Jan 10, 2022
First, we asked our panel of cybersecurity experts to tell us their best cloud compliance strategies for 2022.
Now we’re back to the well to get their take on the things you should avoid in your cloud security and compliance program in 2022.
“Avoid excessive data collection and storage. The principles of data minimization are more important than ever as data breaches are occurring at unprecedented rates. The old adage of ‘you can’t lose what you don’t have’ has never been truer, and it’s a practical, easily implemented, and privacy-first approach every organization should practice.”
“The first thing organizations must not do in 2022 is treat their cloud environment as a mere extension of their on-premises environment. Doing so will result in an ineffective, high-cost security strategy that misses the mark. Public cloud is far more complex and dynamic than on-premises environments, and must be secured in a completely different way.
The second thing organizations must not do is manage cloud security by looking at risk areas such as misconfigurations, vulnerabilities, and identity and access management as separate issues. It is only when you look at risks holistically that you can see how seemingly unrelated issues can be combined to create dangerous attack vectors and quickly identify the truly critical risks that affect your overall posture.”
“Never rely solely on 1990s security principles, architectures, and frameworks however comforting they can be. But who am I kidding? Many organizations — especially where security is driven by compliance — do rely on the 20-30-year-old practices that, frankly, don’t fit today’s cloud-native, digital world. So, my ‘one thing to not do’ is a bit tongue in cheek, but it does point at the need to evolve security and compliance alongside IT and business evolution.”
“Don’t plan. The goal should be to meet with key stakeholders – including security, operations, engineering, legal, finance, etc. – to understand compliance requirements and the work required across teams. Then, you can make a plan that you can execute so you don’t have to scramble to meet regulations or get bogged down with point-in-time audits that will torture your teams.”
“Don’t turn on your application. If you must turn your application on, then the next mistake is to assume you have a complete view of your cloud resources.
If you use an agent-based system, you must assume you are missing visibility of no less than 20% of your resources. It’s guaranteed. You have developers who bring up resources in non-production environments and don’t use the Docker images from DevOps. It’s guaranteed your developers are not including your agent in their builds. This means you don’t have agents on many, or even most, of your resources. In other words, you are fully exposed.
If you use an agentless solution, your next concern should be whether DevOps and Development are sandbagging: They are hiding the real vulnerability risk from you. They tell you they apply patches regularly. They do not. Get a visibility service to prove to them they are not patching vulnerabilities. Usually, they simply don’t know they are behind because they are too busy to pay attention.”
“Never act as though security and compliance failures will not happen to your organization’s use of IT services. Never believe that your organization will not be hit by ransomware or that you will not suffer a data breach. Never base your business continuity plan on the assumption that a business-critical cloud service will provide 100% availability. Never fail to limit privileged access to all IT services, including cloud. Never assume that your application code is free from exploitable vulnerabilities. Never fail to control the network traffic within your cloud services as well as to and from them. Never believe that because the cloud service is certified or attested to be compliant that this means your use of the service satisfies your compliance obligations. Never trust the encryption provided by a cloud service unless you keep control over the encryption keys.”
“The one thing to not do is stay manual and slow. It’s 2022! Public clouds are becoming more complex than ever, automation is taking over and with a blink of an eye, scale goes from manageable to nightmarish. If you rely on manual, slow processes to keep your cloud secure and compliant, you’re bringing a knife to a gunfight. It might already be too late.”
“Multi-cloud is here to stay and likely to be more common throughout 2022. Trying to tackle all the three or more cloud service providers you may have in your organization without a team that is trained in each of the cloud service providers will be really hard. Invest in a team with at least one or more individuals with the skill sets of each of the cloud service providers you have in your organization. Security and compliance will not work without the right team.”
“Risk avoidance or not prioritizing cloud security. Make sure your investments in cloud security and compliance keep pace with your cloud migrations, expansions, or multi-cloud strategy. If you have a limited budget, start with native tooling and services, then push for proportional increases in your cloud security budget as your cloud infrastructure grows.”
“In the spirit of zero trust, never trust and always verify. Adopting a zero-trust approach to cloud security may be a more arduous approach to begin with but will pay dividends in the long run because it is a proactive approach that can reduce your attack surface even before workloads have gone into the production environment.”
“Organizations should not view cloud security as a one-time effort and avoid adopting a ‘task-based’ approach. For instance, thinking, “If we just clean up our privileged roles we’ll be safe,” or, “If we secure our public buckets we won’t be breached,” is a narrow view and could result in more important issues being overlooked. Organizations can improve their cloud security posture when they start to think about cloud security as a continuous effort and focus on the process rather than individual tasks. Using tools that can provide the ‘bigger picture’ along with effective mitigation instructions for detected risks, allows teams to focus on top priority items and address risk as part of ongoing efforts, which is key to a robust cloud security posture.”
“Never forget that you may outsource the work but never the risk. The increasing pace of security exposures, scarcity of cybersecurity professionals, and technology sprawl places demands on organizations that exceed their capacity. Most turn to some sort of outsourcing through service providers, contractors, or technology partners. Using SLAs, continuous monitoring, and personal relationships, enterprises must never fail to govern these external teams just as they would an internal team. In 2022, we’ll see enterprises suffer the consequences of breaches because they trusted an outsourced provider but failed to verify and govern.”
“Don’t just assume that because you wrote a policy, you’re covered. Too many security controls fail because they aren’t well implemented across your entire organization, and if you’re not a cloud-native company, then it’s quite possible that your existing (legacy) policies are only applied in your data centers. Make sure the scope of all of your controls actually includes the cloud.”