Frank Kim on Zero-Trust Architecture: Essential for Cloud Security

In an interview with CloudTweaks, Frank Kim, a SANS Fellow and cloud security expert, discusses the critical aspects of safeguarding cloud environments. Frank emphasizes the adoption of zero-trust architectures as essential for protecting high-value data and preventing attackers from moving laterally within network systems. He explains the shared responsibility model, highlighting that cloud service providers (CSPs) manage the cloud’s infrastructure while customers are responsible for securing their data, applications, and access controls. This division is vital for effective asset protection in the cloud.

Overview of Cloud Security Incidents: Given that a significant percentage of companies have experienced cloud security incidents, could you share your perspective on the current state of cloud security and why it’s crucial for organizations to prioritize this in their cybersecurity strategies? 

As we see today, there are a multitude of various cloud cyberattacks we’re witnessing and have been witnessing for years within all industries. But there are ways organizations can safeguard themselves against these types of extortions. Continuous security training and awareness are key to mitigating these types of risks. Although before these trainings are implemented, zero-trust architectures must be adopted first and foremost. This type of architecture safeguards high-value data wherever it resides. It makes it much more difficult for attackers to move laterally undetected through network systems.

Once a zero-trust architecture is up and running, organizations should then pivot their focus to up-leveling their cloud cybersecurity skills and knowledge. Ensuring teams are appropriately trained specifically in cloud security, while keeping up with constant cloud updates consistently, is key for the best protection. Security teams will of course play a crucial role in constant cloud training, but educating developers, IT staff, and engineers is imperative for maximizing efficiency and security.

Understanding the Shared Responsibility Model: Can you explain the concept of “shared responsibility” in cloud security, emphasizing how understanding and implementing this model is essential for organizations to protect their assets in the cloud effectively? 

The concept of “shared responsibility” in cloud security is foundational, emphasizing that both cloud service providers (CSPs) and customers have roles in securing and protecting cloud environments. This model delineates who is responsible for securing what aspects of the cloud infrastructure and operations. CSPs typically manage the security of the cloud, including the physical infrastructure, network, and hardware. In contrast, customers are responsible for security in the cloud, which means they must protect their data, applications, and access controls. Training in understanding and implementing this model is crucial for organizations to safeguard their assets in the cloud effectively.

Role of Cloud Service Providers (CSPs) vs. Customers: In the shared responsibility model, CSPs and customers have distinct roles. Could you detail the specific responsibilities of CSPs, including the security of the cloud’s physical infrastructure, network, and hardware? 

Cloud service providers are generally responsible for the security and integrity of the cloud infrastructure itself. This includes the physical security of data centers, the security of the hardware and software that powers the cloud services, and the networking infrastructure. CSPs also ensure the availability and resilience of their services, employing robust measures against DDoS attacks, hardware failures, and ensuring data integrity. Understanding these distinctions is crucial for organizations to know their security obligations, emphasizing the need for targeted training in each cloud model. Regular audits and compliance certifications are part of their domain, offering customers transparency and assurance regarding the security posture of their services. The division of responsibilities in cloud security for CSPs would include PaaS (Platform as a Service) and SaaS (Software as a Service). For PaaS, the CSP would take on more responsibility by managing the OS, middleware, and runtime environment. Customers focus more on deploying and managing their applications instead in this case. With SaaS, CSPs oversee the infrastructure, software, and platforms. Customers with SaaS should focus on their responsibilities in managing their user accounts and data security.

Customers’ Responsibilities in Cloud Security: Conversely, what are the customers’ responsibilities for security in the cloud, particularly regarding protecting their data, applications, and access controls? 

Customers are mostly responsible for managing their user accounts and data security. The responsibilities are mainly with IaaS in cloud security for customers (Infrastructure as a Service). Customers have more control and thus more responsibility. They manage the OS, applications, and network configurations, while the CSP maintains the physical servers, storage, and networking hardware.

Collaboration with CSPs for Enhanced Security: How can organizations ensure they are fulfilling their part of the shared responsibility model, especially in terms of collaborating and communicating with CSPs to understand and implement necessary security measures?

There are several precautions to keep in mind to ensure organizations are fulfilling their part of shared responsibility measures. The first is to conduct regular security assessments and audits to identify and remediate vulnerabilities, implement robust access control to ensure only authorized personnel have access to cloud resources, and make sure data is encrypted in transit and at rest to protect sensitive information. These three safety precautions can often be overlooked, but the first step lies with protecting and identifying security measurements and current evaluation of the organization’s data. Next, organizations should regularly train their employees on the latest cloud security best practices and potential threats. There are a plethora of new threats and vulnerabilities now seen at a sporadic increase compared to years past, which will only continue to evolve into new, advanced, never-seen-before threats. Lastly, organizations should collaborate with CSPs. Engaging in transparent communication with providers will help understand specific security measures and responsibilities.

Common Security Risks in Cloud Computing: What are some of the most common security risks or threats associated with cloud computing that organizations should be aware of, including data breaches and insecure interfaces? 

Currently, common security risks in cloud computing include data breaches, insufficient identity, credential and access management, insecure interfaces and APIs, and system vulnerabilities. Misconfigurations and inadequate change control processes can expose systems to attacks. Moreover, shared technology vulnerabilities mean that one tenant’s actions could potentially affect the security of another in a multi-tenant architecture. 

Importance of Continuous Security Training: Given the evolving nature of cloud security threats, how important is continuous security training and awareness for organizations to effectively mitigate these risks? 

Ensuring security teams have cloud-specific security training should be a top priority for CISOs in 2024. There must be investments on the security side to support their substantial investments in cloud, especially since the cloud is where organizations will deliver their business infrastructure over the next five years. Maximizing cloud expertise must be a concrete, planned, and capacity-considered component of their security team – not an afterthought. 

In addition, cloud security must be a fundamental tenet of your user awareness program playbook. Protecting the cloud is like a team sport. It is a company-wide effort that requires consistent buy-in across every level of the enterprise. A cloud-centric awareness training program will empower employees to do their part by following cyber hygiene best practices across access and authentication security, data security, device/endpoint security, and more.

Future of Cloud Security: With your deep expertise in cloud security and leadership curricula at the SANS Institute, how do you see the future of cloud security evolving, and what key trends should leaders be aware of to strengthen their cyber defenses in the cloud? 

CISOs are still grappling with ongoing challenges in achieving balance within their cloud security implementations following COVID-19. Many organizations rushed into cloud adoption during the early stages of the pandemic, implemented a basic version, and are now in the process of cost optimization and security architecture refinement. Since cloud platforms are dynamic and evolving, the constant updates and releases require cyber professionals to stay well-informed on new developments. In turn, successfully navigating the intricacies of cloud security is contingent upon a commitment to continuous training and development.

By Randy Ferguson