IT Briefcase Exclusive Interview: Cloud Security Jiu-Jitsu
July 19, 2017

As businesses migrate to public, private or hybrid clouds, serious attention must be paid to cybersecurity. The anti-malware and network security strategies used for the last thirty years aren’t working in the cloud. According to Gartner’s March 2017 Market Guide for Cloud Workload Protection Platforms, 60% of server workloads will use application control in lieu of antivirus by 2019 — an increase from 30% in 2017. But what are the differences between traditional security strategies for endpoints and the tools needed for cloud-based applications and workloads? Lacework CEO Jack Kudale takes a look at the cloud security challenges.
- Q. Why are enterprises adopting the cloud at such a high rate and what are the major challenges faced when first adopting a cloud strategy?
A. First, the cloud is much easier to scale with changing demand. For many organizations, instant scalability is critical for business success. Second, today’s enterprises don’t want to own infrastructure. Hardware needs care and feeding, and investments quickly become obsolete. Finally, cloud-based solutions accelerate the pace of innovation because applications can roll out faster and with far less friction.
Simply lifting and shifting on-prem applications to the cloud won’t deliver the benefits organizations seek. Cloud transitions aren’t simply changes of venue, they’re changes in mindset. And the security mindset needs a reset.
- Q. Why do we need to reset how we think about cloud security?
A. For decades we’ve focused on protecting devices as they interact with a relatively stable and closely managed infrastructure. The behavior of these endpoints is incredibly complex: they can browse a universe of web sites, run spreadsheets and stream Netflix at 3 AM. We lean on network firewalls and perimeter defenses because the infrastructure is stable and they are easy to implement and maintain. Behavioral complexity at the endpoint drives complex rules, policies and signatures, but it’s doable when the machines you’re protecting change at “HR speed” (when someone gets hired or fired).
Cloud solutions turn this pattern on its head. Behaviorally, clouds are relatively simple: web servers dish up pages, APIs respond to requests, mobile backends respond to clients. It would be very odd for a cloud server to suddenly download a random video. Cloud infrastructure is far more complex and dynamic, supporting thousands of similar machines, processes, users, containers, applications, and network entities. And they come and go really fast. DevOps practices accelerate the pace so typical cloud solutions are only getting more dynamic.
- Q. How should security professionals adapt to the cloud?
A. Protection based on an anti-virus (or network) mindset has to give way to security that focuses on application behavior. Enterprises that try to lift-and-shift to the cloud often get blindsided when firewall rules, IPS policies, malware signatures, and server-centric licensing models explode in complexity. Unfortunately, this can result in significant cost overruns and security vulnerabilities.
Focusing on cloud behaviors can save the day because these behaviors are fairly consistent. If we can understand what each cloud entity is supposed to be doing, and spot when it does something out of the ordinary, we can deliver effective security without rules, policies and signatures.
- Q. That sounds promising, but is it really possible to benchmark application behaviors?
A. Five years ago, my answer would have been no. But with new machine learning and big data analytics tools at our disposal, we can do it. Cloud-hosted applications operate in predictable ways, and with today’s technologies we can automatically establish a baseline. With the baseline, we can easily spot abnormal cyberattack behavior.
Think about it this way: baselining implements the essential security principle of least privilege, which says that no entity should be allowed to do any more than it is meant to do. By limiting entity behavior to a very tight allowable corridor, attackers have a difficult time causing problems. The leash is just too tight. It’s a method that works with the fundamental way the cloud operates.
- Q. What role does Lacework technology play in cloud security?
A. We use machine learning to group cloud entities based on common behaviors, and create a baseline of normal behavior for these entities. With the baseline, analysis is presented to security staff in a way that is more meaningful, providing true actionable insights. Instead of spending hours correlating events from different systems, security engineering can rapidly identify anomalies and spend more time and energy remediating vulnerabilities. Lacework eliminates the reliance on labor-intensive policy and rule development and time-consuming log correlation activities.
We see ourselves as a vital part of a bigger picture. Cloud infrastructure is intricately complex and our commitment to seamlessly and natively integrate Lacework into the cloud fabric it secures simplifies what can be a very complicated process.
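The baselining approach Kudale describes in the two answers above (group cloud entities by the behavior they share, learn what each group normally does, then flag anything outside that corridor, such as a web server that suddenly downloads a video) as an added worked example. This is illustrative code written for this page, not Lacework's Polygraph; the hosts, processes and destinations in the log lines are constructed.

```python
# Behavioral baselining for cloud hosts (added example, not Lacework's code).
# Constructed log format: <timestamp> <host> <process> <dest_host>:<dest_port>
from collections import defaultdict

BASELINE_LOGS = """\
2017-07-19T10:00:01 web-01 nginx db-01:5432
2017-07-19T10:00:02 web-01 nginx cache-01:6379
2017-07-19T10:00:03 web-02 nginx db-01:5432
2017-07-19T10:00:04 web-02 nginx cache-01:6379
2017-07-19T10:00:05 api-01 gunicorn db-01:5432
2017-07-19T10:00:06 api-02 gunicorn db-01:5432
""".splitlines()

# Later traffic, including the "web server downloads a random video" case
# and a freshly autoscaled host that was never seen during baselining.
NEW_LOGS = """\
2017-07-20T03:00:01 web-01 nginx db-01:5432
2017-07-20T03:00:02 web-02 curl videocdn.example:443
2017-07-20T03:00:03 web-03 nginx cache-01:6379
""".splitlines()

def parse(line):
    """Return (host, behavior) where behavior is a (process, destination) pair."""
    _ts, host, proc, dest = line.split()
    return host, (proc, dest)

def build_baseline(lines):
    """Learn each host's set of observed behaviors, then group hosts whose
    behavior sets are identical. Returns host -> frozenset of group behaviors,
    so hosts in the same group map to the same frozenset (the group's corridor)."""
    per_host = defaultdict(set)
    for line in lines:
        host, behavior = parse(line)
        per_host[host].add(behavior)
    return {host: frozenset(behaviors) for host, behaviors in per_host.items()}

def detect(host_group, lines):
    """Flag events that fall outside the host's group corridor (least privilege
    applied to behavior). Hosts absent from the baseline are reported separately:
    in a dynamic cloud they are usually new instances that need grouping, not attacks."""
    findings = []
    for line in lines:
        host, behavior = parse(line)
        corridor = host_group.get(host)
        if corridor is None:
            findings.append((host, "unknown entity", behavior))
        elif behavior not in corridor:
            findings.append((host, "outside baseline", behavior))
    return findings
```

Hosts that "come and go really fast" show up here as "unknown entity"; a production system would assign such a host to an existing group from its first observed behaviors instead of alerting on every autoscaled instance.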
- Q. Can you give us a specific example of a Lacework deployment?
A. Snowflake is a major cloud-based data-warehousing company that runs on Amazon Web Services (AWS). They need to ensure the security of the data they manage for their customers. However, these AWS environments are highly dynamic and change at rapid rates. Conventional security tools were becoming too slow to adapt to ongoing changes, creating bottlenecks, inefficiencies and unnecessary overhead in daily operations.
Snowflake deployed Lacework in a matter of hours on a few virtual machines (VMs). Today, Lacework runs Polygraph on an average of 200 VMs, including their highly dynamic Jenkins environment, and uses it to provide detailed insights and visibility into Snowflake’s workloads and AWS environments.
Their security team used to spend two to three hours a day configuring, tweaking and analyzing events and alerts. Now they spend fifteen to twenty minutes. This sort of integration is the future of cybersecurity. Third-party, integrated software can provide better, faster threat detection with full visibility.
- Q. What final advice would you have for a security professional moving to the cloud?
A. Don’t lift-and-shift your on-prem security approach to the cloud. Do a little cloud security jiu-jitsu: use the cloud’s own truth to protect it. Don’t get caught in the trap of rules, policies and log analysis.
Jack Kudale is the Chief Executive Officer at Lacework. He is a global enterprise software leader, entrepreneur and mentor with unique experience in startup ecosystems, global field sales execution, product management, and global market strategy. Kudale is a champion of cybersecurity, hybrid cloud integration, enterprise DevOps, and mobile broadband.