Companies are moving more and more of their operations to the cloud. Though the trickle has been constant for at least the last decade, we’ve reached a tipping point where major organizations and government departments are publicly announcing wholesale shifts of their infrastructure and applications to the cloud. Businesses know the benefits of moving to the cloud, and even the most hardened cybersecurity practitioner will admit that “there are so many great things a CSP (cloud service provider) may do better than what a traditional IT shop can do,” said Jake Kouns, CISO and COO of security analytics firm Risk Based Security. However, even though the environment changes, the need for careful planning and security oversight remains.
During Black Hat USA, Kouns explained that organizations don’t necessarily need to reinvent the wheel when it comes to securing services and applications in someone else’s infrastructure. It is necessary, however, to extend lessons learned over the years. “We need the same level of maturity in the cloud [as in an on-premises data center],” he said, pointing out that a data breach or compromise has the same result for the affected organization regardless of environment. He added that he has a “love-hate-love” view of the cloud because the systemic risk is higher. “When there’s one vulnerability that can impact dozens or hundreds of clients,” Kouns warned, it would be negligent to ignore “what your neighbors are up to” or assume that all tools and processes can automatically extend to the cloud.
In this short video shot in the Black Hat Business Hall, Kouns shares his thoughts on:
- How to approach securing cloud environments
- When and where zero trust networking factors into a cloud migration
- Why you should “make software and vendors earn their way onto your network”