Tigers, elephants, and human error: How to deflate cloud security myths
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
Seth Rosenblatt
Security Editor, Google Cloud
What happens when cloud security dreams collide with cloud security realities
For many executives and boards of directors, the cloud is still considered a nebulous place, insecure and lurking with dangers that could damage business and reputations. They feel safe in their on-premises data centers, blanketed with the sense of security that comes from physical control. They seek the comfort of security, instead of focusing on the more fruitful techniques of threat assessment and risk management.
“Security is an emotion,” said Rick Doten, vice president of information security at Centene Corporation and the CISO of Carolina Complete Health on our Cloud Security Podcast. “Technically the definition is freedom from fear or anxiety. And so, we're talking about the difference between your fear of the unknown and the things that are out of your control, which is an emotional reaction. But it's not a risk reaction.”
Doten’s advice for organizations that may be hesitant to embrace the cloud because of fear or anxiety is to focus on the fundamentals: Take the time to understand threat and risk assessment, hire experts who know what they are doing, and rely on a foundation of best practices such as Zero Trust, logging, and identity management.
“There is a path. The path is to focus on the fundamentals. It doesn't take a lot of money. It does take a lot of time,” Doten said. “The thing we need to keep saying is that there is no easy button and you have to work on it and accept that this is hard and anyone who's going to come to you with a magic box and say it's easy is lying.”
Understanding risk, real and perceived
Podcast co-host and security advisor to Google Cloud’s Office of the CISO Anton Chuvakin asked Doten about the types of risk that executives and boards should really be worrying about (tigers), which risks are overblown (paper tigers), and which risks are standing in the room while nobody talks about them (elephants).
“I would say the tiger that's really getting you is human error,” Doten said. “You're using poor secrets, or having the secrets of those publicly, not having good configuration, not keeping things patched, not having proper controls, having too many privileges. All of these are our faults as humans. They are not the fault of the infrastructure, or the owner of the infrastructure.”
The Cloud Security Alliance published a report in 2022 that outlined the top 11 risks in cloud computing and every one of them involves some form of human error, from insufficient identity, credential, access, and key management, to unsecured third-party resources.
In terms of paper tigers, Doten believes that the notion of multi-tenant clouds where different organizations, who may sometimes be competitors, can share space on the server of a cloud provider, is not as much of a risk as it is often made out to be by boards and executives.
“The paper tigers I think that everyone kind of worries about is this multi-tenancy and the shared responsibility model,” Doten said. “So is it possible [that competitors might see your data]? Yes. Is it likely? It is a lot less likely that that happens than you using a poor credential or you releasing your own credentials.”
The elephant of risk that few people talk about in the cloud world is that we all live in a volatile world where anything can happen. Data centers live in the same world as we do, with fires and floods and hurricanes, cold snaps and heat waves. This risk can be mitigated with a robust global public cloud that has built-in redundancy, but a natural disaster in one node of the network can still have cascading effects on the rest of the ecosystem.
“The elephants are kind of the fact that there might be infrastructure that goes down,” Doten said. “There's a possibility that because all of your stuff is on somebody else's infrastructure, if something happens to that, then it goes away. That's kind of like the elephant that we don't want to talk about. Because risk is risk, whether it's a tornado or hurricane, an earthquake, or whatever.”
Focus on the fundamentals
Managing risk in the cloud is a difficult job. It requires coordination and logistics and the help of experts who know the landscape and how to respond to threats. As Doten says, it’s a hard job and there is no magic button to make everything safe and secure.
“Number one is asset management,” Doten said. “Know what you have. Because I can't protect what I don't know about. Cover the basics well. All of them [such as] management, data protection, configuration management, identity management. In case this little thing happens or whatever, focus on the fundamentals.”
Doten says to find the right people who understand risk management, instead of people who may want to come in and buy a lot of tools that may not necessarily be the right tools to manage risk in the cloud.
“Most people don't need a tool jockey to come in there and buy a bunch of tools and put them in and configure them,” Doten said. “When what they really need is governance, and they need to be able to link the business to the technology. Understand what the real risks are, and understand what would be a bad day for the company. And then how to infrastructure security architecture to help reduce that ability to have a bad day.”
For more on the realities of cloud security, you can listen to the Cloud Security podcast here.