What are the moves we should be making in the cloud to improve our security? What constitutes a good cloud security posture?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. We welcome our sponsored guest Yoav Alon, CTO, Orca Security.
Related to this episode, please also check out Steve Prentice’s article, “23 Beliefs About Cloud Security That Are Just Not True (Anymore).”
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Orca Security
[David Spark] What are the moves we should be making in cloud to improve our security? And heck, what constitutes a good cloud security posture?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. Joining me for this episode on Defense in Depth, do not be confused, people, it’s Andy Ellis. He’s the operating partner at YL Ventures. Andy, say hello to our audience.
[Andy Ellis] Hello, David. I’m confused because you’ve got a box on your mic that says CISO Series.
[David Spark] I know. But the CISO Series is the name of the brand although the red logo refers to the podcast.
[Andy Ellis] Podcast.
[David Spark] We have a blue, a sort of a teal color that refers to the whole brand.
[Andy Ellis] Yep.
[David Spark] It’s all very confusing right now.
[Andy Ellis] Very confusing.
[David Spark] But the audience doesn’t see that right now. What they are seeing is probably the road if they’re driving…
[Andy Ellis] Pay attention to that.
[David Spark] …or walking around. Who knows what they’re seeing right now, but they’re not seeing this at this moment. I do want to mention our sponsor for today. That is Orca Security. Quickly discover, identify, and remediate cloud risks to keep your business secure. And what do you know? We’re going to be talking about that on today’s show. So, Andy, let me set this up for you. We’re tackling a very broad subject on our show today, so I asked on LinkedIn, “What is just one successful move you’ve made in your cloud security efforts?” And given this question and the variety of answers, I’m going to subtitle this episode the Whitman’s Sampler of cloud security initiatives.
[Andy Ellis] [Laughter]
[David Spark] Because there is a lot going on here, and I know we’re trying to bite off more than we can chew in just one episode, Andy, but from the nearly 100 responses we got on this, what is the overarching theme you saw from the community’s advice?
[Andy Ellis] So, really hard to come down to only one thing, so it’s a three-part answer for me.
[David Spark] Sure.
[Andy Ellis] Which is it’s your basic blocking and tackling. You’ve got to know the basics of what you’re going to do, you’ve got to be able to do that consistently and at scale. So, sort of those three pieces. You have to understand that cloud is this big, massive thing, that it’s a little different from enterprise but it shares a lot in common. And you have to know that you’re being consistent because if you are not consistent, you’re just going to discover lots of problems in lots of places that you weren’t aware of until something bad happened.
[David Spark] That’s a good point. And it’s kind of scary to try to tackle a topic this large in such a short show, but I think what makes this a valuable conversation is it allows you to have that sort of initial conversation about cloud security, and that’s what I’m hoping we’ll be able to achieve out of this. Not answering all your problems but get a sort of wrap your arms around the concept. What do you say, yes?
[Andy Ellis] Right, get the starters for you and similar to – I used blocking and tackling as my example – blocking is complicated, and tackling is complicated, but we use simple words to say, “Hey, get started on these practices.” And I think people will see in the quotes here a lot of folks gave very simple words that are very complex in execution.
[David Spark] Now we have an expert to come on, you’re an expert as well, and I want to disclose to our audience that you do actually do work for Orca Security as well, on top of working at YL Ventures.
[Andy Ellis] Yep. I’m also the advisory CISO there.
[David Spark] Yes. And we have an awesome sponsored guest to join us today. He is the CTO of Orca Security, it is Yoav Alon. Yoav, thank you so much for joining us.
[Yoav Alon] Thank you for letting me join.
How do I start?
[David Spark] Henrik Parkkinen of Onevinn AB said, “Establish security governance. Treat your cloud services according to sound and good security principles. Manage them through their life cycle with the help of your security governance process.” And J. David Christensen, CISO over at PlanSource, said, “Cloud governance helps minimize sprawl that can lead to unknown risks.” These are just good basic advice of what we’re trying to achieve on this episode of what is your plan for cloud. Yes, Andy?
[Andy Ellis] It is but I think what I really like about these is when you have a data center, it’s totally okay if you just walk in and say, “Look, I’m just going to secure one rack at a time,” and eventually you’ll fill up your whole data center. And so you don’t really need to think about how to govern your data center because you can do it incrementally.
[David Spark] Mm-hmm.
[Andy Ellis] Cloud doesn’t have that feature. It can grow faster than you can do the work, and so if you don’t have a governance plan that’s going to get you to the end, you’re probably going to discover that you are digging yourself deeper and deeper into a hole by going too deep in very narrow assets [Phonetic 00:04:49].
[David Spark] That’s a really good point of this is going to grow faster than you expect it. It is not adding a rack.
[Andy Ellis] Yep, yep.
[David Spark] Yoav, what’s your say on governance?
[Yoav Alon] So, I think good governance starts with understanding all your workloads, as Andy said. It’s essentially starting with asset management, getting full visibility and full inventory of your cloud. It’s easier in cloud because cloud provides you the APIs to do that, and from there you can start building governance using policies and other tools.
[David Spark] Is there an aspect of governance that many miss, specifically for cloud? Maybe they were only living in the on-premise world and when they went over to cloud, they missed something big. Yoav?
[Yoav Alon] So, cloud allows you to do most of the governance inventory things automatically, you can just get a list of everything right now, which is not something that you could do in seconds in the on-prem world. Moving to cloud enables that.
[David Spark] Andy?
[Andy Ellis] When you move to cloud, you sometimes bring your mindset of enterprise, and so you think about identities as being objects that live on a machine rather than machines themselves sometimes being identities. And in the cloud, workloads have permissions. It took me a long time to sort of wrap my head around that, that I wasn’t necessarily securing the authentication because the authentication is the workload itself. There’s this authorization hook within the cloud that isn’t tied to an authenticator, which for me actually broke my brain for a while, and I’m still wrapping my head around it.
[David Spark] So, break that down for us. The authentication sort of mindset that is in the cloud.
[Andy Ellis] You can give a workload permission to make calls into AWS and it has AWS forms of access that isn’t… There’s an SSH identity or a password that has it, which is how we think about access control in the enterprise world. We separate authentication and authorization. Whereas in the cloud, the workload is the authenticated entity because the cloud knows who it is already.
[David Spark] Yoav?
[Yoav Alon] I agree. The authentication part is where workloads have trust models where they can just give, “I’m trusting this workload to do something.” It breaks apart the authentication piece, so you just start with authorization.
How do we handle this?
[David Spark] Jonathan Waldrop of Insight Global said, “Perform periodic access and permission reviews. Account and permission sprawl is a real challenge and presents a huge security risk.” And J. David Christensen, again, of PlanSource said, “Cloud identity and access management, no matter how many security controls you have in place for your cloud environment, improperly defined IAM can be exploited to overcome most if not all of them.” And lastly Tim Maliyil of AlertBoot said, “Make sure our apps and services use access accounts with the least amount of privilege necessary to do the respective job.” So, we hear this authentication of individuals all the time and we hear that permissions get exposed a great deal. And per J. David Christensen’s comment, I mean, if you blow this forget everything else. Yes, Yoav?
[Yoav Alon] So, I have to push back a little bit. I agree with the basic premise where a common identity’s a real problem but doing permission reviews does not scale to cloud. I believe that throwing around spreadsheets with permissions on them and trying to get someone to say if it’s okay or not is not the way to do it in the space where it’s mostly dynamic, and machines also have identities, not just users.
[David Spark] Right. Oh, yeah.
[Yoav Alon] In addition to that, I think it’s a systemic problem which we definitely have to deal with. Another thing is that being least privilege, meaning giving the minimum permissions that are required to do any piece of work that you need to do is maximum effort. It really, really requires you do a lot of work to just define the narrowest scope of things and it doesn’t also scale for large environments. Large environments are dynamic. People need to pop in and out of positions and you need to be able to handle that without stopping the business.
[David Spark] That’s a super good point and I like that line – least privilege is the maximum amount of effort if you go extreme. Andy?
[Andy Ellis] Yep. So, I’ve started to think about how do you measure utilization as a way of getting towards access rights management, which is if I consider a grant to be the unit of a person or a machine that has access to do a thing, I count how many grants I have and I count how many are being used. And that gives me some measure towards least privilege. I’m a fan of thinking of least privilege as this destination on the horizon that you want to take the easy steps toward, but maybe you don’t want to cross the desert of totally fine graining it. But if you have 50 accounts that have AWS full admin permissions and only one of them is using them, that’s a quick and easy win of eliminate the other 49 from this one thing. And that might be 50% of your risk just went away because you took away a huge swath of permissions from a huge group of people and maybe you’ve still got like five people who have slightly overbroad permissions. But you got rid of 49 people with wicked overbroad permissions.
[David Spark] So, what I’m also hearing is there is a diminishing rate of return on least privilege management. Yes, Yoav?
[Yoav Alon] Definitely. Doing everything to the extreme has diminishing returns. We don’t take anything else in our cloud or in our lives to those extremes. If you go to the gym and you lift 500 pounds, doing the 510 pounds is harder than doing 0 to 500 pounds of dead lift. So, everything in life has diminishing returns in that sense.
Sponsor – Orca Security
[David Spark] Yoav, how long has Orca Security been around?
[Yoav Alon] Orca’s been around for four years.
[David Spark] All right. I want you to think back and think about what Orca Security was in that first year and where it is now. Tell me, what has been the greatest change in the cloud security business you’ve seen? I guess over the past three-plus years.
[Yoav Alon] So, the cloud has grown tremendously in those three years. The amount of attack surface that the cloud has just exponentially grew. When I joined Orca, AWS had 100 services, now it has more than 260 services, and we’ve seen the same tremendous growth in the amount of people joining in the space. The problem is that the demand is so big and security experience, security practitioners in the cloud are in very short demand, and it makes the entire challenge of building your cloud security organization and practices very hard.
[David Spark] So, what are you doing now in cloud security with Orca that you simply were not doing or doing to a minimal extent three years ago?
[Yoav Alon] So, we have expanded our support to many other clouds including ones that are not very common. We’ve added a very comprehensive data security piece where we analyze and show you where the data is and not just which one has access to it. And we’ve given you a lot of information around API security and a lot more data around shifting the workloads left. So, giving you tools and governance around to your developers and to build the governance tools to prevent issues from getting to production.
[David Spark] Excellent. Well, I want to mention to our audience who’s not as familiar with Orca Security, let me give them a little information about Orca. So, Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. Orca makes cloud security possible for enterprises moving to and scaling in the cloud with its patented SideScanning technology and Unified Data Model. The Orca Cloud Security Platform delivers the most comprehensive coverage and visibility of all risks across the cloud. So, with continuous first-to-market innovations and expertise, the Orca platform ensures security teams quickly identify and remediate risks to keep their businesses secure. You connect your first account in minutes by visiting their site, it’s just www.orca.security. There’s no dotcom here. It’s just orca.security. That’s all you need to do. And Orca’s spelled like the whale.
[Andy Ellis] It’s not a whale, it’s a dolphin. Sorry, I have to be very specific there.
[David Spark] Okay, it’s a dolphin.
[Andy Ellis] Yeah. Orcas are in the dolphin family. They’re called killer whales because they are whale killers.
[David Spark] Ah!
[Andy Ellis] That’s the actual origin of killer whale.
[David Spark] Now we know.
What should we be measuring?
[David Spark] Stu Hirst, CISO of Trustpilot, said, “Create a cloud-specific risk framework. What are the highest impact risks to our cloud environment and what controls/guardrails are currently in place and are they monitored/alerted on. That gave us the ‘why’ when it came to the delivery of improvements. Without it, it’s just chipping away at issues.” Jerich Beason, commercial CISO over at Capital One, said, “Built a dedicated Cloud SOC. The tools, skills, and playbooks are different in cloud environments and separating the traditional SOC – security operations center – from the cloud SOC made each function more effective.” So, Andy, I’m going to throw this to you. These are some interesting cloud… I like the idea of the cloud-specific framework and the cloud SOC. Do organizations actually do this?
[Andy Ellis] So, I think what organizations need to do is separate detailed metrics from high-level KPIs and measurements of effectiveness. Frank Kamresen [Phonetic 00:15:17] had something on LinkedIn where he showed the different languages between the technical layer and the executive layer, and I think it really fits in here. Which is you do want to measure your controls and are they individually working, but the real question you need to be able to talk at your board or your C-level executives with is how effective overall is our cloud security program. And you don’t do that by throwing up 75 metrics and asking them to try to read them and figure out what they all mean. You need to consolidate that into some measure both of effectiveness and of maturity.
[David Spark] Effectiveness and maturity. Which, by the way, I would also say would speak for the whole security program as well.
[Andy Ellis] Right. In order to find maturity for those who wonder like, “Why would you measure maturity?” Maturity is what happens when the executives stop looking.
[David Spark] Oh, they also stop asking, “How secure are we?”
[Andy Ellis] Right. If you stop asking the questions, how secure will you remain when people are like, “Oh, this is no longer a priority.” Maturity is what keeps you going.
[David Spark] So, this cloud-specific way of attacking it through frameworks, through SOC, Yoav, what does that bring to the organization?
[Yoav Alon] I would start by saying that creating a cloud-specific risk framework requires a lot of expertise. And going back to what Andy says about maturity and governance, when we were starting out, there are a lot of really good frameworks out there done by real professionals that you can just take and use it as it is and then go ahead and rework to meet your business needs. Otherwise, just starting from a very high bar of creating your own cloud framework could be very hard for organizations. For the metrics I would track if I were, I would track the ability for the IT process as a whole to make changes. Because most organizations have great tools for detecting the issues and great tools for finding what needs to be done but have a really hard time executing that at scale. And I think that when you go to measure something, I think you should be measuring your ability to deploy security changes while trusting that your security organization is telling you what to do and those being the right things, the most important things.
[David Spark] So, I want to double down what you said in the previous segment in this segment. You’re offering some realism around cloud security which I greatly appreciate, which is the “Yeah, you can do that if you have all the expertise in the world,” and “Yeah, you can do that but that’s going to take a ton of work.” And I like this idea of your security program should be what can we actually do easily, and non-experts do easily. Which seems to be the thing that’s holding a lot of people back. I’m going to toss this to you, Andy. Is that what holds a lot of people back in cloud is the feeling that they need expertise and that they can’t do it without expertise?
[Andy Ellis] Well, I think that’s a piece of it is it’s such this giant thing to tackle and it’s like where do you start. And I think what I liked Yoav said is like just measure one thing. Just take and go to CSA and grab their framework. If you have one you prefer, great, use that too. I’m not attached to any specific framework. I think of frameworks as being like if you go to a ride at an amusement park and there’s a little sign that says, “You must be at least this tall,” it doesn’t mean you’re going to be safe because you’re that tall. But you’re certainly unsafe if you’re not that tall. That’s what frameworks do for you. They help you get tall enough to be on the ride. So, pick one, and just start tackling it.
And if you run into a thing that you’re like, “I don’t know how to do this,” fortunately we have this thing called the internet, it’s very lovely, it will answer almost any question for you if you go to the right place. Find out how to do it. That could be using a cloud native tool to solve a problem. It could be using a vendor product to tell you how to solve the problem. There’s lots of different ways. And just start tackling through one by one and measure your efficacy, but Yoav’s point of measure how much it costs you to get a change done. Because if you’re spending way too much time fighting on one type of change, stop and move to the next thing. Because it might be that nobody believes you that that’s important. It might be that your IT organization can’t make changes. You should figure out which one so you can try to tackle those separately.
[Yoav Alon] Going back to what Andy says, the internet is real, but ChatGPT is also amazing. You can definitely reach out to it and ask questions, even on security and AWS compliance. It gives a pretty good answer, so try that.
What’s the best tool for the job?
[David Spark] Jarred White of Sente Security said, “Utilize native tools,” kind of what you were just referencing, Andy, “Where they’re already available. GitHub, AWS, and other services you may already be paying for have many native capabilities that can move the needle on security and quality.” And Darwin Salazar of Datadog said, “Develop a robust resource tagging strategy.” Ah, we hear this a lot. “Not only does it help with cost management but also the compliance, security accountability, and provides necessary context for prioritization of risks and threats.” And Darwin offers the following, “A few resource tags to consider enforcing are Team, Resource Owner, Environment, App Supported, and Data Types.” So, Darwin makes a really good point about tagging, but I do want to go back to Jarred’s comment here about leaning on the resources, the tools you’re probably already paying for like GitHub and AWS. Is that a good strategy right there, Yoav? It seems like it’d be appropriate, yes?
[Yoav Alon] Yeah, definitely taking advantage of the things that you bought and paid for is a great way to save money and actually start out with good basics. The only caveat or nuance I would add to that is it works as long as you have fairly small organizations. And if you think that your organization can use one tool specifically dedicated for, I don’t know, AWS, once you go past a certain point, you discover that you have stumbled into multicloud where your organization buys another organization, or that you have decided to merge with another one. And all of those things together requires you to go past the tools that are purpose-built for one platform and go to tools that are more generic and work on all platforms.
[David Spark] And I will just add we’ve heard this before, it’s an extremely good point, but tagging is tough, and a lot of people don’t do it. Yes, Andy? You’re nodding your head.
[Andy Ellis] So, what most people forget about because I love the first two tags which are Team and Resource Owner and I have to say what do you do when there’s a reorg or when somebody moves jobs or quits or someone new comes in.
[David Spark] Does that happen at companies?
[Andy Ellis] I hear it might happen once or twice. But unless you understand how to solve those problems upfront, think about just a step of indirection, which is imagine you have 75 resources that are part of Project Foo and what you really want to do is sort of have a tag that says, “This is Project Foo which has an indirection to who owns that.” So, you only have to update that indirection when Project Foo changes who its owner is instead of going in and changing 75 resources manually. That’s an example. You might do it a different way. But I think people don’t really think about how you manage tags. It’s not just a tag once and forget about it. Tags have to be maintained and managed to be useful.
[David Spark] That’s a very good point right there.
[David Spark] Well, that brings us to the very end of this show, and this is where I am going to ask both of you your favorite quote and why. And Yoav, I will begin with you. Which quote was your favorite and why?
[Yoav Alon] So, I’ll go back to Salazar’s quote. I think it’s simple. Everyone can start doing it. I think it enables a lot of cool things. You don’t have to think about all the scaling problems when you start but it’s definitely one of those things when you go big, you have to start managing it as any things at scale.
[David Spark] Let me ask you a question. Have you ever had a customer come to you that is already tagging and makes your life incredibly easy? Does that ever happen?
[Yoav Alon] Yes. And it enables a lot of things that are difficult otherwise. Like if you have a few organizations, business units that are sharing the same cloud or same VPC or even sharing the same machines, having tags that separate them allows us to give them tools to build different compliance suites or being able to route the alerts to the right people. It’s a really, really powerful tool when it starts. And I have to say from a billing perspective, being able to go to the engineering manager and tell him, “Hey, you’ve been neglecting your duties. Please do something with this cloud bill,” and not start like a murder mystery where who’s responsible for this resource. It’s a great way to start.
[David Spark] All right. That’s one of our good pieces of advice. Start tagging if you’re not already. Andy, your favorite quote and why.
[Andy Ellis] So, my favorite quote is not one that you picked, David.
[David Spark] Okay.
[Andy Ellis] Which is okay. But it’s a more general one which was Graham Freeman over at OpenSolar who said he convinced company leadership to demonstrate through their actions that it’s safe to make honest human mistakes and that we’ll work together as a team to resolve resulting problems. He then goes on to talk about all the benefits that this has. This is one of the most important things on your cloud journey. You are going to make mistakes as an organization, as a team, as individuals. And unless people see that it’s safe to acknowledge and admit to a mistake so that we can all get better, what you’re going to find is people are hiding their mistakes. So, one of the rules that I used to have that I loved was related, was when our internal developers found defects in software that they had written. Not third-party defects but their own. We let them set their own timeline for fixing it. We didn’t enforce this hard-coded, “Oh, my God. That’s critical. Drop everything and fix it.” Because we wanted them to feel safe admitting the mistakes and we were worried that if we made it painful, they would stop admitting mistakes and stop revealing that they had found these defects.
[David Spark] By the way, great solution to that problem because that’s always my concern. This goes outside of cloud security like with phishing tests where you hear this all the time, “If you made a mistake, just tell us. Trust me, you won’t get in trouble.” They say that but nobody really believes it.
[Andy Ellis] Right.
[David Spark] And that, by the way, a great solution to that as well. But let me throw this out. Everyone’s fear of making a mistake and admitting to it because they know that a cloud mistake can explode to a level that seems uncontrollable. My feeling is most people are like, “Yikes.” They don’t want to admit when they…
[Andy Ellis] But what’s worse than the admitted cloud mistake is the hidden cloud mistake. They might both explode but if I don’t know about it, then it’s definitely going to explode at some point. But if I know about it, hey, let’s go clean that up. Because we will find you. Like if you made the mistake and it’s already blown up, we’re going to figure out when we due diligence to figure out how this happened, we’ll know who triggered it. As soon as you know you triggered it, just say, “Hey, I triggered it. Let’s clean it up.” And then I’m a big fan of Nancy Leveson who’s a professor at MIT who studies complex systems, and she says – it’s my favorite quote – “Human error is a symptom of a system in need of redesign.”
[David Spark] Good line. Good line, I like that. All right. Well, we have come to the end of this very show. Yoav, that was phenomenal. Thank you so much. I love the bringing the realism to this very broad, tough subject. A huge thanks to your company Orca Security. For those people who do not know how to get there, you would just type in orca as in the large dolphin, not the whale, orca.security. That’s it, just orca.security. You’ll get there. Any suggestions for our audience? Are you hiring? Do you have an offer for our audience? What do you want to send them to?
[Yoav Alon] One of the things that we do is we offer a free risk assessment which is essentially you just plug in your details, and we’ll give you a report for your state. It’s a good way to see where you stand along a lot of metrics and it’s really easy to get started. It’s basically a sign-in sheet on our website and you get a lot of, lot of information. People who have not become Orca customers found it very helpful.
[David Spark] Now, let me just pause on that. This is something that we hear a lot of vendors offer and I don’t think enough people take them up on it because a lot of people are scared about what they’re going to find. And they always say, “Well, they’re going to find something and then I’m going to have to go fix it.” And going back to Andy’s comment earlier, better to find out a known problem than an unknown problem. So, take Yoav up on his offer to get that free assessment. You’re not going to be happy, like nothing comes back saying, “Oh, you’re perfect,” right? Nothing comes back like that. Well, you’re not going to be happy with it, happy to see that you’ve got problems. You’re going to be happy to know that you know what they are, and you have an action plan. What were you about to say, Yoav?
[Yoav Alon] What I want to say is that the most critical things, the worst nightmare scenarios, are usually very easily fixable. The highest, the most critical issues, people just come and do as quickly as possible, you can get very quick organization backing for those. The hard parts are everything that is not super critical. It’s the middle things where you have to build processes and tools. But if you think you’ll find something that is terrible, it will be very easy for you to get a lot of support to fix that.
[David Spark] Thank you very much, Yoav. That is great, great advice right there. Andy, do you have any closing comments on today’s show?
[Andy Ellis] It’s a hard challenge for folks. You’re moving into cloud security. You don’t know what every cloud brings. We didn’t even talk about multicloud today.
[David Spark] No. That’s a whole episode in itself.
[Andy Ellis] A whole episode, how we all thought multicloud was going to be we would build cloud agnostically and be able to move our workloads. And instead, you just bought another company and now you have a million workloads and a new cloud, and you don’t even know how to use that cloud. This is a hard problem but just start, start moving, and think about asset management in parallel to whatever your framework is. So, don’t wait till you know what all your assets are to get started. Get started on both of them in parallel. Build out your matrix. Make sure that you’re actually applying your controls to all of the places that need them.
[David Spark] Good advice. I want to thank our audience so much for all their continued support and for their contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at email@example.com. Thank you for listening to Defense in Depth.