New Perspectives on Cloud Security: An Interview with Gururaj Pandurangi

CONGRATS CLOUDNEETI! https://www.geekwire.com/2020/zscaler-acquire-seattle-cloud-security-startup-cloudneeti/

 

The Capital One breach last year was significant on multiple fronts.  A trusted financial services brand on a leading public cloud environment was easily breached, to the tune of 10M records compromised.  I discovered Cloudneeti in January after I heard about their ability to enable DevSecOps operating models.  I asked CEO and cloud veteran Gururaj Pandurangi for his thoughts on the breach:

Q) Last year’s Capital One breach exposed a massive trove of sensitive data.  How could one of the world’s most trusted financial service companies operating on one of the most secure cloud infrastructures get breached to such an extent?

[Gururaj] The Capital One breach was a combination of missteps. The most significant factor was an experienced former AWS employee who knew how to abuse different misconfigurations. There were additionally some minor IaaS issues, and I’ve heard that the provider has promised to fix them.  Part of this is also a cultural issue of using traditional on premises processes for the cloud and generally how tradeoffs between the need for speed and complex security/compliance policies is resolved. It should be noted that every company will face a combination of these conditions and threats in some shape or form. Misconfigurations combined with insider threats are clearly the biggest risk. The lesson from these types of breaches is that enforcement, similarly, needs to evolve.

Q) Why are cloud security and compliance postures so difficult to maintain, given the massive investments IaaS leaders have made in security?

[Gururaj] The cloud is allowing dev teams to accelerate their development cycles beyond anything possible for most traditional on premises environments. Changes can be made faster than ever. New apps, new business units, increasing frequency of releases and new cloud features have all contributed to an increase in the pace of change.  And the policies and frameworks themselves have hundreds if not thousands of configuration requirements. So higher rates of change, the very nature of cloud workloads that are easily exposed to the Internet combined with complex requirements, have substantially increased risk, even for companies investing heavily in best practices. We’ve done scans of many considered to be well-run environments and the compliance scores came out much lower than what was expected by the customer. 

Q) What kinds of tools do cyber criminals use to exploit configuration errors and how commonplace are they?  What levels of skills do they require?

[Gururaj] Today cyber criminals need to become cloud experts. And the increasing pace of change also makes many of their traditional tools obsolete. The cloud providers have made significant investments in OS and network enhancements, which have closed some of the frequently used entry points. The good news is that the evolution of IaaS and PaaS, serverless, databases in the cloud are forcing cyber criminals to evolve, since their old tools aren’t as effective against these new environments.

Even more important is the emergence of new SaaS tools that help protect these more dynamic environments. For example, an entire new class of cloud security posture management (CSPM) solutions has emerged to automate security and compliance assurance.  Some are built for traditional SOC environments to quickly discover misconfigurations and others, like Cloudneeti, for DevSecOps models to prevent misconfigurations from ever happening. Dev and security teams can operate at almost the same fast pace today, without the conflicts and tradeoffs required with traditional manual processes.

Thank you Gururaj!

You can sign up for a 30-day free trial on Azure Marketplace. You can discover in minutes how well your cloud environment scores against more than a 1,500 security polices and 13 compliance frameworks.

Is your company addressing the growing gaps between digitalized, dynamic infrastructures (cloud, SDN, SD-WAN, etc.) and outdated cultures and tools?  Contact me and I may ask your CEO three questions.

Advertisement