What does cloud native security actually look like? [Q&A]
Cybersecurity is a priority for all enterprises. We regularly see news of data breaches across a wide range of industries, and as workforces increasingly move to a hybrid model, the issue becomes more acute.
As businesses undergo digital transformation, they need to update not only their tools but also their attitude toward keeping systems secure. We spoke to Pravin Kothari, executive vice president, product and strategy at cloud security company Lookout, to find out why security needs a different approach in a cloud-native world.
BN: What are the main security challenges businesses face when moving to the cloud?
PK: There are a number of areas that need to be considered in a move to the cloud but the key security challenges come from:
- Losing control over your information and visibility of who is accessing your data.
- Continuous growth of cloud-based tools, technologies and vendors.
- Maintaining regulatory compliance over data protection such as HIPAA, GDPR, PCI, etc.
BN: Why are issues like misconfiguration such a problem?
PK: Many organizations aren't doing enough to protect their sensitive information. They don't realize that internet and cloud services aren't bullet-proof -- some just assume that their information is safe with service providers. But as we often see, a simple misconfiguration, a bug or abuse of an API could cause a major data exposure and wreak havoc on an organization and its customers.
Cloud security becomes a shared responsibility between the organization that’s creating the multi-cloud deployment and the cloud service provider themselves, and this often can leave room for misconfigurations or make it more difficult to ensure that all components in the architecture are secured appropriately. While multi-cloud deployments are very attractive from a design and availability perspective, creating consistent security controls across all of them can be difficult. Your third-party security vendors that you’d like to use in your new multi-cloud deployment may not work with all of the cloud service providers, which puts security architects in a challenging position when making sure they have visibility and controls to protect that complete architecture.
BN: How has the shift to hybrid working affected security needs?
PK: Our work and personal lives have intersected, resulting in data going to personal devices and untrusted networks. In turn, this causes attack surface expansion -- from perimeter control to now multi-cloud and unmanaged devices and networks.
To address this, security teams need to apply consistent policy across SaaS, cloud services and endpoints. They also need to look beyond user authentication to analyze a wide array of contextual data and telemetry data that continuously verifies user actions.
BN: What can organizations do to build a more robust cloud security posture?
PK: In the cloud-first and hybrid workforce environment, you can never anticipate what kind of security incident could arise. Zero trust architecture offers an elegant solution to solving this dilemma by assuming that no entity is trustworthy in the first place. You need to look beyond the user’s ID and credentials to continuously authenticate against contextual data. For example, your endpoint security solution provides context into whether the device is compromised or connected to a risky network so that their access to sensitive applications can be controlled.
Organizations need to be aware of the growing risk with their data in the new world of cloud and hybrid workforce, and always protect their sensitive data such as personally identifiable information (PII) and protected health information (PHI).
Organizations could implement a Secure Service Edge (SSE) for securing access to the web, cloud services and private applications, that can look into the endpoint context to limit the access to sensitive data and can provide embedded digital rights (EDRM) to continuously protect your data wherever it goes.
BN: How can you avoid security impacting on productivity?
PK: With your employees and contractors accessing cloud apps from just about any device from anywhere to stay productive, your conventional security tools cannot provide the visibility and control you need to protect users and sensitive data in the new cloud world with a hybrid workforce.
SSE is again a great example of security architecture that seamlessly checks for zero trust access decisions and automatically protects your sensitive information. However, the key is to select security solutions that can keep the data always protected wherever it goes and that are natively integrated with endpoint security posture.