
Bridging the Cloud Divide: Mike McCabe on Shifting Security Paradigms


This week on Cloud Control, we're diving into the world of cloud security with Mike McCabe, founder of Cloud Security Partners. Mike takes us through his journey in the tech world, from the early days of cloud security to current trends and the future. He discusses the critical role of OWASP's Cloud Native Top Ten in shaping security practices and offers insights on overcoming common misconceptions in cloud security. Keep reading for a deep dive into Mike's expert perspective on evolving security challenges and strategies for success in the cloud era 👇

Mike McCabe, Founder and CEO of Cloud Security Partners

Question 1 💭

Mike, you founded Cloud Security Partners in 2017. Can you tell us what you were doing before that and what led to it? Was there a specific gap you were aiming to fill in cloud security at that time?

Answer 1 🎯

Before I started my own company, I worked in consulting and internal security teams. I mostly focused on application security and then cloud security as it emerged as a new field. In all of my roles, I enjoyed working as a part of a team and solving real security problems the most. Security is a constant struggle between what the business needs and what security knows should be done; we have to find a balance. I started Cloud Security Partners to focus on that. As an industry, we focus so much on finding security issues and washing our hands of them. Finding risks is step one; actually working to get them fixed is just as important. We work closely with our clients to remediate their risks, either through education or hands-on technical help, to ensure risks are closed out.

Question 2 💭

Thinking back to when you first started, how have you seen the landscape of cloud security change, especially with the rapid shift everyone's making towards cloud-native technologies?


Answer 2 🎯

Cloud usage started as a more scalable way to provision infrastructure while avoiding fixed costs. We were sold on the idea of never having to buy a server rack again and scaling to zero when we didn’t need resources. Cloud has grown to be much more than just servers in someone else’s data centers. Using cloud services isn’t really about cost savings but how quickly and flexibly we can get workloads running. 

Unique challenges come from being able to scale instantly, and a mindset shift has to happen. The more traditional IT security mindset is that your firewall is your front door, stopping the bad guys from getting in. In the cloud, your front door is every one of the APIs the cloud providers offer to access their services. So, we’ve gone from controlling access with traditional network security controls to using IAM to restrict access. In some ways, this is great because the cloud providers offer very flexible and agile IAM solutions. On the other hand, when companies scale their cloud environments, misconfigured IAM is often one of their first mistakes.

Question 3 💭

You know, OWASP isn't just about the nitty-gritty technical stuff; it really helps mold the security culture in a lot of places. How do you think the Cloud Native Top Ten is changing the way companies think about security and their practices, especially as they're moving into or beefing up their cloud-native game?

Answer 3 🎯

I think the Cloud Native Top Ten is a good start, but it needs to be expanded beyond thinking of traditional application issues just replicated into the cloud. OWASP started as a code security effort; how do we make applications more secure? Now, cloud applications may have zero code (in the traditional sense) but still have huge functionality. The same concerns we had with traditional application security need to be expanded to encompass everything developers and companies should consider in the cloud world. It should also focus more on cloud-native solutions. The Cloud Native Top Ten needs to inform companies about the confluence of application and cloud security threats and how you build defenses against them.

Question 4 💭

From what you've seen, what are the biggest myths companies tend to believe about cloud security? And how do you guys at Cloud Security Partners go about clearing up those misunderstandings?


Answer 4 🎯

I think one of the biggest mistakes we see made is thinking of how you design your cloud environment with traditional network controls vs leaning into cloud-native controls with IAM. A lot of companies may not admit it but they’re on their second or third iteration of their cloud model. They tried lift and shift and found the same issues were present in the cloud as they were on-prem. It’s very hard to utilize the cloud well without leaning into the model and utilizing cloud-native controls and models. This means relying on IAM and non-traditional network controls vs trying to recreate your on-prem environment in the cloud. Then, figure out a model that works for you and scales at the same time. We also have to think about how we prevent issues vs trying to remediate them. We can’t scale our security teams to the size of our cloud infrastructure. So, using things like infrastructure as code and application security-like processes is a very effective way to prevent security issues.

Question 5 💭

You work with both startups and big players, right? I'm curious, what kind of cloud security gaps do you usually find that they tend to miss? And how do you tackle these issues differently in each case?

Answer 5 🎯

Interestingly, we don’t always see a huge difference between the issues that our large or small customers are dealing with. Both struggle to deal with misconfigurations and IAM in the cloud. Small companies have little or no dedicated security people to deal with the issues. Large companies have lots of security folks but are operating at a scale that makes fixing issues much more difficult. Something I say to a lot of folks curious about their cloud security is to look at their CSPM solution today and how many critical alerts are sitting there not being addressed. Small companies don’t always have the internal knowledge to know what to fix and how. Large companies are often overwhelmed by the scale of the issues.

Our approach is to make sure small companies are working towards remediating the biggest risks that will have the largest impacts. For larger companies it’s helping reduce the noise and also focus resources on fixing the big issues but doing it at scale. Prevention is the only cure in the cloud. We can’t test and fix our way to security, so we help large companies build patterns and models to build security in. Again, we focus on how to help companies prevent these issues from occurring vs how to remediate them. We, as security teams, can never scale to the size of the issue. We have to make the issues manageable at our size.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold… Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻

Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪

Top Articles and Resources of the Week

Resources

  1. Major Cloud Security Events and Conferences

     Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.

  2. Top 50 InfoSec Networking Groups to Join

     Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.

  3. CIS Benchmarks

     The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.

  4. SANS Practical Guide to Security in the AWS Cloud

     In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.

  5. Security Best Practices for Azure Solutions

     Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.