A common misconception about moving to the cloud is that it’s a “lift and shift” type effort, when really, it’s more like lift, ADAPT, and shift. And CISOs have plenty to adapt to. Managing risk at cloud speed and scale takes some getting used to. As does taking on increased accountability for cloud security while ceding control to the R&D teams that design and spin up cloud resources. Still, my experience leading a major cloud migration effort is that moving to the cloud can strengthen an organization’s security posture, if done correctly. One way to make sure that happens is to adopt a holistic approach to cloud security, from the first step in the development process through runtime.

Foundational to a secure cloud migration are several prerequisites:

1. ALWAYS assume you’ll be breached — This mindset is not unique to the cloud, but the cloud has different and exponentially more attack vectors, vulnerabilities, pace, etc. 
2. Implement proactive measures beyond what’s offered by cloud providers — No matter how good your cloud provider’s tools are, it’s risky to rely solely on them to protect your company’s crown jewels.
3. Create a plan for managing the friction between accountability and authority. In the cloud, these don’t really go hand in hand — This is a huge topic that deserves a deep dive, but a fundamental realignment across development and security teams is required for CISOs to effectively protect cloud systems and manage risk.

Remember to shift right

Once you get down to brass tacks, much of the innovation that has occurred in cloud security has focused on “shifting left” or baking security early on and throughout the development process. However, when it was me (and my team) migrating to the cloud, we hit a major roadblock when it came to runtime security. And that matters, A LOT, because regardless of how a company is breached, attacks always unfold at runtime.

The problem is that existing solutions aiming to detect cloud attacks initially started with a specific and/or different objective in mind, such as posture management, or endpoint security. These technologies were aggregated on top of each other and as they expanded their capabilities, it was an ad-hoc build-out that required an unsustainable amount of configuration and maintenance. Plus, we already know that a patchwork of security tools creates gaps and blind spots.

Runtime is where the action is.

There were also technological constraints. However, advancements in cloud technology such as Extended Berkeley Packet Filter (eBPF) are moving cloud security forward. Simply put, eBPF provides organizations with the “boots on the cloud” needed to deal with the next wave of cloud attacks. And regardless of how an attacker breaches an organization, the attack itself  – be it data exfiltration, a crypto miner, etc. – unfolds at runtime. 

And just as cloud environments have different attributes than on-prem networks, cloud attacks manifest in very different ways than those against legacy systems. One especially notable attribute of cloud attacks is their seeming randomness. Cloud attackers don’t use premeditated Tactics, Tools and Procedures (TTPs) because those rarely work within a cloud environment. As a result, mature attack detection tools such as Endpoint Detection and Response (EDR) solutions are far less effective in detecting them. 

Also, cloud attackers often start with one goal in mind (such as placing a cryptominer), and perhaps even an empty VM. But when the opportunity arises to take over an account, access crown jewels or exfiltrate data, they can pounce with a quickness defenders aren’t accustomed to. If that’s not enough, they usually present as a legitimate user. Attacks such as Scarleteel, CCminer and Pyloose provide a whiff of what’s to come, which in turn helps to shape the next generation of cloud defenses.

Bottom line, runtime introduces a new trajectory for cloud security. When strong risk management and security capabilities are baked into the digital transformation effort – from development through runtime  — it shatters the myth that there will always be a trade-off between strong security and a highly productive and connected workforce. 

How Sweet is that?