State of Cloud Security 2024 from real conversations
Learn about the current State of Cloud Security, Challenges and Strategies from Cloud Security Leaders and Practitioners
Hello from the Cloud-verse!
This week’s Cloud Security Newsletter Topic is The State of Cloud Security in 2024 - Edition 1
Thank you to everyone who spent time with us at Hacker Summer Camp last week. It was such a pleasure meeting all of you, and we recorded some really great interviews that we are very much looking forward to bringing to you.
You would have caught all the highlights on our socials from Day 1, 2, 3 & Defcon. If you would like to stay updated on our Cloud Security Conference coverage or latest episodes, do consider following us on YouTube, LinkedIn or Twitter. 🙂
In case this is your first Cloud Security Newsletter!
Welcome! We are a weekly newsletter from the team behind Cloud Security Podcast & AI CyberSecurity Podcast, deep diving into top-of-mind topics in emerging technology to make sure that collectively we feel confident securing things in this ever-changing world of Cloud, AI and whatever comes next.
Who else is here reading with you?
Ashish & Shilpi from the weekly show Cloud Security Podcast, plus friends and colleagues from companies like Netflix, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb & more who subscribe to this newsletter. If you are reading this, thank you for supporting us and sharing with your friends who like to learn about a new Cloud Security topic every week.
Cloud Security Topic of the Week
The State of Cloud Security in 2024 - Edition 1
We are over halfway through 2024. Reflecting on our most recent episode with Srinath Kuruvadi, Managing Director, Head of Product Security - Cloud at a well-known financial institution, along with some really valuable insights from our conversations with Fredrick Lee, CISO at Reddit, Adrian Asher, CISO and Cloud Architect at Checkout.com, Rich Mogull, SVP Cloud Security, and Chris Farris, Principal Cloud Security Engineer, we are breaking down the State of Cloud Security from real conversations with real practitioners.
Defining Cloud Security in 2024 🔍
Cloud security has come a long way since the early days of cloud adoption.
"Cloud security as a space has evolved a lot, right? When it started, it barely existed. It used to be more VM security or system security or more securing the sandbox environments. That's how it started. And then it has gotten a lot more mature over at least in the past 15 plus years."
In 2024, cloud security encompasses a wide range of practices and technologies designed to protect data, applications, and infrastructure associated with cloud computing. It includes:
Identity and Access Management (IAM)
Data encryption
Network security
Compliance management
Threat detection and response
Continuous monitoring and auditing
Key Trends Shaping Cloud Security in 2024 📈
1. Shift to Cloud Native Security
Adrian Asher emphasizes the importance of moving beyond "cloud naive" approaches:
"The cloud is more secure, but the cloud is only more secure when you use it so when you're not having to manage infrastructure like patching servers, say an EC2 in Amazon, like if you're doing that, you're wasting your time. You should be using cloud native technologies."
Cloud native security involves:
Leveraging managed services (e.g., AWS Fargate, Lambda)
Implementing infrastructure-as-code for security configurations
Utilizing cloud provider-specific security services and features
Adopting containerization and serverless security practices
2. Focus on Application and Data Security
"We can actually reduce meaningful risk to the business. And that's where a crux of a big part of our cloud security engineering bandwidth goes in, in any organization that we are seeing."
Key aspects include:
Secure API management
Runtime application self-protection (RASP)
Data encryption in transit, at rest and in use
Data loss prevention (DLP) strategies
Continuous vulnerability scanning and patching of OS, Application Code, related libraries and supply chain
3. Threat Modeling and Risk Assessment
Use threat modeling to:
Identify common cloud attack patterns
Prioritize security efforts based on real-world threats, aka “exploitable vulnerabilities with higher likelihood”
Develop more effective defence strategies in the application architecture to detect and prevent threats
4. Automation and Policy-as-Code
Automation in cloud security includes:
Automated compliance checks and reporting
Continuous security posture management
Automated incident response and remediation
Policy enforcement through code
5. Privacy and Compliance Integration
Data sovereignty and residency requirements
GDPR, CCPA, and other regional privacy regulations
Industry-specific compliance (e.g., HIPAA, PCI DSS)
Privacy by design principles in cloud architectures
Actionable Insights for Cloud Security Professionals 🚀
1. Embrace Cloud Native Security
"You should be using cloud native technologies, so platform as a service, things like Amazon Fargate, things like Amazon Lambda, so that you can actually focus on what differentiates you in the marketplace at the application layer and not what doesn't differentiate you in the marketplace like patching a server for a Linux vulnerability."
Action items:
Migrate from IaaS to PaaS and serverless where practical, to pass the risk of patching and infrastructure management to the cloud provider.
Implement cloud-native security tools and practices in the cloud of choice, to benefit from its native capabilities to log and ship application and security logs for detection.
Train teams on cloud-native security principles, to enable the creation of shared security libraries that speed up security integration in the cloud by the wider organization.
2. Implement Least Privilege Access
"Each individual Lambda should have its own individual AWS IAM role. Now that role should be the least permissions that individual piece of code needs in order to run."
Implementation steps:
Conduct regular access reviews for Human and Non-Human actors in Cloud
Use just-in-time (JIT) access provisioning to acquire temporary credentials instead of using permanent credentials
Implement strong authentication mechanisms (MFA, SSO)
Utilize IAM roles and temporary credentials for non-Human users
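One way to check the "one role per Lambda, least permissions" rule during an access review, as an added example (not code from the newsletter or its guests). The function names, role ARNs and policies are a constructed inventory; only `Action`/`Resource` wildcards in `Allow` statements are checked.

```python
from collections import defaultdict

# Constructed sample inventory: function -> execution role ARN, and
# role ARN -> policy document in the standard IAM JSON policy shape.
SHARED = "arn:aws:iam::111122223333:role/shared-lambda-role"
SCOPED = "arn:aws:iam::111122223333:role/read-orders-role"
FUNCTIONS = {
    "resize-image": SHARED,
    "send-invoice": SHARED,
    "read-orders": SCOPED,
}
ROLE_POLICIES = {
    SHARED: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ]},
    SCOPED: {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders",
    }},
}

def _as_list(value):
    # IAM allows Statement/Action/Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]

def audit(functions, role_policies):
    """Return (finding, role, detail) tuples for shared roles and wildcards."""
    findings = []
    by_role = defaultdict(list)
    for fn, role in functions.items():
        by_role[role].append(fn)
    for role, fns in sorted(by_role.items()):
        if len(fns) > 1:  # more than one function assumes the same role
            findings.append(("shared-role", role, ",".join(sorted(fns))))
        policy = role_policies.get(role, {})
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action", [])):
                if action == "*" or action.endswith(":*"):
                    findings.append(("wildcard-action", role, action))
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append(("wildcard-resource", role, "*"))
    return findings
```
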
3. Adopt a Threat Model
"When you look at what you get, because you can use a CSPM, you can use an open source, you can use a commercial, whatever you have to have some way of orienting yourself, you can use what's given to you by your cloud providers to start, but you're going to get a sea of findings and it's going to be at the criticality levels they define. So the threat model can help you sort through that mentally."
Steps to implement:
Identify common threat actors targeting your industry
Map out potential attack vectors specific to your cloud environment
Prioritize security controls based on the most likely and impactful threats
Regularly update the threat model as the landscape evolves
4. Integrate Security into DevOps
"The more I can enable my developers to ship code 20, 30, 40, 100 times a day, per individual developer, the happier I will be."
DevSecOps implementation:
Integrate security checks into CI/CD pipelines of Applications
Implement Infrastructure as Code (IaC) security scanning to identify tactical threats, e.g. hard-coded secrets or ports open to the internet
Conduct regular security training for developers
Foster collaboration between security and development teams
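The IaC scanning step above, sketched as a CI check for the two issues it names: ports open to the internet and hard-coded secrets. This is an added example, not the newsletter's own code; the template is a constructed CloudFormation-style document and the secret-like key names are an assumption.

```python
import re

# Constructed CloudFormation-style template (already parsed from JSON/YAML).
TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
        ]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "MasterUsername": {"Ref": "DbUser"},
        "MasterUserPassword": "EXAMPLE-not-a-real-password",
    }},
}}

SECRET_KEY = re.compile(r"password|secret|token|apikey", re.I)  # assumed key names
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def _walk(node, path=""):
    """Yield (path, leaf_key, value) for every leaf in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}/{index}")
    else:
        yield path, path.rsplit("/", 1)[-1], node

def scan(template):
    """Return (resource, finding, detail) tuples for a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in OPEN_CIDRS or rule.get("CidrIpv6") in OPEN_CIDRS:
                    findings.append((name, "open-ingress", rule.get("FromPort")))
        for path, key, value in _walk(props):
            # Literal string under a secret-like key. {"Ref": ...} values have
            # leaf key "Ref", and dynamic references are resolved at deploy time.
            if (isinstance(value, str) and SECRET_KEY.search(key)
                    and not value.startswith("{{resolve:")):
                findings.append((name, "hardcoded-secret", path))
    return findings
```

A pipeline step can fail the build whenever `scan()` returns a non-empty list.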
5. Focus on Data Security and Privacy
Data security best practices:
Implement data classification and tagging based on the organization’s Data Security Policy
Use encryption for data in transit, at rest and in use
Implement data access logging and monitoring for Cloud Native services and endpoints
Regularly conduct data privacy impact assessments
Define Incident Response scenarios for data related security incidents
Challenges and Solutions 🛠️
1. Complexity of Multi-Cloud Environments
Challenge: Managing security across multiple cloud providers.
Solutions:
Implement cloud-agnostic security policies
Use multi-cloud management and security tools
Develop expertise in the team for each major cloud platform
Implement consistent security baselines across clouds using cloud-agnostic libraries, e.g. cloud-agnostic Infrastructure as Code languages.
2. Keeping Up with Rapid Changes
"There's no compression algorithm for experience."
Solutions:
Foster a culture of continuous learning
Attend cloud security conferences and workshops, e.g. Cloud Security Bootcamp
Leverage community resources (e.g., AWS Security Blog, Cloud Security Alliance)
Implement automated update and patch management processes
3. Balancing Security and Innovation
"Businesses require risk. If you are not doing something risky at a business, you probably don't have a business that's going to be successful."
Solutions:
Implement a risk-based approach to security problems
Create a security champions program for Cloud within development teams
Use threat modeling sessions with the development teams to identify and mitigate risks early in the development process
Regularly communicate security risks and benefits to business stakeholders
4. Talent Shortage and Skill Gap
Solutions:
The Role of AI in Cloud Security 🤖
AI is increasingly playing a crucial role in cloud security.
"I am hopeful and optimistic that AI is actually gonna allow us to bring more people into security as opposed to less because now we can actually have more people asking interesting questions without the need to actually go back and learn a bunch of foundational things."
"I am actually very excited about one possibility that Gen AI might bring to us is personalizing recommendations based on my risks, my environment, my structure, and then my compensating controls. Given everything, feed that in into a Gen AI system. And that essentially tells me, Hey, here's where your risks exist. Here's what you're missing. Wouldn't that be awesome?"
AI applications in cloud security:
Speed up Anomaly detection and threat identification
Automate incident response for known incidents
Predictive security analytics based on previous learned security incidents
Natural language processing for ease of log analysis based on threat intelligence
This week’s Cloud Security Quiz - All the Best!
Which of the following is NOT typically considered a core component of cloud security in 2024?
The correct answer was “A technology that encrypts data in use”.
🤖 Are you interested in AI Cybersecurity?
Then you should definitely check out our sister podcast, AI Cybersecurity Podcast, hosted by Ashish Rajan and Caleb Sima.
👩🏽‍💻 Cloud Security Training from Practitioners!
Want to learn more about Cloud Security, or know someone who wants to? We got you!
If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.
Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!
We would love to hear from you 📢 for a feature or topic request, or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members in this newsletter community 💙
Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.
Peace!