The Cloud Security Saga with Joseph South
Host: Hi, everyone. This is Purusottam, and thanks for tuning in to Scaletozero podcast. In the previous episode with Joe, we covered IAM security in-depth, focusing on best practices, training, remediation, and much more. In this episode, we'll be covering cloud security. With that, let's get started with part two of the episode.
So each cloud provider has published a shared responsibility model. And as part of that, they highlight that what part of the infrastructure the cloud providers take care of, like from a security perspective, and as a customer, what part are we responsible to secure?
And mostly the cloud providers take care of hardware, networks, stuff like that. And the customers are responsible for IAM or setting up access to compute instances. And on top of that, every year there are many services that are rolled out by each cloud provider. So
how has that complexity evolved over the years as there is more adoption of the cloud? So from a security perspective, what's your take on that?
Joe: Yeah, so, you know, the shared responsibility model is essentially the same across all of the cloud providers. And that's really drilled into you in the CCSP exam where, you know, that certification is geared towards preparing anyone to go into any cloud and secure it. But you know, I do actually want to specify, you know, the cloud provider is responsible, of course, you know, for the hardware and the network.
It's not what you would typically think. You know, they're responsible for, let's say the hard drive, not failing. That hard drive should never fail from your perspective. You know, the server should never fail from your perspective. All these cloud services, they're running on a server in their data center. Um, that that's really all that is. And in terms of the networking, they're responsible for plugging in that cable into the network switch port and ensuring that data is going across it.
They're not enforcing TLS or anything else like that in your environment. It's really all up to you. With that, as a security professional, you have to understand the cloud is always changing, which can be frustrating.
Last year, AWS launched, or well, this past year, 2023, it was a year AWS alone launched 10 new services, right? So that puts their total of services over 200. And so what that tells me is that you know, one, you always have to be learning. And two, the common misconfiguration issues are going to be increased because now you have these new services that are doing different things, interacting with different areas of your environment. And you have to know You know, all of that information and how to secure it. So it just opens up a whole new can of worms basically every year because they're releasing new services every year.
Host: So now, if that's the case, if I'm a cloud practitioner, how should I look at the complexity when it comes to securing my infrastructure? It's I'm creating new servers or I'm using RDS or I'm creating new S3 buckets or I'm deploying my applications and communities. How should I think about the cloud's complexity when I am from a security perspective?
Joe: Yeah, so you have to address it from a couple of different areas. Really, common misconfiguration issues. It's surprising how many public S3 buckets there are that are unencrypted. It's 2023. This issue was big back in 2010, essentially, and we're still having this issue. And then we're talking about pipeline security.
So how are you actually… interacting with the cloud? How are you deploying infrastructure in the cloud? Are you deploying insecure infrastructure in the cloud? Because you know, from a security perspective, I can secure the cloud as much as I possibly want. But if a developer is deploying EC2s that have unencrypted hard drives on it, and they're deploying 10 a day, I'm never going to keep up. I'm like, something has to change with that.
And then of course, I would be focusing on IAM, the least privilege that I talked about, the overly permissive roles and accounts, and ensuring you're only giving people what they need to do their job and nothing more.
Host: Like you're spot on, like misconfigurations, you can definitely use a tool, open source or a vendor, and you can see what are the misconfigurations and you can fix them. But the moment insecure code, insecure infrastructure code gets rolling into your environment, it's more of a cat and mouse game, right? The developers are creating more infrastructure with challenges that you are just trying to catch up and fix them.
So as part of that, a follow-up question to that is, like often cloud practitioners spend a lot of time on the architecture, right? When they are rolling out services or rolling out their workloads, what are the services they are going to use from the cloud? How do they interact with each other? That often increases the attack surface as you touch more and more services. How should organizations sort of ensure that they're doing the right sort of review and keeping that attack surface minimum?
Joe: Yeah, it's a great question. So, you know, having a strong CSPM solution, that's a cloud security posture management solution in the cloud, even if you're only in one cloud, is absolutely critical because it gives you insight into the configuration of your cloud irrespective of the service that you're using. So they have all of the best practices for how to secure different services, and how to deploy secure infrastructure.
And they're just looking in your environment to make sure, hey, this EC2 has an encrypted hard drive. This S3 is encrypted. This S3 is public, but it's not encrypted. Or, you know, all of those sorts of things. And it's alerting you on it. Now hopefully you have a really good, powerful CSPM solution so you're not getting overwhelmed with the amount of alerts because you can get into a situation where you have thousands of alerts and you don't know what to prioritize.
And, you know, to one CSPM, everything will look like it's a higher or critical finding and to another it will look less like a medium and you don't know what to do. So you really need to factor in the ability for it to kind of weed through everything and really show you what you need to be paying attention to.
Host: Okay, so more of a using your environmental context to sort of prioritize from the findings of the CSPM.
So if I am running a startup and I have a small team and I'm deploying my workloads in the cloud, there are many areas, right? Like I am becoming the new perimeter, there is a network, there is data, there are compute, and all the areas.
Should I follow, let's say, the ordering of the CSPM, or should I have my own rubric when it comes to prioritizing things to fix in the cloud?
Joe: Yeah, I would. So I would leverage either a CSPM or at least the NIST framework for the cloud of what you need to be focusing on. Uh, and maybe even factor in like the, uh, the cloud security, you know, posture. What is it? It's the, it's the CCM, the, the cloud, you know, matrix, right? That has all the different controls in there. Um, for every regulatory or compliance requirement that you may need.
And that really outlines what you're going to be focusing on, where you need to be directing your attention. Because if you're a small company in the healthcare field, right, you need to be HIPAA compliant. Well, what are the key areas in HIPAA that relate to AWS? And then let's take it a step further and see what key areas of HIPAA relate to different AWS services, you know, where are these controls? Right.
And so that's where you would really want to start to ensure like, Hey, right from the beginning, we are deploying S3 buckets that are encrypted, you know, right from the start, it's encrypted with a key. That key is stored over here, you know, and it's secured by default. So that's where I would start if I was, you know, in charge of a small company and, you know, starting over, so to speak.
Host: I like how you sort of mapped it to the compliance families and particularly for organizations, they do not have to be compliant to multiple at the same time, right? If you are in healthcare, HIPAA is sort of a must. If you are in FinTech, you have one. So stuff like that. It sort of gives you and these compliance families give you that guideline, right? What is the bare minimum that you have to do? And that often gives you the starting point. So yeah, I really liked how you connected sort of the compliance to sort of your priority list.
Now, one of the things we spoke about earlier is there are challenges when it comes to implementation. Are there any resources that people, that cloud practitioners can refer to so that they can implement cloud security in a better way?
I know that your friend had you for help. What should others do who cannot reach out to you directly?
Joe: Yeah. So, I would look at the NIST frameworks, as well as the cloud security alliance. They provide free resources for best practices. I think they're the ones that actually create the CCM that I just previously mentioned, where they're giving you the best practices for each cloud broken down into the service. And then truly, it's a little bit of Googling I guess, to find where does this configuration need to be made and things like that.
So you can do it on your own. It's just people like myself that are more experienced that'll say like, oh yeah, we don't need to look at any of that. I know where it all is, that sort of thing.
Host: OK, what we'll do is we'll add these, we'll tag some of these best practices when we post the episode as well. So we sort of touched on detection of any misconfiguration or security caps using CSPM tool. We spoke briefly about prevention, like using pipeline, in the pipeline, incorporating security checks. We haven't spoken about remediation,
What would you suggest an organization do? Let's say they have the findings now. They did the prioritization. How should they approach remediation?
Joe: Yeah. So in the cloud, you know, kind of like I said before, it's a little bit different. You have to fix these findings right from where they're occurring, right from, you know, where the developer is creating that S3 bucket from, in order to actually shore up this finding because, you know, let's say you have a thousand findings on Monday and somehow you manage to resolve every single one of them by the end of the day. Right.
Tuesday comes, you now have another thousand and it's the same findings that you had before, just different assets. So how in the world do you keep up with that? You know, really it comes down to using, you know, solutions like AWS config, if you're in AWS, where it's saying, hey, no unencrypted S3 buckets should exist in this environment. If it does, you should block the deployment and then send an alert and give this error message.
And then even going a step further and talking to the developers like, hey, we're putting in these controls into your pipeline with these different solutions, you're not going to be allowed to deploy an EC2 with an unencrypted hard drive anymore. You're not going to be allowed to not have an encryption key attached to something, or you're not going to be allowed to not store your encryption key in KMS, it has to be in KMS. You know, all of these things, you know, matter. And the only way that you'll ever keep up with it is if you cut it off right where it's starting.
Host: Like often what we have noticed is organizations are looking for an edge case or something like that instead of focusing on the basics. So I like how you put it that covering the basics would give you the most value from a security perspective. And then you can slowly get to the edge cases and work on those.
So you have been in the cybersecurity field and cloud security for a while. So one of the things that I'm curious to learn from you is how has the landscape of cloud security evolved in recent years.
Joe: Yeah, so it's, you know, as the scale of the cloud changes every single year, like I mentioned before, there's over 200 AWS services. And I looked up earlier, you know, there's also over 200 Azure services. And so as a security professional, you have to be familiar with all of them. Um, and God forbid your company is in multiple clouds, uh, because when they're in multiple clouds, now you have to know over 400 services and whatnot, right? Cloud security is evolving into a place where, I see it kind of as it was before cybersecurity was cybersecurity, right? You used to have like maybe a network security team and they just did everything in security for the entire organization.
And then eventually it turned into cybersecurity where now you have IAM teams. You have a team that focuses on endpoint security and you have a team that focuses on network security and so on. Right. It's all these different domains. Well, cloud security is getting to the point where you need to have a cloud IAM team and some companies are moving that way where they have an IAM team for on-prem and then they have a cloud IAM team.
And the same thing with infrastructure and networking, because, you know, truly, if you look at the exams, even just for AWS, the certifications, if you have, like two of those professional certifications, like you're, you're a unicorn. Okay. Having one, you're a unicorn, but like having two of them, like you're a double unicorn, you know, like those exams are so insanely difficult and they're so broad, you have to be able to do so many different things.
And then you just take that and you move it into an organization. You know, there's no way a security professional will know everything with network security, which I don't. You know, like I have to actually have a networking guy on the call with me. And we're going through this config and I'm saying, okay, that, that isn't secure. You know, and, but I don't know, I don't know how to configure it myself. You see what I'm saying? So like, I know, okay, TLS needs to exist here. But.
I may not know how to configure all the other stuff around it before we get to the TLS part. And so it's growing to this place that is extremely large and companies are going to have to start focusing on building out a cloud security team like they did with normal on-prem security.
Host: That makes sense. So now looking to the future, are there any emerging trends or technologies that you think are noteworthy, which could become a norm, let's say a few years down the line?
Joe: Yeah, that's a great question. I would say cloud security is definitely growing. I would say AI security is going to be a field within the next five years that you're going to want to be familiar with. Quantum computing is, I think it's closer than what people actually realize, especially when the US government puts out papers that they're trying to figure out ways of communicating to their satellites via crystals and...
You know, things like that for quantum security considerations. Um, those are the two, you know, strongly emerging areas that I would recommend everyone has to get some level of familiarity with and, and the learning curve with that is extremely steep. So we have a little bit of time now, but if you wait five years to actually, you know, start learning the language and start learning the terms, you're going to be very far behind the curve.
Host: So, like one of the terms that you used is AI, right? And particularly, GenAI has been exploding for last one year or so. And when it comes to AI, like GenAI, there are two types of security challenges, right? One is security of the GenAI. Let's say enterprises using any GenAI provider or building something of their own. What should they be keeping in mind? And the other side of it is using GNI for security use cases. How should vendors or even cloud practitioners think about it?
Joe: Yeah, it's an interesting question. When we're thinking of security of the generative AI, there's a lot of different components that go into it. You have a large language model, it's running on code, it's running on infrastructure. Let's assume you get all the infrastructure completely secured, right? You still have to maintain security of that code. You still have to ensure that the code that's running is secure. And then you have to also, you know, even, you have to also explore securing the data pipelines that this AI is receiving its intel from, right?
Because you wouldn't want an AI algorithm that, you know, maybe has a very far-reaching use or capability to, you know, learn from let's just say, you know, some propaganda from, you know, either a prior time in history or even a current time, and then using that influence across everything else that it, you know, is informing on, right? You wouldn't want that. Or at least, you know, 99% of the population in the world would not want that.
And so you have to, you know, secure this in different ways. And I've had on AI experts before, with my podcast that talk about how AI models are turning into hierarchical models where you have one master AI model and then it's informed off of other AI models that are focused in very specific areas and they get really good in their domain or their area and then they're informing this master model of how it should be reacting to different things. It sounds like a lot of… you know, like Terminator style stuff, but you have to, you almost have to use AI to secure AI, which is, you know, it's difficult. It's hard.
Host: Yeah, yeah. No, funny that you highlight Terminator. But yeah, I mean, we are training the models to behave like it's like artificial general intelligence. That's one of the goals with which OpenAI started also. I think recently I read somewhere that there is a…. There is a behavioral aspect coming into OpenAI as well. It was not predicted where there is slower response or the engine is not providing any response. And they're calling it, I guess, winter break or something like that. But yeah, I mean, you're right. There is a lot of advancement happening in the GenAI space.
Hopefully, we can utilize some of it or building some security use cases. And also, at the same time, we make sure to build it in a secure manner as well. So yeah, I'm looking forward to the next couple of years to see what type of advancements happen in that area.
Joe: Yeah, absolutely. It's going to be an interesting time.
Host: So that sort of wraps up our security questions.
Thanks Joe for the Insightful conversation. Here are a few important points I gathered:
- When it comes to Cloud Security, focus on Basic & Common Misconfigurations first. Only after all of those are resolved, pay attention to edge cases.
- For the Prevention of Cloud Security risks, ensure the Pipeline is Secure. The Infrastructure getting deployed into the Cloud environment is secure and does not have any misconfigurations.
- Utilize Cloud Controls Matrix from Cloud Security Alliance as a starting point for Improving Cloud Security.
The next section is around rating security practices.
Rating Security Practices
So the idea is I'll share a security practice and you need to rate it from one to five, one being the worst and five being the best. And then you can add context why you are providing a specific rating. So let me start with the first one. Conduct periodic security audits to identify vulnerabilities, threats, and weaknesses in your security, in your systems and applications.
Joe: I would say that this is probably, I'd go with a four. And the reason being is that, you need to train your organization to eliminate a lot of those different vulnerabilities and issues that it will catch, this audit will catch in the background. And so that's really how you attack this problem. But it is still very important at being a four.
Host: Okay, so speaking of training, the second one is around training itself. So provide training and awareness programs to employees to help them identify and respond to potential security threats.
Joe: I would definitely put this at a five because as we mentioned before, the attackers are getting significantly more evolved and advanced in how they're actually going about attacking and gaining a foothold in the environment. And so the training needs to be augmented. Awareness programs almost don't do it justice to what you need to do.
Um, to really, you know, ensure that your employees are trained at a, at a reasonable level to really, you know, secure your environment. So I would put that, you know, probably at a five.
Host: Okay, next one is use strong passwords, change your passwords frequently and avoid using the same password for multiple accounts.
Joe: Yeah, this would be a five. I mean, this is just typical, you know, IAM good IAM hygiene. You know, it's just a standard practice of IAM, but it's something that absolutely needs to be paid attention to.
Host: Okay, so the next security question, or rather the practice is, development regularly tests an incident response plan to help detect, respond to, and recover from security incidents.
Joe: Yeah, I would, you know, I would have to put this at a three, uh, just because of everything else that we talked about already. Um, but being at a three doesn't mean that you don't get to, or you don't have to pay attention to it.
Um, this is definitely an area that you have to have outlined and you have to remember when people are in a stressful situation, like a company being breached, services being down, losing millions of dollars a minute, they are going to fall back to their lowest level of training. And with an incident response plan, I feel it's always better to have what I call a run book or a playbook that literally has step by step exactly what you need to do to resolve it because...
If you're not well trained, if you're not well versed and companies getting breached, if you're not experienced in that area, you need something to fall back on that will literally just tell you what to do every step of the way. Email this person, click this button, inform these people, start up this bridge. You need those processes and you need to make it very easy because what if you don't have, you're a players there. They're on vacation in a country that's non permissible and you can't, you know, communicate with them. Um, these are all things that you have to be thinking.
Host: Yeah, because when you are in an incident, it's not the best time to experiment, right? Rather, it's best to follow a set of guidelines or like a playbook or a run book. The next one is always lock your computer when you leave your desk, even if it's just for a short time.
Joe: Yeah, yeah, I would say this is probably a five. You know, I actually worked for a company that regularly would go around and check people's desks either during the day or even after the work hour. And I mean, if you left your computer unlocked, like not only are you sending like an embarrassing email to your team or, you know, they're sending an embarrassing email from your account to your team, but you're also getting dinged.
You know, and that stuff is tracked and some companies take it very serious and they actually terminate employees because they, they do it too many times. So it is actually very important.
Host: Make sense. The last one is granting users unrestricted access to systems and applications so that we can move fast and roll out new features quickly.
Joe: Yeah, this is a terrible idea. This would have to be a one, if I could give it a zero, it would be a zero. Being able to move fast, have fewer limitations to roll out different features and things like that is not an excuse for having poor security or not following a least privileged model.
The only thing that is doing, yes, you may make more money in the short term, but I guarantee you, you're going to get breached. And when you do, you are going to be paying a whole lot more in fines than what that quick 30 minute task made you.
Host: Yeah, absolutely. You're spot on. So one last question. If you have to give a reading recommendation to our audience, whether it's a blog or a book or a podcast or anything, what would you recommend?
Joe: Yeah, so I would actually, you know, obviously I'm going to recommend my own podcast, Security Unfiltered. Um, it's available on all platforms, but I would also go with dark net diaries. I really love Dark Net Diaries, how he explains a story, and walks you through it in a way that anyone can understand what's going on. Um, you know, for books, I would start with a zero-day book from Kim Zader, or I'd probably just butcher her last name. So I'm sorry, Kim.
But that book takes you through a very complex situation of Stuxnet and shows how Stuxnet was used to bring down Iran's nuclear program or at least halted for a little bit. And they take you from a very high level to in the weeds feeling like you're right there with these engineers reverse engineering it. And it's really impressive how she does it because anyone can understand that book just by, you know, following along, reading it, paying attention a little. It's a great resource to get anyone started and kind of, you know, prompt that mindset that you need to have insecurity.
Host: Okay, thank you so much, Joe, for joining and sharing your knowledge. I hope our audience will learn something new from the episode as well.
Joe: Awesome. Yeah, absolutely. Thanks for having me. I really do appreciate it.
Host: Absolutely. It was a pleasure to have you on the episode. So yeah, thank you so much for joining. And to our audience also, see you in the next episode. Thank you.
You may want to read;
