What Tech Companies Should Look For in Cloud Security

Last updated at Mon, 27 Mar 2023 17:05:43 GMT

The cloud's computing power and flexibility unlocks unprecedented speed and efficiency—a tech company's two best friends. But with that speed and efficiency comes new environments and touchpoints in an organization's footprint. That expanding attack surface brings along with it an expanding range of cloud security concerns.

Rapid7's Peter Scott joined Temporal Technologies's Brandon Sherman and Ancestry's Tony Black for a fireside chat to address today's growing CloudSec challenges.

The key? Building technologies and security policies alongside one another—from the start. That applies to both companies that are moving to the cloud and those that are cloud-first.

Making Cloud Security an Enabler, Not a Blocker

When companies start to move and function in the cloud, SecOps must adapt their thinking and processes to ephemeral environments. That entails getting down in the trenches early on with tech teams as they innovate and create while spinning up new instances.

“We started working with the idea that everything should be ephemeral and short-lived… That really started getting us into that mindset of a true cloud infrastructure and architecture," says Black. “It allowed us to start doing some things like tearing down our dead environments on the weekend if no one is using it. It reduces our attack surface and reduces our cost."

Collaboration between tech and security teams drives secure cloud innovation. However, that level of collaboration requires consistent communication and most importantly, a willingness to build trust.

“If you don't exercise that muscle of being engaged with those teams, then it's going to atrophy," says Sherman. “But if you keep working on it, then you get in earlier and earlier. Even with simple Slack conversations—if I can get involved at that part of it and help shape this whole process as it's built out to help experiment securely… That's awesome."

Consistently collaborating with tech teams not only helps keep security top of mind and integrate cloudsec with DevOps; it also transforms SecOps from a dreaded blocker into a reliable enabler. This level of collaboration requires not only trust but also a mutual understanding that implementing security is a problem-solver, not a problem to be solved.

That gives SecOps the power to help dev teams accelerate into production with fewer bumps in the road—because each new feature is built securely from the start.

Operationalization and Resiliency as Cloud Maturity Increases

Reframing security from a blocker to an enabler is indicative of a larger shift in security's role across the entire enterprise. As companies' cloud footprints grow and their maturity increases, CloudSec teams must ensure that their practices are not only scalable but also sustainable.

That means the security mindset needs to shift towards operationalization and resiliency.

“We want to be as reliable as running water," says Sherman. “That is a really high bar to obtain. So you need really good operational metrics, rigor, and processes. But the nice thing about the cloud is that you can practice all those things."

With the power of the cloud, tech companies have the freedom to rehearse their responses to even the most large-scale, potentially devastating attacks. By taking the time to practice building and breaking down high-risk environments, security teams can operationalize and, most importantly, plan for when—not if—new threats emerge.

To Black, it also comes down to establishing a consistent set of security practices that tech organizations hold to.

“A bunch of practices have to be in place. For example, no one should be able to touch a certain server, because if someone touches a certain server, then all of a sudden I can't rebuild that the way it was before," says Black, “Then, everything has to go through a pipeline. And that pipeline has to have controls … and checks in place to make sure that what we deploy is consistent and repeatable."

Keeping track of that decision-making ripple effect is a major factor in how well security teams can operationalize their best practices for securing cloud-native environments. That dedication to operationalization and resiliency ensures a better experience for devs, sec, and—most importantly—clients.

Clients, the Cloud, and Securing Sensitive Data

Tech companies are (for better or for worse) held to a higher standard by users in terms of reliability, ease of use, and security. Meeting those standards is even more critical when users are trusting tech companies with personal information that might be as sensitive as DNA, as is the case with some of Ancestry's clients.

What helps ensure and improve data protection in the cloud? A company-wide emphasis on customer trust.

“Fundamentally, our management team agrees that customer trust is part of the value proposition," says Black. “We have to earn that trust every day… It really helps when the management team says that customer trust is part of the value proposition, so we have to spend money and take an effort to maintain that customer trust."

Establishing a strong cloudsec foundation helps enable experiences that build customer trust. How can security teams create that base of security that keeps both dev teams and consumers happy? By approaching features as if they were to personally use them.

“Part of that comes down to being your own customer. If you trust your own company with your own data… You feel a lot better about it," says Sherman.

Aligning the Evolution of Cloud Security and Technology

Security teams are no longer the department of “no." With Gartner having predicted a 22% growth in worldwide cloud use by the end of 2022, tech companies should look out for this constant in cloud security: Change.

“The cloud changes beneath our feet. Things constantly evolve. If you're stuck in a mentality of, 'We do this thing, and this thing is security'," says Sherman, “even if that's best practice today, it might not be best practice tomorrow."

Because of that constant change, success in the cloud is rooted in incremental progress. Taking on cloudsec challenges one bit at a time will ensure a smoother cloud journey for organizations looking to unlock the power of working in ephemeral environments.

Want deeper insights on how tech companies can tackle today's cloud security challenges? Watch the full webinar below: