By Chris DeRamus, VP of Technology, Cloud Security Practice
Remote work is here to stay:
“Some organizations (including DivvyCloud) preferred coming into the office for work prior to the pandemic because we enjoyed the sense of community. But, the current situation has changed our outlook on remote work, and the same is true for many organizations around the world. Many companies are quickly realizing their employees are just as productive working from home through cloud apps and services as they are in the office space. In fact, in many cases, employees are even more productive because they don’t waste time commuting. As such, we should expect plenty of organizations to transition to more frequent (or even permanent) remote work models once stay-at-home orders have been lifted. Organizations may even reduce or eliminate office spaces to cut back on overhead costs, especially those looking to climb out of economic hardship caused by the pandemic.”
To support remote work, organizations will need to prioritize cloud spend:
“Organizations have been spending more on cloud infrastructure to support their remote workforces. Increased demand spurred AWS’s sales to surpass $10 billion this past quarter, and Azure is running out of capacity in some regions. As a result, organizations will need to ‘tighten the operational belt’ from a budget perspective and ensure that the proper security and governance controls, virtual desktop infrastructure (VDI), and other key instances are implemented.
For DivvyCloud and plenty of other organizations, real-time communications platforms like Slack and Teams have been invaluable for navigating the work-from-home experience, and we can expect to see heightened demand for these tools even once this pandemic subsides. Additionally, organizations will need to focus on identity and access management in their cloud infrastructure. This will ensure employees are able to securely access the tools and resources they need to do their jobs while thwarting fraudulent unauthorized attempts from bad actors.”
Choosing between security and innovation in the cloud will continue to be a common, avoidable pitfall:
“Nearly 50% of developers and engineers bypass cloud security and compliance policies and just 58% of organizations have clear guidelines for developers building applications in the public cloud. Developers work hard and fast to deploy new features and services to meet market demands, but without the proper guardrails in place, this can lead to misconfigured cloud instances, severe security flaws, and more.
In fact, in early April, it became publicly known that Zoom’s engineers bypassed common security features, such as not requiring users to add unique file names before saving their videos. While this allowed Zoom to support its exponential jump in demand (from 10 million daily users in December 2019 to over 200 million in March 2020), it also resulted in errors such as thousands of users’ videos being made publicly accessible on unprotected Amazon buckets. This news added to a string of other privacy concerns around Zoom. DevOps and security must be completely in sync to avoid similar pitfalls.”
Engineers will begin to tackle cloud security flaws earlier in the build pipeline:
“Security and compliance practices have been mainly reactive, with teams scrambling to catch security/compliance flaws after cloud resources are built. But as anyone in that position can attest, there’s no putting the genie back in the lamp. Instead, engineers will need to focus on how ‘to-be-built’ infrastructure or changes will affect the security and compliance of their cloud footprint while they are still in the continuous integration/continuous deployment pipeline.
For example, Zoom’s CEO pledged to shift the company’s engineering resources to proactively address issues with measures such as a third-party review of changes before they’re made, white-box pen tests to further identify and address issues, and upgrading Zoom’s encryption scheme to AES 256-bit GCM encryption. Other organizations will leverage capabilities such as Infrastructure as Code security to build a virtual data model of what would have been built and either affirm or deny the compliance of proposed changes while also warning engineers of potential violations, thus giving them the opportunity to learn from the experience and incorporate learnings into future projects.”
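The pre-deployment check described above, written out as an added example (it is not DivvyCloud's product code, nor anything Zoom published): a Python gate that reads the JSON produced by `terraform show -json`, builds the picture of what is about to be created, and denies the change when a bucket is given a public ACL or lacks a public access block, or when a security group opens SSH/RDP to the whole Internet, which is the same class of misconfiguration behind the unprotected-bucket incidents mentioned earlier. The embedded plan is a constructed, trimmed sample; the rule names, the same-name convention that links a bucket to its public access block, and the `gate`/`evaluate_plan` helpers are this example's own assumptions.

```python
"""Pre-deployment policy gate over a Terraform plan (added example).

Reads the JSON from `terraform show -json tfplan`, walks every planned resource
and refuses the change when a rule fails, so a public bucket or a world-open
admin port is caught in CI rather than after `terraform apply`.  The embedded
plan is a constructed, trimmed sample with only the attributes the rules read.
"""
import ipaddress
import json
import sys
from collections import namedtuple

# Constructed sample: a bucket made public with no public-access block, a
# hardened bucket, and a security group exposing SSH to the whole Internet.
SAMPLE_PLAN_JSON = """
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.recordings", "type": "aws_s3_bucket", "name": "recordings",
   "values": {"bucket": "meeting-recordings", "acl": "public-read"}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
   "values": {"bucket": "access-logs", "acl": "private"}},
  {"address": "aws_s3_bucket_public_access_block.logs", "name": "logs",
   "type": "aws_s3_bucket_public_access_block",
   "values": {"block_public_acls": true, "block_public_policy": true,
              "ignore_public_acls": true, "restrict_public_buckets": true}},
  {"address": "aws_security_group.bastion", "type": "aws_security_group", "name": "bastion",
   "values": {"ingress": [
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}
]}}}
"""
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
ADMIN_PORTS = (22, 3389)
Finding = namedtuple("Finding", "rule address detail")


def load_plan(text):
    return json.loads(text)


def iter_resources(plan):
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def check_buckets(resources):
    """Deny public ACLs; require a public access block with all four flags on.
    Assumed convention: the block shares the Terraform resource name of the
    bucket it protects, because the bucket id is usually unknown at plan time."""
    blocks = {r["name"]: r["values"] for r in resources
              if r["type"] == "aws_s3_bucket_public_access_block"}
    findings = []
    for r in (r for r in resources if r["type"] == "aws_s3_bucket"):
        acl = r["values"].get("acl") or "private"
        if acl.startswith("public-"):
            findings.append(Finding("s3-public-acl", r["address"], f"acl={acl}"))
        block = blocks.get(r["name"])
        off = [f for f in PAB_FLAGS if not (block or {}).get(f)]
        if block is None:
            findings.append(Finding("s3-no-public-access-block", r["address"],
                                    "no aws_s3_bucket_public_access_block for this bucket"))
        elif off:
            findings.append(Finding("s3-public-access-block-incomplete", r["address"],
                                    "disabled: " + ", ".join(off)))
    return findings


def check_security_groups(resources):
    """Deny SSH/RDP reachable from any address on the Internet (IPv4 or IPv6)."""
    findings = []
    for r in (r for r in resources if r["type"] == "aws_security_group"):
        for rule in r["values"].get("ingress") or []:
            cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
            world = any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)
            if rule.get("protocol") in ("-1", "all"):  # every protocol, hence every port
                lo, hi = 0, 65535
            else:
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            exposed = [p for p in ADMIN_PORTS if lo <= p <= hi]
            if world and exposed:
                findings.append(Finding("sg-admin-port-open-to-world", r["address"],
                                        f"ports {exposed} from {cidrs}"))
    return findings


def evaluate_plan(plan):
    resources = list(iter_resources(plan))
    return check_buckets(resources) + check_security_groups(resources)


def gate(plan_text):
    """True when the plan may be applied; prints every violation otherwise."""
    findings = evaluate_plan(load_plan(plan_text))
    for f in findings:
        print(f"DENY {f.rule}: {f.address} ({f.detail})")
    return not findings


if __name__ == "__main__":  # `terraform show -json tfplan | python gate.py -`
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_PLAN_JSON
    sys.exit(0 if gate(text) else 1)
```

Run without arguments it evaluates the embedded sample and exits non-zero with three DENY lines (public ACL and missing public access block on the recordings bucket, SSH open to the world on the bastion group); as a CI step it reads a real plan from stdin, and a non-zero exit stops the pipeline before `terraform apply`, which is the point at which the genie is still in the lamp.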
IAM is (and will continue to be) the primary perimeter in cloud security:
“All users, apps, services, and systems in the cloud have an identity, and as organizations shifted to remote styles of work, they quickly learned that these relationships are complex. Understanding the full picture of access in the cloud and working toward least privileged access are difficult, but necessary endeavors to ensure security in the cloud. In the last couple of months, plenty of enterprise security professionals have realized that cloud identity and access management (IAM) is an area where they are vulnerable because they lack insight into the complex problem.
The repercussions of poor IAM governance are substantial and sometimes unpredictable. For example, last year a former AWS employee accessed over 100 million Capital One customers’ records after she bypassed a misconfigured web application firewall, then used privilege escalation to access the data. To protect the identity perimeter at scale, organizations need an automated monitoring and remediation solution for access management, role management, identity authentication, and compliance auditing – all of which help enterprise security teams stay ahead in this complex landscape. Even once this pandemic subsides, we will continue to see a great emphasis placed on cloud IAM, especially as organizations continue to encourage remote work.”
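To make "the full picture of access" concrete, here is an added example (not DivvyCloud's code) that statically evaluates two constructed IAM policy documents using IAM's own precedence, an explicit Deny beating any Allow and everything else defaulting to an implicit deny, and reports which privilege-escalation and broad data-access actions the principal could actually run against resources it was never meant to touch. The policy documents, the probe ARNs with the placeholder account number 123456789012, the list of escalation-capable actions, and the `evaluate`/`review` helpers are this example's own assumptions; statements carrying a Condition cannot be decided statically and are reported as "conditional" rather than evaluated.

```python
"""Static least-privilege review of AWS IAM policy documents (added example).

Answers "what can this principal actually do?" by evaluating a set of sensitive
actions against representative resources with the precedence IAM applies (an
explicit Deny beats any Allow; nothing is allowed by default), then flags what
is allowed on resources outside the principal's intended scope.  The policies
below are constructed samples and the probe ARNs use a placeholder account.
"""
import fnmatch
import json

# Well-known IAM actions that let a principal grant itself more access when
# they are allowed on arbitrary resources (assumed list for this example).
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:UpdateAssumeRolePolicy", "iam:CreateAccessKey",
    "sts:AssumeRole",
)
# Actions that read data out of every bucket when allowed on "*".
DATA_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")

# Probe resources the principal has no business touching (placeholder ARNs).
PROBE_ROLE = "arn:aws:iam::123456789012:role/some-unrelated-role"
PROBE_OBJECT = "arn:aws:s3:::some-unrelated-bucket/customer-export.csv"
PROBES = ([(a, PROBE_ROLE) for a in ESCALATION_ACTIONS]
          + [(a, PROBE_OBJECT) for a in DATA_ACTIONS])

# Constructed sample: a role meant to read one bucket, to which a second,
# much broader policy was attached later.
SAMPLE_POLICIES = [json.loads(p) for p in ("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]}]}
""", """
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
  {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:PassRole"], "Resource": "*"},
  {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/Admin*"}]}
""")]


def _as_list(value):
    return value if isinstance(value, list) else ([] if value is None else [value])


def _matches(patterns, value, fold_case):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """Does the statement cover this action/resource pair (NotAction/NotResource honoured)?"""
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action, True)
    else:
        action_hit = not _matches(_as_list(stmt.get("NotAction")), action, True)
    if "Resource" in stmt:
        resource_hit = _matches(_as_list(stmt["Resource"]), resource, False)
    else:
        resource_hit = not _matches(_as_list(stmt.get("NotResource")), resource, False)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'deny', 'allow', 'conditional' or 'implicit-deny' for one request.
    A statement with a Condition cannot be decided statically: a conditional
    Allow is reported as 'conditional' and a conditional Deny does not veto."""
    verdict = "implicit-deny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            conditional = "Condition" in stmt
            if stmt["Effect"] == "Deny":
                if not conditional:
                    return "deny"          # explicit deny wins regardless of order
            elif not conditional:
                verdict = "allow"
            elif verdict == "implicit-deny":
                verdict = "conditional"
    return verdict


def review(policies):
    """List (category, action, verdict) for every probe the principal could run."""
    findings = []
    for action, resource in PROBES:
        verdict = evaluate(policies, action, resource)
        if verdict in ("allow", "conditional"):
            category = "privilege-escalation" if action in ESCALATION_ACTIONS else "broad-data-access"
            findings.append((category, action, verdict))
    return findings


if __name__ == "__main__":
    for category, action, verdict in review(SAMPLE_POLICIES):
        print(f"{category:22} {action:24} {verdict}")
```

On the sample the first policy alone yields no findings, which is what the role was meant to have; with the second policy attached the review reports `iam:PassRole` as a privilege-escalation path (the Deny only covers roles named `Admin*`) and all three S3 probes as broad data access via `s3:*` on `*`, i.e. the kind of over-broad instance role that turns a single compromised host into every bucket in the account. Paste in the output of `aws iam get-policy-version` or `get-role-policy` for a role to review it the same way.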
About the Author
Chris is the VP of Technology, Cloud Security Practice at DivvyCloud by Rapid7. He is a technical pioneer whose passion is finding innovative and elegant new ways to deliver security, compliance, and governance to customers running at scale in hybrid cloud environments. He remains deeply technical, writing code and diving into the latest technologies and services deployed by partners like Amazon, Microsoft, Google, VMware, and OpenStack.
Before co-founding DivvyCloud, Chris was the Online Operations Manager at Electronic Arts for the Mythic Studio, where he helped design, build, and operate large-scale cloud infrastructure spanning public and private clouds to run Electronic Arts’ largest online games (including Warhammer Online: Wrath of Heroes and Warhammer Online: Age of Reckoning). He started his career as a Network & System Administrator at the U.S. Department of Energy, where he was charged with a broad array of technical responsibilities, including security and compliance.
Chris earned his Bachelor of Business Administration in Computer Information Systems from James Madison University.