Last updated at Tue, 02 Aug 2022 13:00:00 GMT
This year's AWS re:Inforce conference brought together a wide range of organizations that are shaping the future of the cloud. Last week in Boston, cloud service providers (CSPs), security vendors, and other leading organizations gathered to discuss how we can go about building cloud environments that are both safe and scalable, driving innovation without sacrificing security.
This array of attendees looks a lot like the cloud landscape itself. Multicloud architectures are now the norm, and organizations have begun to search for ways to bring their lengthening lists of vendors together, so they can gain a more cohesive picture of what's going on in their environment. It's a challenge, to be sure — but also an opportunity.
These themes came to the forefront in one of Rapid7's on-demand booth presentations at AWS re:Inforce, "Speeding Up Your Adoption of CSP Innovation." In this talk, Chris DeRamus, VP of Technology - Cloud Security at Rapid7, sat down with Merritt Baer — Principal, Office of the CISO at AWS — and Nick Bialek — Lead Cloud Security Engineer at Northwestern Mutual — to discuss how organizations can create processes and partnerships that help them quickly and securely utilize new services that CSPs roll out. Here's a closer look at what they had to say.
Building a framework
The first step in any security program is drawing a line for what is and isn't acceptable — and for many organizations, compliance frameworks are a key part of setting that baseline. This holds true for cloud environments, especially in highly regulated industries like finance and healthcare. But as Merritt pointed out, what that framework looks like varies based on the organization.
"It depends on the shop in terms of what they embrace and how that works for them," she said. Benchmarks like CIS and NIST can be a helpful starting point in moving toward "continuous compliance," she noted, as you make decisions about your cloud architecture, but the journey doesn't end there.
For example, Nick said he and his team at Northwestern Mutual use popular compliance benchmarks as a foundation, leveraging curated packs within InsightCloudSec to give them fast access to the most common compliance controls. But from there, they use multiple frameworks to craft their own rigorous internal standards, giving them the best of all worlds.
The key is to be able to leverage detective controls that can find noncompliant resources across your environment so you can take automated actions to remediate — and to be able to do all this from a single vantage point. For Nick's team, that is InsightCloudSec, which provides them a "single engine to determine compliance with a single set of security controls, which is very powerful," he said.
Evaluating new services
Consolidating your view of the cloud environment is critical — but when you want to bring on a new service and quickly evaluate it for risk, Merritt and Nick agreed on the importance of embracing collaboration and multiplicity. When it's working well, a multicloud approach can allow this evaluation process to happen much more quickly and efficiently than a single organization working on their own.
“We see success when customers are embracing this deliberate multi-account architecture," Merritt said of her experience working with AWS users.
At Northwest Mutual, Nick and his team use a group evaluation approach when onboarding a new cloud service. They'll start the process with the provider, such as AWS, then ask Rapid7 to evaluate the service for risks. Finally, the Northwest Mutual team will do an assessment that pays close attention to the factors that matter most to them, like disaster recovery and identity and access management.
This model helps Nick and his team realize the benefits of the cloud. They want to be able to consume new services quickly so they can innovate at scale, but their team alone can't keep up the work needed to fully vet each new resource for risks. They need a partner that can help them keep pace with the speed and elasticity of the cloud.
“You need someone who can move fast with you," Nick said.
Automating at scale
Another key component of operating quickly and at scale is automation. "Reducing toil and manual work," as Nick put it, is essential in the context of fast-moving and complex cloud environments.
“The only way to do anything at scale is to leverage automation," Merritt insisted. Shifting security left means weaving it into all decisions about IT architecture and application development — and that means innovation and security are no longer separate ideas, but simultaneous parts of the same process. When security needs to keep pace with development, being able to detect configuration drift and remediate it with automated actions can be the difference between success and stalling out.
Plus, who actually likes repetitive, manual tasks anyway?
“You can really put a lot of emphasis on narrowing that gray area of human decision-making down to decisions that are truly novel or high-stakes," Merritt said.
This leveling-up of decision-making is the real opportunity for security in the age of cloud, Merritt believes. Security teams get to be freed from their former role as "the shop of no" and instead work as innovators to creatively solve next-generation problems. Instead of putting up barriers, security in the age of cloud means laying down new roads — and it's collaboration across internal teams and with external vendors that makes this new model possible.
Additional reading:
- Shift Left: Secure Your Innovation Pipeline
- [VIDEO] An Inside Look at AWS re:Inforce 2022 From the Rapid7 Team
- Rapid7 at AWS re:Inforce: 2 Big Announcements
- Cloud Threat Detection: To Agent or Not to Agent?