Last Updated on January 15, 2024
As organizations of all sizes migrate applications and workloads to the cloud, they often introduce new and unobserved security vulnerabilities. Further, they may fail to get a firm operational grip on their cloud security posture for compliance purposes.
Why are so many orgs leaving themselves open to significant cloud security risk?
To discuss security best practices in the Amazon cloud, including the root causes of common problems, Temi Adebambo, Head of Security Solutions Architecture at Amazon Web Services (AWS), joined a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
A multifaceted challenge
Do SMBs stumble on security in the public cloud just because they’re focused on compressing the application’s time to value and don’t want security in their way? Temi observes that the issue is more complex than just competing priorities.
“The challenge in that area is actually multifaceted,” asserts Temi. “The business focus on moving to the cloud is trying to take advantage of all the benefits that the cloud can offer. And developing the application with that focus and the security not coming along with it. We see that quite a lot, where the SDLC process is not really involved in security until the tail end, where they want to get some approval or they want to make sure it hit some IT policies that have been set for security.”
Temi continues: “That’s not really the way to build applications—whether in the cloud or not. But in the cloud especially, that’s not a good way to build applications. It leads to challenges in the end because then the business wants to go live and the security seems like a blocker.”
The answer is to shift security left, all the way to the design stage, so that security is baked into testing and carried from one gate to the next. That way, at the end you are not forced to choose between security and application functionality, a trade-off that almost always leads to security becoming technical debt.
“What doesn’t happen ever in that position is that security gets taken care of with the same level of rigor that it should be,” adds Temi. “As the application continues to evolve and get updated, if that process is not well built, it will continue to have [security] issues up to a point where something probably makes it into production that should have been caught early.”
Lack of security resources
Besides making security an afterthought in the SDLC, another major cause of poor cloud application security is a lack of security resources or a lack of security priorities, especially at an oversight level.
“If you have a project with just a bunch of developers trying to do their best, and you don’t have a security stakeholder in there, you don’t have a security champion in there, everyone’s going to do their best with best intentions,” states Temi. “But if no one is really focused on security, it will make it an afterthought. In that case, it’s not that they don’t plan on having it secure. They just all sign up and say, ‘Yeah, I’ll make my code secure.’ But there’s really no one who is making sure that at the end of the day they’re taking that security responsibility on themselves.”
It’s great when security is decentralized and everybody has some security responsibility. But if you don’t have a champion to guide the process and ensure that security is checked at every gate, you’re unlikely to get there.
What’s next?
To enjoy this podcast episode with AWS security leader Temi Adebambo in its entirety, click here.
What are forward-looking CSPs doing to simplify cloud security for their customers? This podcast shares some trends: EP#73 – Mark Richman – Why Cloud Is More Secure Than Your Average On-Prem Solution