June 26, 2020 By BlueAlly
By Courtney Radke, Joe Robertson, and Alain Sanchez
Fortinet CISO Perspectives
The cloud, especially multi-cloud, continues to play an important role in ongoing digital transformation efforts by organizations. It was especially crucial in enabling many organizations to successfully transition most or all of their employees to remote worker status in a very short period of time this year.
One of the key challenges of this increased reliance on cloud resources is establishing and maintaining consistent security, including unified visibility and control, to see and mitigate threats and deal with misconfigurations in a seamless manner. We met digitally with three of Fortinet’s Field CISOs, Courtney Radke, Joe Robertson, and Alain Sanchez, to discuss cloud security challenges they are seeing as they work with organizations around the world.
Q: What is top of mind for CISOs in relation to cloud security in 2020?
Alain - About two years ago, I started to hear fellow CISOs saying they were bringing back on-premises some components that they initially had started to migrate to the cloud as part of their digital transformation journey. Were these voices going to turn into a trend? We had to find out. So Fortinet commissioned a survey by an independent company that polled 350 decision-makers around the world—not necessarily Fortinet customers—and the results were surprising. They showed that 72% of respondents had actually migrated one component back home, ranging from data to applications and processes.
What this interesting figure did not mean, though, was that their cloud journey had stopped. Cloud is still the biggest IT trend we have ever witnessed, and continues to be a bright spot in 2020, according to Gartner. The story is more about a relentless back and forth process, wherein corporations are seeing the cloud as a full-size, no CAPEX laboratory of innovation—a place where they can test and measure the take-off rate of new services, and then repatriate, or not, whatever the performance dictates. However, one essential caveat in this back-and-forth is that the outcome cannot trade security for flexibility. The moment you need to manually reissue, redeploy, and retest one element of your security policy, you lose the benefits of this freedom.
Joe - Another critical issue, which shouldn't come as a surprise to anyone, is that CISOs are currently focused on how to secure their new remote workers who are accessing cloud-based applications from home. This problem has exploded on the scene, overshadowing but not removing the other concerns about cloud. I’ll focus for now on the basic concerns I hear from CISOs that are independent of the current Covid-19 crisis.
- Managing cloud environments and ensuring policies are consistent for workloads, regardless of what cloud or data center they run in.
- Compliance-related issues about protecting data (especially personally identifiable information) as it is moved into or out of a cloud.
- Ensuring the protection of data in SaaS applications. CISOs are dealing with a bewildering combination of cloud providers and SaaS applications, which means they are searching for solutions that give them security visibility into, and control of, multi-cloud environments. They are also looking for ways to provide the compliance reporting that boards of directors—and regulators—are demanding.
Courtney - There are three primary challenges that I have heard most often from CISOs as it relates to cloud security strategy. Covid-19 notwithstanding, CISOs have pretty well understood that gaining agility (and gaining revenue) was top of mind for businesses looking to create or expand their digital footprint to better reach the customer. This meant that they had to be prepared to move quickly when it came to properly assessing risk and implementing a complete cloud security strategy. This takes time and, as we all know, the business always wants to move faster.
CISOs who were methodically planning their cloud security strategies suddenly didn’t have the luxury of time in their “to cloud or not to cloud” deliberations. This is challenge number one – lack of time for planning.
With input, but not necessarily a choice of cloud provider(s), challenge number two is highlighted by the lack of resources and training. With the prevalence of multi-cloud, security teams needed to become (or hire) experts in multiple different cloud architectures, tools, and integrations, which can quickly become a complex burden on teams that are already stretched thin.
This segues into challenge three: “Who did I just give my keys to?” To speed up cloud migration and augment strapped security teams, businesses are turning to third parties for help and guidance, especially due to Covid-19. It is more important than ever to thoroughly vet and regularly evaluate these partnerships to ensure their security standards meet or exceed those of the business. Opening the environment to integrations from multiple third parties may solve temporary challenges, and may even become part of the long-term business strategy. However, care must be taken to avoid a “can’t see the forest for the trees” moment. Partner agreements and security policies cannot be a snapshot in time; they must evolve along with the company.
Q: What have recent events, with the scaling of remote work and the shifting of the IT landscape, taught us in terms of securing the cloud?
Alain - The magnitude of the remote working wave took even the most foresighted of CISOs by surprise. The fact is, remote working infrastructures and policies were never designed to face the entire planet working from home. But surprise turned into action in a few weeks. With the help of a growing number of prominent CISOs, we drew up the principles of a methodology to handle the remote working tsunami whilst ensuring business continuity and data protection.
Joe - It is true that recently, most of the actions of CISOs have been focused on getting remote workers up and running securely. This "all hands on deck" period is calming now, and the realities of the economic situation are starting to be felt. For certain categories of business, the crisis has been positive, but for the majority the consequences range from difficult to disastrous. This is leading to belt tightening everywhere, and the IT and security organizations are not immune.
The hacking community, amateur and professional, has not been weakened by the crisis, however, so cutting back on corporate cybersecurity seems penny wise but pound foolish. Nevertheless, when a company's revenues drop off a cliff, dramatic decisions must be made. This is why many CISOs I talk with are taking a hard look at investing in automation tools.
With so many users now accessing cloud resources from home, outside of the well-protected office connections, visibility into what is happening to workloads in the cloud, who is accessing them, and automated analysis of cloud activity are more important than ever. Resolving alerts can take an analyst anywhere from 20 minutes to several hours, or more. Automation tools can deal with many alerts in seconds, leaving only the most intractable for the SOC analysts.
Tools that provide visibility, such as Fortinet Cloud Workload Protection (FortiCWP), are fundamental to protecting the cloud. And an analysis and automation tool, such as the Fortinet Security Orchestration, Automation and Response offering (FortiSOAR), allows for rapid development of automation scripts, and even has hundreds of built-in playbooks that can evaluate and respond rapidly to anomalous situations.
Courtney - Recent events have truly been “ready or not, here we come” when it comes to dealing with the sheer scale of users accessing digital workloads and storefronts. For many companies, this was one of the only ways to interact with their customers, so business sustainability hinged on availability and increasing the appeal of their offerings to pull more traffic from someone else. This need to attract customers in a time of great need may have relaxed the rules a bit when it came to security in order to decrease friction of transactions.
Likewise, consumer buying patterns changed, so baselines around peak (normal) shopping hours or app logins may have looked dramatically different than 90 days prior. This paralleled what was seen in the rapid scale-up of remote workers and the need to ensure critical systems and information were accessible securely and without performance issues. If users could not get to what they needed, and quickly, through approved methods such as VPN, then they would start finding their own ways to get what they needed. Similarly, with the cloud: if it wasn’t the best way, the most appealing option, then users would find another option. This meant that policies around access hours, duration, session counts, etc. all needed to be evaluated and updated. Additionally, zero-trust networking coupled with adaptive authentication technologies allowed users to get to what they needed while keeping the growing number of threat actors out.
Q: When talking with CISOs, what is one thing that comes up the most in terms of securing the cloud—in almost every conversation?
Alain - The comment I hear most is a fear of the one-way ticket syndrome. “The moment I start to cash in all the benefits of my all-cloud strategy, cost, flexibility, real-time statistics, will I be able to keep full control of my strategy?”
I remind these colleagues that Fortinet’s role is not to influence their cloud strategy one way or another. We are a pure-play security player and our mission is to serve whatever cloud scenario our customers adopt: native, cloud, hybrid cloud, or any combination of the above. The objective is to ensure consistent and reliable security, including visibility and control, regardless of the cloud strategy they adopt.
Joe - I have found that no matter what cloud environments customers have, at some point we always talk about agile software development and DevOps, which can be challenging for the security team—especially since many applications run in one or multiple clouds. Everyone is trying to get developers to involve security early in the development process, some with more success than others.
This so-called "shift left" activity involves having security experts participate with the development team near the beginning of the cycle (the expression refers to moving cybersecurity activities further left on the project plan chart). As you can imagine, with so much development now using open source code, public libraries, APIs to other applications, etc., securing a modern application is a major concern. Just getting visibility into what is happening with the various workloads is a challenge.
Courtney - I recently spoke to a colleague who had undergone a full cloud audit, and the results were eye-opening to say the least. They found that over 30% of the cloud workloads tied to the company were either severely underutilized, grossly misconfigured, or—and this is the scariest part—previously unknown. Their mind immediately went to “can you imagine the cost savings if we right-sized these environments?” While a completely valid point, and one most likely on the mind of businesses today, my mind went to “do you have any idea how positive an impact cleaning this up will have on your security posture?”
This is called “cloud sprawl” and it is becoming more and more common as cloud computing becomes ubiquitous—similar to the virtual compute and traditional server architectures before it. Anyone can spin up new cloud resources that allow for fast and flexible business operations, but they also open the door for threat actors.