Cloud Security Interview with Ashish Rajan, Cloud Security Podcast Host
After the Revolve Job Zero security press review, we offer a new regular format on Cloud security. In this interviews, we meet security specialists who work on Cloud, to review trends and practices: Cloud security toolbox, fundamental changes, impacts of the health crisis, transformation of the security profession…
Our guest today is Ashish Rajan, CISO and Cloud Security Podcast host. Ashish help businesses with Cybersecurity in Public Cloud.
What are the tools and services that you use ?
It depends on the size and cloud footprint company that you are working with. A lot of enterprises use CSPM (Cloud Security Posture Management), that was pretty much the first thing that most people jump on when you reach a certain scale in Cloud that can’t be managed using the Cloud Service Provider tools. Another factor for tools is depending on the skills in the security team there would be in house or open source / free version tools.
There are other tools that as the complexity of the cloud is increasing you would require. We no longer just have Virtual machines, we have containers, serverless applications, so your traditional CSPM doesn’t really work, it doesn’t understand that kind of compute.
So for serverless and containers, we are looking at things like CNAPP (Cloud native Application Protection Platform), or containers workload management. Thanks to Gartner we have 4 or 5 more acronyms now : CSPM, CWPP, CNAPP and now there is a new one SSPM (SaaS Security Posture Management). It’s almost like a menu with tools that you can choose depending on how much you care about covering all kinds of compute in your organisation. In some organisations that I worked with they decided to not have security tools for serverless because they use serverless only for backend functions. And this is just the infrastructure side – from the application side, that’s a whole another story.
Listen Cloud Security Podcast « Threat Hunting in AWS » :
Are some tools lacking ?
There are definitely gaps in the existing market, and these gaps exist because of the nature of the organisation the professional may be working with. For example, there are PCI or SOC or CIS benchmarks available for people to use, but not every requirement is completely applicable for all companies. If you are not dealing with credit card information, what is the point of the PCI benchmark ? There is a difference between what is applicable versus what is mandatory through compliance requirements. Tools try to solve this problem in one dashboard but since not everything applies most times organisations have to either disable things they don’t need or ignore most of the not benchmarks as false positives not as Not Applicable.
On top of that, the right tool for any job depends also on what kind of applications you have, if you are public facing, or if you have API based services. At the moment, API security is not really covered by most cloud security . Amazon or Azure says you should use our WAF, but API security is not the same as a WAF. WAF is a web protocol, API is API, it’s REST, Json… it is totally different. That’s the gap that I see.
Another thing that is often overlooked and lacks tooling is data security, companies are still unsure what kind of data they have in the cloud. In an online meeting, what data is on the cloud ? Personal data, company data ? Data security, from a tooling perspective, hasn’t really been sorted in the cloud space. There are solutions missing in this space too.
What are regulations in Australia regarding data management ? Or Cloud sovereignty ?
Data Privacy Act is most relevant from a data management and data regulation standpoint in Australia. Data sovereignty is still an issue too by the way. Governments want the services they use and their citizen data to be in their country, and sometimes even within the state: the data cannot leave from that region. Like many countries around the world for us in Australia, there are certain data-types that cannot leave the premises of our state or the country.
There are government regulations and in addition each company defines their data classification and data management policies. These policies help the employees navigate questions around what kind of data can be consumed, stored and processed by the organisation. What steps should they take to be compliant with GDPR, so I know that citizen data is safe.
But beyond that, in most big data projects education on how to work securely with personal information, confidential data or sensitive data is not being addressed like it should. Unless there is a process defined for handling and managing data, very few data projects are either aware or even would be able to address their data privacy or data security policy requirements.
What are the most important security challenges on the Cloud, and AWS Cloud ?
It is probably the complexity. Cloud is so complex, anyone who has been working on AWS for 6 or 7 years still would not know every area of AWS or any other Cloud Service Provider for that matter. It is the biggest challenge of the cloud, and at the moment a lot of us are in organisations with a multi Cloud environment : AWS, Azure, Oracle, Google Cloud, IBM Cloud and more. What it means for me as a Security Leader is that in my team I would need to have a person or at least two people who know each one of these cloud providers very well, or well enough that they can protect it.
Lack of right education in Cloud Security is another challenge. Cloud providers recommend passing their certificates to be qualified in their respective public cloud, but most of us have to deal with companies that are primary on all the cloud providers. Sometimes our customers are on premise and public cloud providers, sometimes on premise, and public cloud, and private cloud … the complexity and the lack of specific skills are the biggest challenges. This is one of the reasons why we started Cloud Security Podcast & Cloud Security News to close the educational gap and share a platform where professionals can come and share their knowledge and stay updated on what’s happening in the Cloud Security space on a weekly basis.
What is the impact on security tools according to you ? What about managed CSP security tools in a multi cloud approach ?
It depends on what cloud provider you are using. If you are mainly on AWS, and suddenly you want to add Azure or Google to your mix, the strategy recommended by AWS will work. From a security perspective, as a CISO, I am responsible for security across all Cloud providers that are in my organisation, not just AWS. Having Azure in the mix could be a plus or interesting if that’s where most of your major workload is, because Azure has made a really interesting move with Azure Sentinel, which can be used for Google, AWS in “convoluted way” but it’s possible! You can still use Cloud provider security services if you want to, or external party products. Eitherways, as a security specialist, you have to anticipate the reality that your company will be multi-cloud one day even if it may not be multi-cloud today.
About monitoring, I would advise as a first step to use third party communication services like Slack or Microsoft Teams to communicate all security events. It’s a first step, it’s still very basic, you still have to identify what alerts are the most relevant. This is basic maturity, because this requires a lot of work into each cloud service provider to identify what alerts are relevant and only send them to Slack to reduce noise. The downside is that your security is spread across multiple channels, and it consumes a lot of time. Next, you will need a tool that manages all your alerts centrally using a third party application like a SIEM or Observability Tool etc.
Covid crisis, how did it impact your work? Remote work ?
For us, the company started on premise, we moved to cloud 7 years ago, and it was interesting to see the transition from desktop to laptops. Most big organisations that I know still have enterprise managed desktops, because they didn’t want to access the network from outside the office. With Covid, everyone worked from home, with laptops, everyone got a VPN connection. Adoption of Cloud and SAAS services started to have a lot of traction, because it was the quickest way to access services and be productive without the overhead of managing a desktop server for that application.
COVID has flipped the threat model upside down : the internal threat is the same as the external threat now. If you are not inside my office, you have the same threat level, being in Australia or in France. Every traditional threat model that was made for people working from the office was not relevant anymore – technically, anyone is an external threat, as no one is behind my firewall. That is why we have seen a lot of conversations in 2021 around zero trust. So far, we are still at the beginning of this, but I think we really make good progress towards zero trust if we focus on fixing and managing identity management effectively first.
A lot of employees are now working remotely, and sometimes overseas. An acquaintance of mine moved to Egypt, she started doing Australian office hours from Egypt. From a security point of view, it’s a new person, in a new country, even if she is an employee. How do we manage that ? These were the challenges that were interesting to solve during Covid.
From a tooling perspective, responding to the Covid crisis implied a lot of VPN and limiting access to resources from the internet for company devices. Also, how do we deal with the loss of a device, like a laptop stolen ? To summarise, there is now a lot more focus on Identity management and also Asset management which got a lot of attention too, especially after the recent log4j findings from December 2021. People are talking more about data security in a remote world as well – you can copy enterprise data at home, I wouldn’t even know, or you could be recording the data on your phone.
Switching from security on premise to the cloud, how did it change the security mindset and the way you work ?
It definitely has evolved. Seven years ago when I started in the Cloud, I was not aware of the concept of automation and automating security. For me at that point we always had to monitor, we couldn’t do automation for monitoring. Moving to the Cloud has opened up possibilities for security, like automation. Identity is more important than IP addresses in a cloud world; it changed fundamental security thinking, because on premise security heavily relied on IP addresses. In a Cloud world, IPs change every five minutes, so you can’t use that as a way to block or allow traffic. Identity of an employee logging in as a person or doing some task is more important : is that a legitimate task? Or some kind of malicious task ?
Women in security and IT ? How is it in Australia ?
The lack of diversity is a problem in general in the tech community. As a friend of mine told me, being female friendly doesn’t mean you have to make everything pink, it just means being equal. I feel that in the tech community it is definitely changing, diversity is coming in the tech community, but I don’t think it has really changed at the same pace in cybersecurity. I hired 3 people in the last year, and out of 55 applications, I only had 2 women. I am not sure of the reason: are they not applying to this job, are they already employed, perhaps they haven’t seen the job ad, or think they don’t have the experience? This is definitely something I’m personally interested in improving.
Does the cloud accelerate security or does it bring more threats ?
It’s a balance between what we have been doing so far on premise, and what we have to learn in the new world of cloud security. Earlier I took the example of IP vs identity, or the rise of automation but the harder balance to find is a cultural balance. For us, traditionally my security colleagues and I have always been seen as working on network security components like firewalls or application security, not seen as doing automation. Automation was for engineers or developers not for cybersecurity. That changed with Cloud – you have more security cloud engineers, automating security products on a daily basis while working in DevOps environments .
What is new is that CyberSecurity now needs to involve a lot more people. In order to have a successful security project you have to onboard developers and a lot of other teams in the company to do security efficiently. Cloud providers are running way faster than any company out there, any service you can think of from your Cloud Service provider has a 50 or more people team behind it, and you just have one use case with that product. What it means for us, as security engineers, is that if you don’t work with developers and devops, we will continue to be behind the 8 ball unless we also keep up with the Cloud provider’s pace as it grows within the organisation. This is how the cloud will accelerate security by collaboration and automation.
What are the Cloud trends you have seen around the world ?
Australia, New Zealand, United States and UK have a massive AWS usage, while Europe is primarily on Azure, and a little GCP too.
In the Middle East, Oracle Cloud is popular. Oracle did this clever move to create data centers where there were no AWS, Azure or GCP datacenters.