This automatically-generated transcript is taken from the IT Pro Podcast episode ‘What’s next for cloud security?’. We apologise for any errors.
Rory Bathgate
Digital transformation has been at the forefront of so many company strategies in the past few years, and moving to the cloud has been a core element of this. Hybrid cloud in particular has become an all-important offering, but with increased presence in the cloud, businesses have also had to quickly adapt to the risks that cloud environments can present. Today, we’re speaking to Stan Markov, CEO and co-founder of risk remediation and mitigation provider Runecast, about the state of cloud security, and what’s next for the sector. Stan, thanks so much for being on the show.
Stan Markov
Thanks for having me, Rory, great to be here.
Rory
So just to start off with a general question, what are some of the key security challenges currently facing organisations in the cloud?
Stan
There are quite a few. But if I have to pick some, I would say the first thing is that even though cloud has been out there for a few years it is still, in a sense, new for a lot of larger organisations that are just starting to embrace it really on an overall enterprise organisation level, where they realise that they have to integrate it with the processes that they already have, like security, compliance and vulnerability assessment processes that they already have for their on-prem environments. And a lot of them, what they’re facing now is a bit of a lack of experience, I would say, and maybe some skill shortage when it comes to how to integrate all the cloud security processes into what they already have, and have it as one cohesive thing. And as we know, the rules that the cloud environments play by are a little bit different than the on-prem ones. Of course, the underlying hypervisor layer is already managed by the cloud hyperscaler. But you’re given so much configuration freedom that you could pretty much expose anything over to the internet. So I think this is still something that a lot of organisations are basically struggling to embrace, and to make sure to have the confidence that they’re compliant and they have a certain level of security, using and consuming their cloud infrastructure. So I think this is really one of the most important challenges that everyone has to solve in some shape and form. And the second one I would say, is that as organisations started to use cloud years ago, but maybe only certain teams within the organisation, they also started to use various different security or operations tools to make sure that they manage their cloud and their cloud security in a proper way. So they’ve created, even within a single organisation very often, a number of silos that use different tools. And now, linking back to that, they have to consolidate it all and to have a more unified view on how they’re secure, and manage their whole hybrid cloud.
They have to take decisions on basically how to achieve that considering most organisations now have multiple tools, some for one type of clouds, others for another type, and a third silo, which is for on prem. So that’s another challenge that organisations are facing, and a lot of it has to do with security.
Rory
So you wouldn’t say that organisations have necessarily moved to the cloud too quickly through digital transformation, but that some organisations, maybe even if it was a very slow transition, along the way through these silos there has been a lack of a unified response or lack of a unified strategy. And the result of that is a bit of chaos when it comes to security?
Stan
Yeah, I would say so, because cloud is so easy to consume. So if a particular department within the organisation has budget, they could just go ahead and start using some services from the cloud. And I think that’s exactly what happened over the years with many organisations, and I think different departments even didn’t know about each other that they’re using, for example, one was using AWS and another Azure, another GCP. Maybe they’re using it in a different way. So only when the organisation takes a decision on an enterprise level — “this is going to be now part of our strategy and we’re going to have a certain amount of infrastructure run out of the cloud” — only then they start to see, okay, what do we already have in the cloud? And yeah, how do we make sure we actually run all of that in a unified way? So yeah, I believe that kind of organically, everybody started really using the cloud, but not really in an organised way, or in a way that really fits their processes for on-prem.
Rory
Right. And then, is there — I guess it’s a simple sort of answer — but is there an easy fix to this problem? Or is this more of an involved case by case basis problem that’s going to require a case by case basis solution?
Stan
I think it’s, I mean, the approach should be similar. But of course, everybody’s solving a slightly different problem, because everyone’s processes are a bit different. And it should be both, as in our cloud, there should also be a mindset change, not just the change of tools or processes. But I think the overall approach should be, first of all, to see what they currently use. So what kind of clouds are being utilised? For what purpose? And then to really set some strategy for the particular organisation: What are we going to run in the cloud? And what are we going to run on-prem? Because there are good use cases for both. And I think over the years now, more and more customers are starting to realise the pros and cons of cloud versus on-prem. Because really, both of these have pros and cons. And once the strategy is set up, all of the organisations need to also think about what type of tooling they’re using, how are they making sure they’re automating the security and compliance, also their cost estimation, continuously, to make sure that they’re not going over budget when using both cloud and on-prem. So this is really the overall approach and the different steps. But of course, for each individual organisation there will have to be some specific tasks they have to basically accomplish, but the overall path is the same really. Just to discover what they have, think about the strategy, what should be in the cloud and which cloud exactly, and what should be on-prem? And to agree on a common toolset that spans across public clouds and on-prem so that they don’t end up with multiple silos of tens of different tools.
Rory
So organisations maybe could look to tools and solutions like SIEM threat detection?
Stan
Yeah, I would say that. I mean, there is — when we talk about security, of course, there’s anything that you can imagine, especially these days, but what I really like and where Runecast actually plays a big role in is the new category that Gartner coined last year, which is CNAPP, or cloud native application protection platform. Because it’s more or less an umbrella term, it’s a set of capabilities that provides an integrated approach to security and compliance all across not just the public clouds, but also on-prem. And within that umbrella, you have capabilities like CSPM, or KSPM, also a cloud workload protection platform, infrastructure as code scanning, API scanning, cloud infrastructure entitlement management, so all of these are really important capabilities. And it’s important to have them as much as possible within one single platform, so that you don’t have to try to always integrate tens of different tools. And also, ideally, to have all of these capabilities both for clouds and on-prem also in one single place. Because essentially, as an organisation you will have one strategy when it comes to security and also security compliance standards you have to abide by. And that’s why, as much as possible, all organisations need to think how to consolidate tools and vendors within either one platform or really a smaller number of tools or platforms.
Rory
So when you’re talking about businesses maintaining control across a range of different tools, or maybe a range of different cloud offerings, would you also say that security and observability are crossing over here? And that a lot of security issues are also comprehension or observability issues, when it comes to things like detecting threats in the first place?
Stan
Yeah, I think these two things are very connected, absolutely. And, in fact, it’s very often also from the perspective of who should be handling the hardening of the environment, and really should have the grasp of what’s happening in the cloud environment, it’s often the cloud team or, let’s say, the operations team, which is ensuring that everything is configured properly in a secure way. And also, they have to be involved if troubleshooting something or hunting for some threat. But often, these teams are separate: the security team and the cloud operations team. However, it very often happens, especially for example if we’re talking about security compliance, that the security team is demanding from the operations team that they have to ensure their cloud environment is configured in a certain way, to make sure it’s compliant. So they have to also do the remediation, they have to discover or see what the security compliance posture is all the time. And it is really ideal if both of these teams, or both of these roles, are able to look in the same interface and to see really all the necessary data about potential gaps in the security posture. And maybe also privileges that were provided, that shouldn’t be there, of certain users, which happens very often, especially in cloud environments, and even assets that they didn’t know about. So identifying the true attack surface, which in a dynamic and ephemeral environment like clouds is quite challenging actually, to observe or to see all the time. But this is something that these capabilities should be available for, both for the security and for the operations teams. And in some organisations, these roles are really merging as well. In others, they still keep it quite separate. But one thing is for sure, everybody would benefit from having one interface that will give them both security information and observability information as well.
Rory
You’d say this is true across a multi-cloud or a hybrid-cloud environment, that the core dashboard or controls would really be beneficial to a team to have that centralised view?
Stan
Yeah, absolutely. Because essentially, you know, whether we call it public cloud or private cloud, it’s always just a flavour of infrastructure, it’s a place where you launch certain services, where your apps are running. Of course, as cloud was something new, as it kind of is with Kubernetes now, it was inevitable that there would be new separate teams that were created, that were taking care of just that new thing. But essentially, as this becomes more of a commodity, and more of something that people perceive as just a flavour of infrastructure, or like a place where your apps are running, you know, these teams should also merge into one. So, especially when it comes to operational security, they should always be looking at their IT as a whole, not just a specific part of it, because they need to be able to protect it from a security and availability perspective, in its entirety. And really, most customers out there are having a hybrid cloud setup where they typically have some on-prem plus one primary cloud and one secondary cloud. So in that sense, yeah, whether it’s just purely multi-cloud, without on-prem, which is rarely the case, or cloud plus on-prem, this is universal. It’s great to have, it’s an absolute benefit to have one interface for both security and observability.
Rory
And with this in mind, would you say that organisations are really taking this into account, and making this a part of their, say, digital transformation strategy? Or is there a kind of a worrying trend of businesses putting the cart before the horse, and advancing into these cloud environments without this strategy before they’re ready, and therefore kind of reaping the real attacks as a result?
Stan
I think what we’ve observed this year is that organisations are becoming more, I mean, they’re becoming definitely smarter about it, especially as they’re embracing their hybrid cloud future from an enterprise architecture perspective, because then they can take more overall enterprise decisions, rather than having individual teams take their own decisions. So if you look at it from a high level, for the whole organisation, then it absolutely makes sense from multiple points of view. One is definitely consolidating the tools, having one interface so that everybody is more informed when it comes to the security and observability perspective. Even if you look at it from a cost perspective, and total cost of ownership, it also makes a lot of sense, especially in today’s environment where one of the top priorities for any C-level is really how to be very cost effective. So consolidating multiple tools into one platform brings also that benefit of reducing the total cost of ownership. And certainly, this works only when these decisions are taken more on a C-level or VP level, for organisations where cloud is now part of their lives and part of their enterprise strategy, so then they can start to think from a more global perspective: “what should I do to run things in a more optimal way, in a more holistic way, and with the reduced total cost of ownership?” And I see, as cloud has become a more and more important part of the enterprise strategy of most organisations this year, they certainly start to think in this way, which is really a good sign I think.
Rory
That is a good sign. It’s good to, I guess, hear that people are really taking these worries into account. So we’ve talked a bit about specific concerns. And we’ve talked a bit about maybe what businesses are seeking, what they need in terms of observability. In your own work, you’ve identified the usefulness of AI in detecting and remediating threats in cloud environments. I was wondering if you could expand a little on this, about where exactly AI and machine learning fit in to these solutions, and just expand on that level?
Stan
Yeah, we actually use AI in a very unique way compared to other organisations. The common way how AI is used in observability security platforms is collecting a lot of big data from even a single customer, but also multiple customers, and having the algorithms learn what is natural, what is unnatural behaviour, and then pointing out some deviations from natural behaviour. And then a security operations person or expert needs to then dig deeper, and potentially find out if that’s really a problem or not. And this is really an approach which is, you know, good in some ways, because it can really help you find a problem either from a security or availability perspective. But also it can create a lot of noise because it’s never exact. Some unnatural behaviours might actually turn out to be harmless. The way that we use AI is a bit different. So the whole idea about Runecast is that we realised very early on, years ago, that there’s a lot of valuable information out there on the internet, in knowledge bases, vulnerability databases, known exploited vulnerability databases, even documentation or blog articles. But all of that data is human readable and unstructured. And it’s typically used reactively. So whenever a security breach happens, or maybe an outage, a service outage, then there’s usually a team of experts that are troubleshooting and looking for the root cause, maybe for days or weeks until they find it and remediate it. So back then we realised that if we were to find a way how to continuously harness all that human readable, unstructured data and turn it into machine readable rules continuously, we could help customers protect against the latest known issues out there, the latest vulnerabilities or security and compliance issues or other problems that could cause availability or even performance problems.
So that’s what we do, even as we speak our internal platform is crawling multiple sources of online data, and detecting whenever there is a new knowledge base article or a new vulnerability, or new exploit, or a new piece of documentation that’s relevant, that’s documented out there, and then transforming that into a machine readable rule. And we have over 9,000 of them now, and the number keeps growing. And continuously, our customers, based on the latest current rules, they can detect any potential threats or misconfigurations, or vulnerabilities in their environment. So, the place where we use AI is in that platform that’s continually crawling these sources of knowledge. We have a number of natural language processing modules, which are detecting the relevant pieces of knowledge and then automatically translating this human readable unstructured knowledge into machine readable rules. So instead of using fossil algorithms to kind of try to detect some unnatural behaviour, which may or may not be harmless, we create continuously these rules that are very deterministic. And if an issue is detected based on one of the rules that we’ve created, then it’s definitely a problem. So it’s definitely a security gap, or maybe another issue that could lead to an availability problem. So yeah, overall, we have a quite different and unique way on how we leverage AI as opposed to other companies out there.
Rory
So do you think there’s a great deal of potential for AI to be used in a non-traditional automation sense? Do you think that AI is currently being used in too similar a fashion to more traditional scripting, say, and that these kinds of, maybe more out of the box solutions for processing and digesting information for security teams have a lot of potential?
Stan
Yeah, I think it definitely has a lot of potential because the way we use the AI really, if you think about it, just online, there’s so much information, and it’s in human readable, unstructured format, and it’s being updated on a daily or hourly basis. And nobody else that I know of is really using AI in the same way that we do. And the way that it’s traditionally being used, I think its accuracy is improving all the time, over time. But still, there is a lot of noise that’s being created by these tools or platforms that are using the AI in such a traditional way, which doesn’t fully solve the problem for security or operations professionals out there. Because I think a lot of them are kind of, to a certain extent, tired of having tools that maybe create more work for them, or create more noise that they have to go through and figure out what is really a problem and what is not. So certainly I think there’s a lot more to our approach. And it really makes a lot of sense. Ideally, I think that the two approaches can coexist, absolutely. It’s just that this traditional approach with AI, certainly, vendors should be careful with it to implement it in such a way that doesn’t create additional noise for customers. Because then it defeats the purpose of why it’s actually there.
Rory
So would you say that currently, AI, maybe machine learning as well, are in more of a position to perform information gathering tasks rather than maybe action on the kind of threat edge? So, passing huge amounts of information to humans in order for individual security teams to carry out actions, as opposed to detecting and automatically quelling threats as they happen?
Stan
Yeah, I think the level of accuracy in many cases probably is not sufficient for the data to be combined with an action. But there are some, I think, less intrusive actions that can be implemented out there. For example, decreasing the level of access to a network or to certain assets, if some potentially malicious behaviour is detected. Of course, every time customers need to evaluate whether it’s working properly, whether there are not too many false positives, but I think at least reducing or cutting the access for the time being if allegedly malicious behaviour is detected, I think it’s okay. Because if it’s not too drastic, I believe that we have the information coming in with the help of AI. If it’s accurate enough with a certain level of certainty, and the action is not too intrusive, I think it’s okay to use it now.
Rory
Fantastic. There’s clearly a lot of potential there. On a similar level, in terms of maybe cutting edge threats, as opposed to cutting edge solutions, there’s been a lot of talk, especially this year, around lateral security. I know that it was a big focus at VMware Explore, obviously it’s better known as east-west security in the past. But would you say that currently there is too much focus on endpoint security, and not enough on the kind of lateral threats that organisations are vulnerable to? Or is there a pretty good balance of knowledge of those kinds of threats among organisations?
Stan
I think this year, especially the lateral security topic, and east-west, has become more popular. So if you were to ask me, maybe in 2021, definitely, endpoint security was the number one. It’s still, I would say, the number one in terms of popularity and what organisations focus on. But I do see, from my experience at other conferences, even RSA, that lateral security is being addressed more and more. I think it’s something that was considered and was pushed by VMware, also even years ago with the release of NSX, back then, mainly for on-prem environments. But now NSX-T is used also in cloud environments, and in general, the same principles of protecting yourself on the east-west layer, they of course have to be applied in any environment, as mentioned earlier, whether it’s on-prem, or private cloud, or public cloud. It’s the same, the same potential tactics or the same potential threats should be prevented, basically. So yeah, I still think that a lot of the focus is on endpoint security or malware, and, you know, these traditional things. But I think organisations are starting to get smarter and look at things from a different angle as well, also from the east-west angle.
Rory
And has there been an equivalent step-up in lateral attacks from threat actors, are we seeing evolving tactics with the evolving cloud landscape? Or is there a pretty consistent threat landscape right now?
Stan
I would say that, you know, a lot of the attacks are pretty well, the more sophisticated ones certainly are, using all different methods, and they’ve been using them forever. I mean, we are now just starting to talk more about lateral security, but actually, these types of breaches, really penetrating the organisation more from an east-west way, or at least moving deeper into the organisation in such a way, this has been observed for a long time, in terms of the breaches out there. Especially the more sophisticated ones. But I would say still, a lot of the breaches that are happening are pretty simplistic, I would say, and they come from very basic errors that are made. It’s usually a human error, and a lot of the breaches are still happening, for example, because of some inadvertently exposed resources out there. And that could be, of course, the beginning of the breach, and once you get into an organisation then you can move within the organisation in the east-west layer afterwards. But the typical entry points for a lot of these breaches are something very, very simple and very easily avoidable. For example, if you have just a continuous CSPM solution that really makes sure that, for example, all of your S3 buckets are not exposed directly to the internet, that they are encrypted, and such simple things, then that would already prevent a big part of the breaches nowadays.
Rory
And that kind of circles back to what you were saying earlier around, a real need to have eyes on, and understanding of, all of your layers, all of your tools, really knowing if anything is exposed, not losing track in that sense. And kind of on that point, and maybe to round off the discussion, I was wondering if you could give some general pointers for other ways, other avenues that IT decision makers can look to secure their cloud environments, heading into 2023.
Stan
I mean, one of the things, maybe a couple of things to mention, is that I think the cloud infrastructure entitlement management capabilities and solutions are not as popular as they should be. Because there’s really a lot of, both human and service users, that have privileges that they shouldn’t have. In the various clouds and cloud services that customers are using, really having a solution which can give them continuous auditing and monitoring, making sure that only minimum required privileges are assigned to all the users that need to have access to specific services. This is something that a lot of customers are really not paying enough attention to. And it’s only now the CIEM, or cloud infrastructure entitlement management, solutions are on the rise. And I think we will see more and more of these in 2023. And they’re really solving, I think, quite important problems when it comes to security, because a lot of the breaches that are coming can come from, really, accounts that were basically exposed, and they might have access to really too many services. So CIEM capabilities, I think it’s something that everybody should look into in the new year, and how they will solve that, ideally within the same platform that they’re already using. But it’s something that I think all organisations need to look into. And the second thing to mention is, and we actually heard it a lot at VMware Explore and other conferences out there, is about sovereign clouds. With the ever changing and difficult geopolitical situation out there and ever growing regulatory compliance standards, it is obvious that a lot of organisations are looking for it. So having some sort of sovereign cloud, or some sovereignty of the data, at least for the sensitive data that they have.
So when they’re choosing cloud providers, or if they’re choosing security or operations solutions, they always need to think whether the particular cloud provider or security operations solution can provide that data sovereignty that is going to be required of them by, for example, European authorities or local authorities.
Rory
Well, thank you so much for that insight. And thank you so much for being on the show.
Stan
My pleasure. Thanks for having me.
Rory
As always, you can find links to all of the topics we’ve spoken about today in the show notes and even more on our website at itpro.co.uk. You can also follow us on social media, as well as subscribe to our daily newsletter. Don’t forget to subscribe to the IT Pro Podcast wherever you find podcasts. And if you’re enjoying the show, leave us a rating and a review. We’ll be back next week with more insight from the world of IT, but until then, goodbye.