State of Cloud Security 2024 from real conversations

Learn about the current State of Cloud Security, Challenges and Strategies from Cloud Security Leaders and Practitioners

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter Topic is The State of Cloud Security in 2024 - Edition 1 (continue reading)

Thank you to everyone who spent time with us at Hacker Summer Camp last week, it was such a pleasure meeting all of you and we recorded some really great interviews that we are very much looking forward to bringing to you.

You would have caught all the highlights on our socials from Day 1, 2, 3 & Defcon. If you would like to stay updated on our Cloud Security Conference coverage or latest episodes do consider following us on YouTube, Linkedin or Twitter to stay updated. 🙂 

In case this is your 1st Cloud Security Newsletter!
Welcome! We are a weekly newsletter from the team behind Cloud Security Podcast & AI CyberSecurity Podcast, deep diving into top-of-mind topics in emerging technology so that collectively we feel confident securing things in this ever-changing world of Cloud, AI and whatever comes next.

Who else is here reading with you?
Ashish & Shilpi, from the weekly show Cloud Security Podcast, friends and colleagues from companies like Netflix, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb & more who subscribe to this newsletter. If you are reading this - thank you for supporting us and sharing with your friends who like to learn about a new Cloud Security Topic every week.

Cloud Security Topic of the Week 


The State of Cloud Security in 2024 - Edition 1

We are over halfway through 2024. Reflecting on our most recent episode with Srinath Kuruvadi, Managing Director, Head of Product Security - Cloud at a well-known financial institution, along with some really valuable insights from our conversations with Fredrick Lee, CISO at Reddit, Adrian Asher, CISO and Cloud Architect at Checkout.com, Rich Mogull, SVP Cloud Security, and Chris Farris, Principal Cloud Security Engineer, we are breaking down the state of cloud security from real conversations with real practitioners.

Defining Cloud Security in 2024 🔍

Cloud security has come a long way since the early days of cloud adoption.

"Cloud security as a space has evolved a lot, right? When it started, it barely existed. It used to be more VM security or system security or more securing the sandbox environments. That's how it started. And then it has gotten a lot more mature over at least the past 15 plus years."

Srinath Kuruvadi

In 2024, cloud security encompasses a wide range of practices and technologies designed to protect data, applications, and infrastructure associated with cloud computing. It includes:

  • Identity and Access Management (IAM)

  • Data encryption

  • Network security

  • Compliance management

  • Threat detection and response

  • Continuous monitoring and auditing

1. Shift to Cloud Native Security

Adrian Asher emphasizes the importance of moving beyond "cloud naive" approaches:

"The cloud is more secure, but the cloud is only more secure when you use it so when you're not having to manage infrastructure like patching servers, say an EC2 in Amazon, like if you're doing that, you're wasting your time. You should be using cloud native technologies."

Adrian Asher

Cloud native security involves:

  • Leveraging managed services (e.g., AWS Fargate, Lambda)

  • Implementing infrastructure-as-code for security configurations

  • Utilizing cloud provider-specific security services and features

  • Adopting containerization and serverless security practices

2. Focus on Application and Data Security

"We can actually reduce meaningful risk to the business. And that's where a crux of a big part of our cloud security engineering bandwidth goes in, in any organization that we are seeing."

Srinath Kuruvadi

Key aspects include:

  • Secure API management

  • Runtime application self-protection (RASP)

  • Data encryption in transit and at rest and in use

  • Data loss prevention (DLP) strategies

  • Continuous vulnerability scanning and patching of the OS, application code, third-party libraries and the software supply chain

3. Threat Modeling and Risk Assessment

Use threat modeling to:

  • Identify common cloud attack patterns

  • Prioritize security efforts based on real-world threats, i.e. exploitable vulnerabilities with a higher likelihood of actually being abused

  • Design more effective defences into the application architecture to detect and prevent those threats

4. Automation and Policy-as-Code

Automation in cloud security includes:

  • Automated compliance checks and reporting

  • Continuous security posture management

  • Automated incident response and remediation

  • Policy enforcement through code

5. Privacy and Compliance Integration

  • Data sovereignty and residency requirements

  • GDPR, CCPA, and other regional privacy regulations

  • Industry-specific compliance (e.g., HIPAA, PCI DSS)

  • Privacy by design principles in cloud architectures

Actionable Insights for Cloud Security Professionals 🚀

1. Embrace Cloud Native Security

"You should be using cloud native technologies, so platform as a service, things like Amazon Fargate, things like Amazon Lambda, so that you can actually focus on what differentiates you in the marketplace at the application layer and not what doesn't differentiate you in the marketplace like patching a server for a Linux vulnerability."

Adrian Asher

Action items:

  • Migrate from IaaS to PaaS and serverless where practical, so that patching and infrastructure maintenance become the cloud provider's responsibility. The shared-responsibility line moves, it does not disappear: configuration, identity and application code remain yours.

  • Adopt the native security tooling of your chosen cloud, in particular its capabilities to collect and ship application and security logs into your detection pipeline

  • Train teams on cloud-native security principles so they can build shared security libraries that speed up secure adoption across the wider organization

2. Implement Least Privilege Access

"Each individual Lambda should have its own individual AWS IAM role. Now that role should be the least permissions that individual piece of code needs in order to run."

Srinath Kuruvadi

Implementation steps:

  • Conduct regular access reviews for Human and Non-Human actors in Cloud

  • Use just-in-time (JIT) access provisioning so that people obtain short-lived credentials for a specific task instead of holding standing permanent credentials

  • Implement strong authentication mechanisms (MFA, SSO)

  • Use IAM roles and temporary credentials for non-human identities (workloads, CI pipelines) instead of long-lived access keys
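The quote above asks for one role per Lambda with only the permissions that code needs. The Python below is an added example, not code from the episode or from any of the speakers: it builds such a scoped policy document for a hypothetical `order-ingest` function (the account ID, bucket and table names are placeholders) and lints it for the patterns that quietly defeat least privilege, then contrasts it with the "one shared role, `*` on `*`" anti-pattern.

```python
"""Per-function least-privilege IAM policy builder and linter (added example)."""

ACCOUNT_ID = "123456789012"   # placeholder account, not a real one
REGION = "us-east-1"


def build_lambda_policy(function_name: str, bucket: str, table: str) -> dict:
    """Return an IAM policy scoped to exactly what one Lambda needs.

    Assumes the function reads objects under a prefix named after it in
    ``bucket`` and writes items to DynamoDB ``table``; nothing else.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{function_name}/*"],
            },
            {
                "Sid": "WriteOwnTable",
                "Effect": "Allow",
                "Action": ["dynamodb:PutItem"],
                "Resource": [f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{table}"],
            },
            {
                "Sid": "WriteOwnLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": [
                    f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/{function_name}:*"
                ],
            },
        ],
    }


def lint_policy(policy: dict) -> list[str]:
    """Flag Allow statements that are broader than a single workload should get."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a}")
            elif a.startswith("iam:"):
                findings.append(f"{sid}: IAM action {a} in a workload role, review for privilege escalation")
        for r in resources:
            if r == "*":
                findings.append(f"{sid}: wildcard resource")
    return findings


# Constructed example of the shared "one role for every function" anti-pattern.
SHARED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    print("shared role :", lint_policy(SHARED_ROLE_POLICY))
    print("scoped role :", lint_policy(build_lambda_policy("order-ingest", "orders-ingest", "orders")))
```

The linter is deliberately strict about `iam:` actions: a workload role that can `iam:PassRole` or `iam:CreateAccessKey` is a privilege-escalation path even when every resource ARN is specific, so it is flagged for review rather than silently allowed.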

3. Adopt a Threat Model

"When you look at what you get, because you can use a CSPM, you can use an open source, you can use a commercial, whatever you have to have some way of orienting yourself, you can use what's given to you by your cloud providers to start, but you're going to get a sea of findings and it's going to be at the criticality levels they define. So the threat model can help you sort through that mentally."

Rich Mogull

Steps to implement:

  • Identify common threat actors targeting your industry

  • Map out potential attack vectors specific to your cloud environment

  • Prioritize security controls based on the most likely and impactful threats

  • Regularly update the threat model as the landscape evolves
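Rich Mogull's point is that a CSPM hands you a sea of findings ranked by the vendor's criticality, and the threat model is what lets you re-sort them. The Python below is an added example, not from the episode or any speaker: it re-ranks a constructed set of findings by likelihood (internet exposure, known exploitability) times impact (the data classification tag on the asset), keeping the vendor label only as a tie-breaker. The weights and the four sample findings are assumptions for illustration.

```python
"""Threat-model-driven re-ranking of CSPM findings (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    resource: str
    provider_severity: str      # label assigned by the CSPM
    internet_exposed: bool      # reachable from the internet?
    data_classification: str    # from your data classification tags
    exploit_known: bool         # trivially abused or on a known-exploited list


PROVIDER_SEVERITY = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
DATA_IMPACT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


def threat_score(f: Finding) -> int:
    """likelihood x impact, with the vendor label only as a tie-breaker.

    Weights are assumptions; replace them with the factors your own threat
    model says matter (e.g. blast radius, compensating controls).
    """
    likelihood = (2 if f.internet_exposed else 1) * (2 if f.exploit_known else 1)
    impact = DATA_IMPACT[f.data_classification]
    return likelihood * impact * 10 + PROVIDER_SEVERITY[f.provider_severity]


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings by the threat model, highest score first."""
    return sorted(findings, key=threat_score, reverse=True)


def vendor_order(findings: list[Finding]) -> list[Finding]:
    """The order a CSPM dashboard would show: by its own severity label."""
    return sorted(findings, key=lambda f: PROVIDER_SEVERITY[f.provider_severity], reverse=True)


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    Finding("F1", "i-0a1b (private subnet, missing patch)", "CRITICAL", False, "internal", False),
    Finding("F2", "s3://customer-exports (public read)", "MEDIUM", True, "confidential", True),
    Finding("F3", "iam-user/deploy-bot (no MFA, long-lived key)", "HIGH", True, "restricted", False),
    Finding("F4", "s3://static-site-assets (public read)", "LOW", True, "public", True),
]

if __name__ == "__main__":
    print("vendor order :", [f.id for f in vendor_order(SAMPLE_FINDINGS)])
    print("threat order :", [f.id for f in prioritize(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"  {f.id} score={threat_score(f):3d} {f.resource}")
```

With these inputs the dashboard order is F1, F3, F2, F4 (the private-subnet patch first), while the threat-model order is F2, F3, F4, F1: the public bucket holding confidential data jumps from third to first, and the unreachable host drops to last. The data classification tags from the data-security section are what make the impact term meaningful.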

4. Integrate Security into DevOps

"The more I can enable my developers to ship code 20, 30, 40, 100 times a day, per individual developer, the happier I will be."

Adrian Asher

DevSecOps implementation:

  • Integrate security checks into CI/CD pipelines of Applications

  • Implement Infrastructure as Code (IaC) security scanning to catch tactical issues before deployment, e.g. hard-coded secrets or security groups open to the internet

  • Conduct regular security training for developers

  • Foster collaboration between security and development teams
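The two concrete checks named above for IaC scanning (hard-coded secrets, ports open to the internet) are also the simplest form of the policy-as-code enforcement from the "Automation and Policy-as-Code" section. The Python below is an added example, not from the episode or any speaker: it runs both checks over a constructed CloudFormation-style JSON template and a corrected copy of it. The template, resource names and environment variables are made up; `AKIAIOSFODNN7EXAMPLE` is the example access key ID that AWS uses in its own documentation, and `{{resolve:secretsmanager:...}}` is CloudFormation's dynamic-reference syntax for pulling a secret at deploy time instead of committing it.

```python
"""Policy-as-code checks over an IaC template (added example)."""
import copy
import re

SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}   # admin and database ports
ANY_CIDR = {"0.0.0.0/0", "::/0"}
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS access key id format
SECRET_NAME = re.compile(r"(password|secret|token|api_?key)", re.I)


def check_security_groups(template: dict) -> list[str]:
    """Flag security groups that expose sensitive ports to the whole internet."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in ANY_CIDR:
                continue
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if hit:
                findings.append(f"{logical_id}: {cidr} can reach port(s) {hit}")
    return findings


def check_hardcoded_secrets(template: dict) -> list[str]:
    """Flag literal credentials anywhere in Resources, allowing dynamic references."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, str):
                    if AWS_KEY_ID.search(value):
                        findings.append(f"{path}.{key}: AWS access key id literal")
                    elif SECRET_NAME.search(key) and not value.startswith("{{resolve:"):
                        findings.append(f"{path}.{key}: secret-looking key with literal value")
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(template.get("Resources", {}), "Resources")
    return findings


def scan_template(template: dict) -> list[str]:
    return check_security_groups(template) + check_hardcoded_secrets(template)


# Constructed template with both classes of mistake.
TEMPLATE = {
    "Resources": {
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "ops access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "IngestFn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Environment": {
                    "Variables": {
                        "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                        "DB_PASSWORD": "hunter2",
                        "API_TOKEN": "{{resolve:secretsmanager:prod/api:SecretString:token}}",
                    }
                }
            },
        },
    }
}

# The same template after the fixes a reviewer would ask for.
FIXED_TEMPLATE = copy.deepcopy(TEMPLATE)
FIXED_TEMPLATE["Resources"]["AdminSg"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "10.0.0.0/8"
_vars = FIXED_TEMPLATE["Resources"]["IngestFn"]["Properties"]["Environment"]["Variables"]
_vars.pop("AWS_ACCESS_KEY_ID")   # the function should use its execution role, not a static key
_vars["DB_PASSWORD"] = "{{resolve:secretsmanager:prod/db:SecretString:password}}"

if __name__ == "__main__":
    for line in scan_template(TEMPLATE):
        print("FAIL", line)
    print("fixed template findings:", scan_template(FIXED_TEMPLATE))
```

Wired into a CI job that exits non-zero on any finding, this is a pipeline gate: the pull request with the open SSH port or the committed key never reaches an apply step. Real scanners (there are several open-source ones) cover far more rules, but the shape is the same: parse the template, walk it, emit findings keyed by logical ID so the developer can find the line.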

5. Focus on Data Security and Privacy

Data security best practices:

  • Implement data classification and tagging based on the organization’s Data Security Policy

  • Encrypt data in transit, at rest and in use

  • Implement data access logging and monitoring for Cloud Native services and endpoints

  • Regularly conduct data privacy impact assessments

  • Define Incident Response scenarios for data related security incidents

Challenges and Solutions 🛠️

1. Complexity of Multi-Cloud Environments

Challenge: Managing security across multiple cloud providers.

Solutions:

  • Implement cloud-agnostic security policies

  • Use multi-cloud management and security tools

  • Develop expertise in the team for each major cloud platform

  • Implement consistent security baselines across clouds using cloud-agnostic tooling, e.g. a cloud-agnostic Infrastructure as Code language

2. Keeping Up with Rapid Changes

"There's no compression algorithm for experience."

Chris Farris

Solutions:

  • Foster a culture of continuous learning

  • Attend cloud security conferences and workshops, e.g. Cloud Security Bootcamp

  • Leverage community resources (e.g., AWS Security Blog, Cloud Security Alliance)

  • Implement automated update and patch management processes

3. Balancing Security and Innovation

"Businesses require risk. If you are not doing something risky at a business, you probably don't have a business that's going to be successful."

Fredrick Lee

Solutions:

  • Implement a risk-based approach to security problems

  • Create a security champions program for Cloud within development teams

  • Use threat modeling sessions with the development teams to identify and mitigate risks early in the development process

  • Regularly communicate security risks and benefits to business stakeholders

4. Talent Shortage and Skill Gap

Solutions:

  • Invest in training and certification programs for existing staff

  • Implement mentorship programs

  • Leverage AI and automation to augment human capabilities

  • Partner with universities and bootcamps to develop talent pipelines

The Role of AI in Cloud Security 🤖

AI is increasingly playing a crucial role in cloud security.

"I am hopeful and optimistic that AI is actually gonna allow us to bring more people into security as opposed to less because now we can actually have more people asking interesting questions without the need to actually go back and learn a bunch of foundational things."

Fredrick Lee

"I am actually very excited about one possibility that Gen AI might bring to us is personalizing recommendations based on my risks, my environment, my structure, and then my compensating controls. Given everything, feed that in into a Gen AI system. And that essentially tells me, Hey, here's where your risks exist. Here's what you're missing. Wouldn't that be awesome?"

Srinath Kuruvadi

AI applications in cloud security:

  • Speed up anomaly detection and threat identification

  • Automate incident response for known incident types

  • Predictive security analytics based on previously learned security incidents

  • Natural language processing to simplify log analysis, enriched with threat intelligence

This week’s Cloud Security Quiz - All the Best!

The correct answer was “A technology that encrypts data in use“.

🤖 Are you interested in AI Cybersecurity?

Then you should definitely checkout our sister podcast AI Cybersecurity Podcast that is hosted by Ashish Rajan and Caleb Sima.

👩🏽‍💻Cloud Security Training from Practitioners!

Want to learn more about Cloud Security, or know someone who does? We've got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are also paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and welcome to the new members in this newsletter community💙

Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.

Peace!

Was this forwarded to you? You can Sign up here, if this was helpful for you.

Want to sponsor the next newsletter edition? Let's make it happen.