Jonathan Jaffe, CISO at Lemonade and Andras Cser, vice president and principal analyst at Forrester, discuss the demands of large-scale, multi-cloud deployments and cloud security complexity

Just a few years ago, the cloud was viewed by many as an experiment. Today, organizations have moved beyond trials and proof-of-concept. Enterprises are no longer pondering if or when to move to the cloud, but how’? The cloud is now central to most enterprises’ IT strategy.

The cloud promised and delivered many things: ubiquity, availability, reliability, and scalability. It has also provided simplicity while making compute, network, and storage resources available in minutes with just a few keystrokes.

Migration to the cloud has also brought a degree of unanticipated intricacies, especially when it comes to cloud security complexity. But what does such complexity infer? Does it require a fresh approach?

The answer is yes, according to Andras Cser, vice president and principal analyst at Forrester, and Jonathan Jaffe, CISO at Lemonade. They both recently addressed cloud security complexity and how organizations are evolving to meet the demands of large-scale, multi-cloud deployments. You can watch the entire webinar on-demand and read the highlights below.

The Analyst’s Perspective – Andras Cser, Forrester

Cser thinks it’s a tumultuous time right now in the cloud. One of the biggest challenges he sees is transition. “Five or ten years ago the conversations were, ‘Should we, or should we not move to the cloud? Should we stay on the sidelines and watch what’s going on, or should we jump in?’ Today it’s not a matter of ‘should we,’ but rather ‘How?’”

He says the cloud pulls CISOs in different directions and forces them to think about many aspects, including:

• Lower cost – The cloud offers many excellent benefits: rightsizing, downsizing, scalability, elasticity, and a relatively lower cost of security. Cser estimates if you use cloud-based workloads, the cost of protecting them is 30% less compared to on-premises or private cloud.
• Line of businesses procuring cloud services can cause blind spots – VPs often approve departmental expenses for some kind of cloud services, but then no one knows where they are, what data they contain, how they’re operated, or what security holes might exist.
• CISOs cannot say no all the time – CISOs have to be enablers because they have to work with DevOps, cloud compliance, cloud orchestration, cloud architecture, and security platform teams. They can’t just say, ‘Oh, well, we can’t go to the cloud,’ then block the entire transition.
• The cloud changes all the time – This is a massive problem. Even if one decides to check all the boxes and secure everything, chances are that developers are finding ways to onboard new services that also have to be secured. Many times, this is not possible.
• Regulatory compliance is unrelenting – With HIPAA, GLBA, SOC, ISO, and country-specific mandates, regulations change nonstop. Few can keep up on their own. For end-user organizations, vendors increasingly provide best practices and policy templates to meet such regulatory requirements.
• Agent-based security versus agentless – Some organizations want agents; others don’t. We’re seeing an increasing number of organizations say, ‘Look, there’s this sprawl of agents; let’s try to centralize, unify, and consolidate those agent frameworks.’ And that is very hard to do.

Cser emphasizes the balancing act CISOs need to achieve to increase cloud security while reducing cloud security complexity. “There has been a 100% increase in the number and complexity of all security controls that infrastructure-as-a-service platforms such as AWS, Azure, GCP, IBM, and others provide.” But the onus still falls on their customer organizations to secure their own workloads because of shared security models.

Lemonade CISO Jonathan Jaffe Discovers Agents Aren’t Providing Protection for 25% of Assets

Cloud security veteran Jonathan Jaffe is chief information security officer at Lemonade, a company providing renter, homeowner, pet, and life insurance in the US and Europe. Lemonade, an insurance innovator, was born in the cloud. Jaffe cites this as a competitive advantage that helped create efficiencies to serve a large customer base and pass those efficiencies on in the form of competitive rates.

“In a cloud environment, there is always complexity. By its nature, it’s hard to secure, especially when things are multiplying and changing,” says Jaffe. “Executing 100 different deployments a day is a lot of movement in a live system, and it can be tough to secure.”

Finding and Securing Assets Other Products Missed

Lemonade initially tried an agent-based solution. “I was convinced that agents were good. If you install them comprehensively, you’re going to get really high fidelity. So we elected to go with Lacework.” Having run it for about a year, he and his team ran into problems: too many alerts, too many false positives, and too much time chasing down issues that were not priorities. And he had assumed Lemonade had full coverage with its Lacework deployment.

When Orca debuted its SideScanning technology, Jaffe agreed to a proof of concept.

At first skeptical of Orca’s results, Jaffe says, “I spent a couple of days with DevOps. It found that the staging developers were bringing systems up and down and weren’t using the manifest that DevOps created. What Orca had reported was true, making me realize the value it brings.”

Orca SideScanning – Increasing Cloud Security While Reducing Cloud Security Complexity

Modern cloud architecture dictates that block storage be separate from the live runtime environment, and Orca Security takes full advantage of this.

Rather than integrate with individual workloads, SideScanning reads all workloads at once directly from shared storage. The result provides immediate visibility into all cloud assets without any performance impact.

How it works:

• Orca runs as a SaaS service with read-only access to your AWS, Azure, and/or GCP workloads’ runtime block storage.
• It reconstructs the bits and bytes from the snapshot data to construct a virtual, read-only view of the operating systems, applications, and data – then scans it all for vulnerabilities and risks.
• SideScanning reads the environment metadata, putting alerts in context according to the real attack surfaces; this differs from the machine-by-machine approach used by agents. This permits Orca to prioritize those few alerts that matter most.
• SideScanning automatically discovers every asset in your environment, providing immediate visibility into compromised resources, vulnerabilities, malware, and misconfigurations.
• Because SideScanning goes beyond individual machines to see the entire range of cloud assets, customers can see which risks are critical to their organization.

Orca Security’s revolutionary approach to cloud security – versus yesterday’s on-premise security tools cobbled together to address cloud migrations – is a real game-changer.

Managing Multi-Cloud Deployments While Reducing Cloud Security Complexity

Forrester and Lemonade agree the scale of cloud deployments, plus the changing nature of the cloud, makes securing it a Herculean task. Jaffe summarized it best by saying, “Lemonade is an interesting company in terms of technology and scale. The problem with that is the resulting complexity; this is what ultimately brought us to Orca. It proved its worth in just a few minutes.”

A new breed of cloud security has arrived.