and have started their business in the cloud. This is called ‘start left’ vs shift left. Marnie Wilking, CISO, Booking.com added, “even if you’ve done a lift-and-shift, I strongly recommend looking at cloud-native and cloud-forward tools.”

10. I have better visibility into my on-premise environment than cloud

“As people have grown through M&A and various changing DevOps teams, often they have more blind spots across their on-premise environments, like forgotten machines, misplaced environments, and legacy environments that were not properly shut down,” said HYAS’ Ratner. “Solutions exist across cloud, multi-cloud, self-hosted and hybrid cloud environments to ensure complete visibility and observability independent of the environment.”

11. Misconfiguration is the problem

Some CISOs may feel that cloud security is no longer easy or cheap, and has become too complex, resulting in breaches happening because of misconfiguration rather than the lack of a specific security product or design failure. But Sandy Dunn (@subzer0girl), CISO, Shadowscape, pointed out how Gartner’s 2021 Hype Cycle for Cloud Security specifically states that “more than 99% of cloud breaches will be traced back to preventable misconfigurations or mistakes by end users.”

But that depends on how well prepared we are for taking responsibility for our presence on the cloud:

“The cloud offers us scale and security, only if we choose to take advantage of it and set it up properly and with purpose,” said Conlon of American Century Investments. “The thought that the cloud does this for you is one of the largest reasons we have so many cloud misconfigurations.”

12. MFA is the solution

“Many organizations believe if they are using MFA, a user cannot be compromised, phished or session hijacked,” said David Cross (@MrDBCross), svp, CISO, Oracle SaaS Cloud. “MFA is an additional condition that reduces risks and increases complexity for attackers to overcome, but it is not foolproof.” This can be seen in the numerous news stories in which people have been phished to give up their second factor, or where threat actors run  business email compromise (BEC) campaigns to bypass MFA.

13. You must change your password regularly, and make it long, and complex

NIST came clean a few years ago and noted you don’t have to change your password. However, everybody (mostly) continues to force passwords with crazy character combos (also not required). The most difficult to change are the auditors and customers who still ask for a frequent password change interval,” said Mark Eggleston (@meggleston), CISO, CSC.

14. Test and staging can run in lite mode

“Here is one I like to keep harping on,” said Oracle SaaS Cloud’s Cross: “’Test and staging systems are not production and do not need the same expensive controls and restrictions that slows down development and DevOps.’ The truth is, these systems, when they have limited controls, are consistently the target for attackers to quickly gain a beachhead and then laterally move into production.”

15. Companies have sufficiently prioritized cloud security

Alberto Silveira (@asilveir81), head of engineering, Lawnstarter, stated that the biggest challenge he has with cloud security is it lacks proper prioritization. This makes it difficult for security departments to be proactive. He compares cloud security to doing the dishes in a restaurant – an important activity but not a direct revenue stream. As such it gets forgotten until a problem becomes too big and expensive.”

16. Cloud security is the security department’s problem, not mine

“Cloud security might have been a ’security‘ problem five years ago, but now it’s a business problem,” said Brian Olearczyk, chief revenue officer, OwnBackup.“ The pendulum has now shifted from innovation at ’all‘ costs to ’secure innovation‘ or ’innovation at lightspeed, securely‘ with the cloud. This shift is forcing the line of business to co-own the cloud security problem.”

17. Cloud security is different from on-prem

“A key thing that just isn’t true is that the cloud is different from the local network,” said Shadowscape’s Dunn. “All of your policy, procedures, and standards should be comprehensive across the organization and should reflect its application in all environments.”

18. You can just “add on” security

“The emergence of Zero Trust and the inclusion of security in conversations about Secure Access Security Edge and Security Service Edge have led to a shift in approach, with security being considered much earlier in the discussion of business solutions,” said Shadowscape’s Dunn. “As a result, new business capabilities are now designed with security as a default feature.”

19. Cloud is simple

“While it’s easy to get started in the cloud, it’s complicated to get right and secure. There are a lot of ways to screw up cloud security,” said Ed Covert (@ebcovert3), head of cyber risk engineering, Bowhead Specialty.

20. Cloud is about storing and processing data

Cloud is also responsible for sharing and transferring your data, which means data in transit. “Scanning all images for vulnerabilities used to be considered a must-do part of vulnerability management, with modern applications having a large number of highly ephemeral container images with a lifespan of minutes not hours,” said Stephen Giguere (@_SteveGiguere_), developer advocate, Bridgecrew. “The real risk is with images in transit through the pipeline that need to be scanned as early as possible to distribute the vulnerability management effort and minimize the more costly runtime effort.”

21. You gotta have the certs to work in the cloud

“The truth is a lot of people can study, take a test, and pass it. Additionally, there are people with learning disabilities that have a tough time with this. Just because someone does or doesn’t have a certification(s) is no reflection of their capability to be in a cybersecurity job,” said Scott McCormick, former CISO, Foursquare. Many cloud companies offer internal free training to build out the skills of their people once they have been hired, or refer their hires to courses offered by Microsoft or Google, showing that demand for cloud security talent remains high.

22. Developers are secondary to the cloud security process

“People love the freedom and flexibility of deploying to the cloud, but with great power comes great responsibility,” said Julie Tsai (@446688), limited partner, Rain Capital Management. “Once you have the power to quickly release new services to the public, you also have the duty of care to ensure they are as secure as they can be. Developers launching apps in the cloud must put on their security and system administrator caps to determine what network traffic can come in and out of the app. What other tenants may be sharing network, data, and filesystem space? What users will be using the app, accessing the API, logging into systems? What passwords and secret credentials are being used and how are they being managed? Have all defaults been changed? How might malicious attackers use packages and data on the systems in unexpected ways? Do you know what data is coming in and out?”

23. Cloud is somebody else’s computer

The most well-worn myth of all is that the cloud is somebody else’s computer. “This is partially true,” said Bora’s Arampatzis, but “the cloud can also be your computer in cases of private cloud deployments.” He added that the bigger problem may be that a lack of understanding of what a cloud is “can mean that people do nothing to educate themselves and their teams on the benefits, risks, and challenges of cloud computing technology.”

Conclusion: Let business decisions, not common tropes, lead your cloud effort

Once people accept industry buzzwords and tropes into common parlance, these tropes tend to lose their edge, and people stop questioning what they mean. Many of these cloud myths still hold true in the minds of people at all levels of an organization because once the edge has gone, a set of established facts or principles tend to settle in for the long term, and critical thinking stops. You have business objectives and the cloud can help you get you there. There are just a lot of decisions to be made to do it quickly with a competitive edge.

“I think the big myth that people get wrong is that ’cloud security is different from traditional information security.’ We continue to see the same types of vulnerabilities and misconfigurations in the cloud that we were all taught when things were only on prem, such as lack of segmentation, shadow IT, publicly facing services that nobody is monitoring or knows about, lack of MFA, and credential reuse,” said Josh Mason (@joshua17sc), cybersecurity consultant, and instructor, Neuvik Solutions. For example, noted Mason, “We just finished an external pentest and cracked the AWS bucket and an on prem SQL database with the same guessed credentials that were similar to breached credentials we found. The account belonged to someone who wasn’t even at the company anymore. Sound familiar? That’s how they got into Colonial Pipeline.”

Got feedback? Do you have other pieces of wisdom about cloud security to add? Join the discussion on LinkedIn.

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.