The Roadmap
Set Your Cloud Security In Motion
01
Gain Awareness & Deep Cloud Visibility
Start with the basics.
How exactly is your company using the cloud? What kinds of permissions do your users have? What kind of data is stored there? Investigating the fundamentals will build the situational awareness required to lay your cloud security groundwork.
“Most organizations operating in the cloud have no visibility into the type of data that’s stored in their cloud environments,” explains Chiodi.
“They may say they have sensitive data, but they can’t quantify it. They don’t know what type of data it is or who has access to it. That’s important because no matter where a business operates, whether primarily in North America or globally, there are different compliance mandates. You have to fully understand what your data is, where it is, how it’s accessed and how it’s secured in order to protect your company and customers.”
To address cloud security threats, business leaders must take proactive steps to increase visibility and secure their cloud environments today. Powered by expert research from Prisma Cloud’s Unit 42 Cloud Threat Report, here are five key strategies to cultivate your company’s cloud security.
What's Obscuring Leaders' Cloud Awareness?
Weak Identity & Access Management
In cloud environments, strong identity and access management controls provide crystal-clear insight into who has permissions to a company’s cloud resources and what those users can accomplish with those resources. Many security leaders lack this baseline layer of visibility—leaving the company vulnerable to increasingly sophisticated attacks.
Legacy Tools
“Many organizations are trying to use the same tools in the cloud that they used in their traditional data centers or on-premises,” says Chiodi. “A lot of those tools are not cloud-friendly and don’t leverage cloud provider application program interfaces (APIs), which are the main pathway for gathering information and getting visibility into a cloud environment.”
02
Set Security Guardrails
Guardrails prevent employees like developers and security teams from implementing flawed security settings.
Also termed “security misconfigurations,” these setup errors might include disabled encryption, overly lenient firewall rules, publicly accessible database snapshots and more. With effective security guardrails in place, however, misconfigurations can be flagged and corrected in advance, thwarting potential hackers and diminishing overall risk to your organization.
To shift away from manual, error-riddled configuration, security teams can use infrastructure-as-code (IaC) templates, which build cloud infrastructure through code and can thus automate and scale the rules they put in place. Word of caution: IaC templates aren’t foolproof. In fact, Prisma Cloud recently found that almost half of scanned templates from a major cloud provider contained “potentially vulnerable” configurations. So, these templates must be audited for their own security misconfigurations in order to properly enforce guardrails.
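As an added illustration of auditing an IaC template before it is deployed (this is not Prisma Cloud's scanner or code from the report), the sketch below checks a constructed CloudFormation-style JSON template for two of the misconfigurations named above, disabled encryption and overly lenient firewall rules, plus a database instance marked publicly accessible. The resource names and the rule set are assumptions chosen for the example; snapshot sharing is not expressed in this template and is not covered.

```python
import json

# Constructed CloudFormation-style template (sample input, not from the report).
TEMPLATE = json.loads("""
{
  "Resources": {
    "AppDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"StorageEncrypted": false, "PubliclyAccessible": true}},
    "LogVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [
                  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance",
               "Properties": {"StorageEncrypted": true, "PubliclyAccessible": false}}
  }
}
""")

# Property that must be explicitly true for each resource type (assumed rule set).
ENCRYPTION_FLAG = {"AWS::RDS::DBInstance": "StorageEncrypted",
                   "AWS::EC2::Volume": "Encrypted"}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def audit(template):
    """Return a sorted list of (resource_name, finding) tuples."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        flag = ENCRYPTION_FLAG.get(rtype)
        # A missing flag is reported too: the template does not state encryption is on.
        if flag and props.get(flag) is not True:
            findings.append((name, f"{flag} is not enabled"))
        if rtype == "AWS::RDS::DBInstance" and props.get("PubliclyAccessible") is True:
            findings.append((name, "database is publicly accessible"))
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in OPEN_CIDRS:
                    ports = f"{rule.get('FromPort')}-{rule.get('ToPort')}"
                    findings.append((name, f"ingress {ports} open to {cidr}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(TEMPLATE):
        print(f"{name}: {finding}")
```

Run as a pipeline step, a non-empty result from `audit` can fail the build so the template is corrected before anything is provisioned.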
“The risk of not setting security guardrails is that you have a misconfiguration in your cloud environment that just sits. Whether that misconfiguration sits for a month or a day, at some point an attacker will discover it and use it against you. You may not even know that you have that misconfiguration until an attacker leverages it.”
Matt Chiodi, Chief Security Officer, Public Cloud, Palo Alto Networks
03
Adopt And Enforce Standards
“If the cybersecurity team can get standards adopted and enforced, it actually allows the business to move much faster in their adoption of cloud,” says Chiodi. With automated security controls being the ultimate goal, he explains, standardization across an organization’s various cloud environments must come first.
A solid starting point for security teams aiming to standardize? “The Center for Internet Security (CIS) has benchmarks for all major cloud platforms,” according to Prisma Cloud’s Unit 42 Cloud Threat Report. “Look to automate and codify these standards by leveraging IaC.”
How Do You Standardize “Snowflakes”?
“Standards are the precursor to automation. It’s the bottom line,” says Chiodi, adding that an enterprise could have dozens, even hundreds, of cloud environments—each one a “snowflake” with its own unique security configuration. “You can’t automate that. If there’s security standardization in the cloud, the businesses can run much faster. Companies with hyperscale in the cloud can have a billion-plus users because they have massive standardization across the entire tech stack, security included.”
04
Train & Hire Security Engineers Who Code
It’s time to invest in the skills of your security team.
Traditionally, many security practitioners lacked experience in software development, but since the cloud itself is powered by software, bridging that skills gap can drastically boost a company’s proactive response to cloud risk, explains Chiodi.
“Security teams need to have talent that understands how developers work and how development pipelines work. It’s a big gap that most organizations try to solve by buying a security product. That’s part of the solution, but it’s not the only thing. You’ve got to pay attention to the people component.”
“All companies are in the technology business now. And because of that, it’s important that security teams have individuals that know how to code.”
05
Embed Security In DevOps
Establish cloud security as “early as possible and as close as possible to the developer,” advises Chiodi.
Accelerate your organization’s ability to automate its cloud security by “shifting your security left”—at the outset—and integrating security into the development and operations (DevOps) of your organization. This step requires early buy-in from your DevOps team, with the ultimate aim of reducing human involvement in your cloud architecture down the line. By moving security to the earliest possible point in the development process, an organization fulfills the principle of shift-left security.
“There’s investigative work that needs to be done in order to understand how software is built and pushed to the cloud,” explains Chiodi. “Once your security team figures out the workflow, how code moves from a developer’s laptop and gets pushed out to the cloud, then you can plan out how to secure the people, processes and technology.”
Despite increasing threats in the cloud, organizations can take the above steps to deepen visibility and secure their cloud environments. To explore Prisma Cloud’s Unit 42 Cloud Threat Report, including the recommendations mentioned above, click here.
Matt Chiodi, Chief Security Officer, Public Cloud, Palo Alto Networks