Why Is Cloud Security So Hard? (Hint: It’s Not)
Securing a new environment without knowing the rules of the road can be hard. Take the time to learn the rules and avoid speedbumps.
Leaders are often confident that their engineers follow security best practices, but here are some security questions to consider.
Engineering and Product Leaders are often confident that their engineers follow security best practices when putting together their cloud environment. They often tell me things like, “we have a team of 80 engineers,” or, “we have a team of experienced engineers that know what they’re doing.” From my perspective, this is great news. I’m glad to see expert engineers working on complex problems. But does this give me the confidence that all the security checks are in place at the organization?
Nope.
For me, it’s always about trust but verify. I’m happy to trust that you have all your ducks in a row, but the proof is in the pudding. Additionally, when a senior leader tells me something like this, I can hardly trust that there aren’t any security improvements to be made. Even advanced AWS shops like CapitalOne that have released countless tools have had their issues.
There are several ways you can look for security improvements, such as asking your team questions. Here are some questions to ask your engineering and security team the next time you want some assurance on cloud security. Remember: trust but verify. Have your engineers demonstrate that the answers they give are valid.
There are several questions to consider here, especially about how permissions and AWS roles are set up.
Here are some examples:
There are several open-source auditing tools that you can use to accelerate this process or obtain a deeper insight into your security.
Here is a tool to look into:
Infrastructure as Code efficiently and consistently deploys infrastructure to the cloud using machine-readable code.
Several questions to consider when examining the security of your IaC include:
There are several open-source auditing tools that you can use to accelerate this process or obtain a deeper insight into your security.
Here is a tool to look into:
Security operations give you day-to-day visibility into your infrastructure. Mistakes happen, and you want to have a mechanism to detect such mistakes and correct them as soon as possible.
Here are some questions to consider:
There are several platforms to help you throughout this process.
Here are several of them:
Classic, but tried and true. We have seen databases listening on the internet with ports wide open. They say it takes about 80 seconds for a machine to begin being scanned once it’s placed on the internet!
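The exposed-database finding above is something a team can check for itself rather than take on trust. The following is an added example, not code from the article: it evaluates security-group rules in the shape boto3's `describe_security_groups()` returns (here a constructed sample, not live account data) and reports database ports reachable from `0.0.0.0/0` or `::/0`. The port list, group ids and CIDRs are assumptions made for the example.

```python
"""Flag AWS security-group ingress rules that expose database ports to the internet."""
from typing import Iterable

# Common database listeners; the list is a hypothetical choice for this example.
DB_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _world_open(rule: dict) -> bool:
    """True if the rule's source is any IPv4 or any IPv6 address."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def _ports(rule: dict) -> Iterable[int]:
    """Ports a rule covers; IpProtocol "-1" means every protocol and port."""
    if rule.get("IpProtocol") == "-1":
        return DB_PORTS.keys()
    if rule.get("IpProtocol") != "tcp":
        return []
    return range(rule["FromPort"], rule["ToPort"] + 1)


def find_exposed_db_ports(groups: list) -> list:
    """Return sorted (group id, port, service) tuples for each DB port open to the world.

    `groups` has the shape of boto3's describe_security_groups()["SecurityGroups"].
    """
    findings = set()
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_open(rule):
                continue
            for port in _ports(rule):
                if port in DB_PORTS:
                    findings.add((sg["GroupId"], port, DB_PORTS[port]))
    return sorted(findings)


# Constructed sample: sg-0aaa opens Postgres to the world; sg-0bbb limits MySQL to a
# VPC range but also has an "all traffic" rule open to every IPv6 address.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, port, svc in find_exposed_db_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {svc} ({port}/tcp) reachable from the internet")
```

Against a real account, pass the `SecurityGroups` list from boto3 in place of the constructed sample; the "all traffic" rule on the second group is the kind of mistake that hides behind an otherwise tidy port-specific rule.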
Here are some questions to consider:
Having great data security is essential to protecting data from getting into the hands of unauthorized users.
Here are some questions to consider:
Now, you have a whole bunch of questions to ask your engineering and security team. I hope this guide has been helpful. If your team answered and verified positively to all the questions here, you are awesome and someone should write a book on you!
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).