In this episode, we talk to Anton Chuvakin, Head of Solutions Strategy at Google and former Research Director at Gartner, about:
a) Security challenges when migrating to the cloud
b) A practical toolset for CISOs, or anyone working with cloud security
c) Transparency and accountability with regard to cloud breaches
1. People, or organizations, migrating to the cloud either have the mindset "oh no, cloud is not secure," or they have the mindset "oh, cloud is 100% secure by default."
"So Gartner, for example, had a line, a quote, that goes like this: 99% of cloud breaches would be the customer's fault. And then there's a longer version of that, and it has a decent fact base behind it. But to me, the reason I'm bringing this up is that this kind of has shed some light on the paradox you brought up. If you look at cloud infrastructure, how it's run, how it's built, it is actually really secure, very secure by many standards against many threats. And there are many ways to prove it. So in that sense, if you're checking how cloud is run by cloud providers, you would see, you know, robust, world-class, best-in-the-world operations. And so if you look at that, you would say, oh yeah, it's really secure. It's more secure than many, many, many enterprises, probably more secure than most enterprises. And then you'd fall into the camp of 'cloud is secure' and forget everything else. However, the other Gartner line goes like this: cloud is secure, but are you using it securely? And this is where the other part of the paradox shows up."
2. Is cloud just about lift and shift?
"It does send you on the wrong thinking path. It just sends you on the path of like, ah, it's all the same. And that's how you assume implicitly that you use the same controls, the same practices, the same approaches, and then you end up missing the change in reality, and then you end up missing different threat models. One of the fun parts that came up in a recent Twitter discussion connected to this was somebody saying, if you have a server in your data center, you can make an application security mistake, you can make a system security mistake, but as long as you don't make a network security mistake by misconfiguring the firewall, you may still be okay. Or, in essence, you can make a network security mistake and then not make an application security mistake, and you're still okay. Some of the stuff in the cloud is just different."