By Bruce Sussman
Mon | Dec 28, 2020 | 10:57 AM PST

There is no question, really, that 2020 was the biggest year ever for the cloud. And it is forecast to continue growing in 2021. 

You can make the argument, then, that cloud security is more crucial than it's ever been.

This is why I reached out to Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, to discuss this topic. During our podcast interview, he revealed what he believes is the #1 threat to cloud security as we look ahead.

Cloud platforms excelled at rapid ramp ups

Starting on an optimistic note, Nunnikhoven says he is amazed by how well cloud platforms and companies did with the unprecedented shift the world made during the COVID-19 pandemic: 

"In general, if you're talking about sort of the state of cloud, focusing on the big three providers with AWS, Microsoft Azure, and Google Cloud Platform, which most of the other services we associate as cloud run on, it's been a wild success. That's due to billions and billions of dollars of continuing investment by those three companies.

And I think for the rest of us who aren't at those three—we're not worrying about a whole layer that we did before, that took up a ton of our time and effort, that really didn't gain us any advantage. It was work we had to do to get to the work that we had to do.

This road test was trial by fire, and they're doing it at a world class level. And it's nice that we don't have to worry about it, it's really kind of put that to bed, those concerns of like, oh, it could never meet my demands. Well, yeah, the cloud can and it has."

Organizations realized the promise of the cloud, and it proved to be extremely resilient. But what about cloud security? 

Cloud security vs. on prem security: which is stronger?

Let's look at cloud security from a couple of different angles, because that is how our SecureWorld podcast conversation flowed.

Mark Nunnikhoven and I discussed the big picture debate: can you have better cybersecurity on premise or in the cloud? Here is his take:

"I firmly believe that you can have far better security in the cloud than you could on your own. And the reason for that comes down to that shared responsibility model, which is essentially, you know, if you start at something like a virtual machine, or an instance, you take over the operating system, everything below that, the networking structure, the physical box, the power, the cooling, all that kind of stuff is taken care of by the cloud provider. So you only have to secure the OS and the stack on top of that.

The trade off of this security shift is that your cloud provider is doing more and more. The good news is they've got a great track record of doing this at world class levels."

And he says he has looked into this part of the security equation in great detail.

"If you dig into all of the security incidents around cloud—I have, that's part of my role—almost none of them are actually the cloud provider being breached or having an issue. There are some occasions where an outage or a slow patch application occurred, but those were in the early days of the cloud providers getting up to speed. All of the breaches and issues have been around understanding the shared responsibility model and understanding how you're configuring things."

Ah, yes, problems around configuration. 

"I always have this debate and challenge with my security teammates and colleagues, when they're like, we need to worry about hackers, we need to worry about cybercriminals. And yes, you do. But when it comes to cloud, the number one issue is mistakes and misconfigurations."

Misconfiguration in the cloud: cloud security's top threat

AWS S3 data buckets left unsecured continue to make news around the world, but that's just one example of misconfiguration in the cloud.

This is where Nunnikhoven and I spent a fair amount of time discussing what he sees as the root cause of misconfiguration and what organizations should do to mitigate this type of risk.

"Because developers are leveraging the power of the cloud, you can literally stand up an entire data center with one script, one command, and you've got the equivalent of an entire data center up and running. And that's amazing. That's a wonderful tool for the business.

But think about all those assets that you need to understand and how to secure, how to protect, how to configure properly. That's why we keep seeing these mistakes.

So if you understand that model, if you understand how to configure those services so that they are strong, and you're controlling permissions and access, you can have way better security at the same level of effort or less in the cloud.

Now, if you don't understand what you're doing, you would obviously expose yourself more significantly than you would in an on premise center, because you've got a whole bunch of safeguards that you control. But that normally takes a lot more resources. So I think there's way more upside in the cloud. It's just a question of education, keeping up to speed, and then leveraging things like automated tools to make sure that you're not making the same mistakes over and over again."

And I asked him about something I've heard security leaders say at SecureWorld conferences in the past year.

Let's say you're at a medium-sized organization. You might determine this person is responsible for standing up the cloud environment. And while they might have expertise in one area of the cloud environment, they may not have expertise in understanding the security tools, or even sometimes the security considerations around certain things. And that is what ends up leading to misconfigurations. Does this scenario ring true with him?

"Yes, absolutely. I think the easiest example to understand, and one of the things that just always gets me kind of going, is the storage issue. So we'll use Amazon S3, simply because it's the most popular of these type of services, but basically just a simple storage system in the cloud. And you know, Amazon S3 buckets start life completely locked down. The only person or object that can write into those buckets or read from those buckets is the one that created it.

Every breach you've seen associated with them, and it's been billions of records over the last couple years, has been somebody that has accidentally assigned too permissive of a policy to that storage bucket. That's a simple mistake. And it happens. And it's happened, you know, exposing over billions of records. But that is exactly that scenario you just described, where somebody doesn't quite understand.

Permissions can be tricky, even though they've been greatly simplified in the cloud. So here's something that by default is completely locked down, that somebody has opened up to, you know, more often than not to solve a problem. When you're trying to build something like well, we'll just give it more permissions. And now it works. And we're great, and they never lock them down again. And that's, you know, an educational challenge."

And, more than that, it is an opportunity. 

Cybersecurity teams can help solve security in the cloud issues

Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, tells the podcast audience that misconfigurations in the cloud are more than an educational issue that needs addressing. 

He also believes they are an opportunity for security teams to serve the business better than they have in the past.

"I think this is also a big cultural challenge. For the longest time, security teams haven't been great at working with other teams.

Part of that comes down to that constant firefighting. Part of it is just, you know, we're very myopically focused on threats. But the reality is, in small business and medium business, even in larger enterprises, you tend to talk to the security team at the kickoff of a project and at the end of it, and that's not good enough.

We need to be educating everybody so they can make better decisions throughout. You know, the smart defaults that the cloud providers have taken is a great start. But again, that shared responsibility model means that if you want to open everything up to the world, you can, but it's up to you to understand the consequences of that."

A tool that can help your team configure security correctly in cloud

I was also intrigued by one of the last things Nunnikhoven and I discussed about misconfigurations. What if you simply do not have the in-house expertise to build cloud environments in a secure way? 

There are tools that exist to help developers and engineers maintain security as they build a cloud environment for your organization. 

"We've got a platform called Trend Micro Cloud One that is targeted at people who are building IoT solutions in the cloud, whether that's in AWS, in Azure, or in Google Cloud Platform. And the idea there is to provide a set of services that will help you fulfill your responsibilities in the shared responsibility model.

A lot of the time that starts with an offering called Conformity. It is simply pointed at your account. And then it'll start popping up with ideas based on security checks, saying, 'Hey, you might want to turn this feature on in AWS, or this feature on an Azure. Here's what that feature will do for you.' I love the product simply because it falls along that educational model of, 'Hey, if you turn to this on, here's the impact. And if you want that, great; if not, here's how you turn that back off.' And it will alert you if anyone happens to turn that back on again.

I like a security control like that, because it's not just going to stop something. It's also going to provide that educational piece in the context of what you are doing. And more importantly, I think it sets customers up for future success in whatever they're building. And that's absolutely critical."

Critical, because our reliance on the cloud is greater than it has ever been.