Ian Porteous is the Regional Director for Security Engineering at Check Point Software Technologies. He leads the UKI team of over 40 security engineers supporting customers and partners of all sizes.
With over 20 years’ experience in the industry, Ian has been with Check Point for the past 13 years, through their transition from a firewall vendor to a world-leading provider of cyber security solutions covering enterprise networks, data centre, cloud, mobile and endpoint security.
In this interview, Ian Porteous offers thoughtful perspectives around cloud security. See what he has to say.
Is cloud security any different from what we’ve been doing on-premise for the last couple of decades?
Yes and no. This is going to be a long one, but bear with me…
So let’s have a think about that word “cloud.” It can mean so many different things to different people. Some may immediately jump to Office 365, Salesforce or other SaaS type offerings. To others, it’s synonymous with AWS/Azure/GCP…etc, while other interpretations could be towards private clouds. In reality, it’s all of the above. So whether to you cloud means public/private/multi/hybrid, I like to think about cloud as more of the “how” things are done rather than the specifics of “where.”
The difference is really about the speed and scale at which things are done. When I started in IT over 20 years ago, the operational side of standing up a new web server looked something like this:
- Choose hardware
- Raise purchase order
- Wait for hardware
- Rack and cable
- Install OS
- Patch OS
- Install web server software
- Configure web server software
- Copy content to web server
It wasn’t a fast process, and a lot of it was very manual. Today, in the world of “cloud,” it’s a couple of clicks in a console or a simple “terraform apply.”
If you look at concepts such as “toil” from SRE or AWS’s view on “undifferentiated heavy lifting,” taking a “cloud native” approach to things is about velocity and focus through eliminating work that could be considered unnecessary.
Toil: Toil is the kind of work tied to running a production service that tends to be manual, repetitive, automatable, tactical, devoid of enduring value, and that scales linearly as a service grows.
When it comes to cloud security, the exact same concepts exist as before. So, on a high level, it’s still all about confidentiality, integrity and availability of data. In practice, this means protecting devices, users, applications, workloads and data itself from issues such as software and protocol vulnerabilities, social engineering, supply chain attacks and misconfiguration. The difference comes from the speed at which things can (and need to be) done and the scale that can be achieved.
Whereas in the past, a slower, more manual process may have afforded more time and more opportunities to spot things like a simple misconfiguration, moving at the speed of cloud and leveraging the advantages that presents, means a simple misconfiguration can find its way into a production service in mere seconds.
The words “visibility” and “control” are also used frequently when describing security challenges, and the same rings true in the cloud. However, where it was relatively easy to understand exactly what workloads are in your datacenter and thereby implement the right controls, even the first step of simply understanding what you have in the cloud using only the native tools from the cloud provider can be a lot more difficult than before.
To come back to the question, “Is cloud security any different” – then yes, it’s many of the same challenges, but at a completely different speed and scale.
An effective cloud security program needs to follow the same philosophy, as there is no point in having a highly effective, automated application delivery pipeline if the final stage is a lengthy manual security audit and a human being having to open a ticket to request a firewall rule change to open a specific port.
What are some of the main challenges in cloud security, and how can organizations try to overcome them?
Rather than talk about leaky S3 buckets or misconfigured tools on top of kubernetes clusters, let’s keep this high-level.
I touched on this in the previous answer, but a big one is speed. Things move very very quickly, and if you have to insert complex manual processes anywhere, you’re immediately negating a lot of the benefits of using the cloud. Things need to be automated. It’s not just about automating the security controls themselves, but the actual presence of security needs to be automated as well. This is something that Check Point’s Head of Cloud Product Line, TJ Gonen covers in a great interview here.
Another is simply keeping up to date. It’s an enormous challenge. For example, every week I receive an email from AWS with all the new announcements (I just went and counted – 115 new features & updates so far this month). Now bring in Azure, GCP, Kubernetes – that’s a vast landscape for a security professional to keep up to date with. (By the way, if you want a nice digest and analysis of what’s new in AWS with a healthy side of snark – I can highly recommend Corey Quinn’s newsletter).
These features aren’t just being churned out for the sake of it, and as it’s likely that your developers will often find some new functionality or efficiency that they will want to take advantage of, our role as security professionals is to ensure that they can do that safely. We shouldn’t be here to say “no”, but it’s important to develop a culture where security is embraced and considered at every stage of the lifecycle. It should not be an afterthought, potentially seen as an annoyance or barrier to innovation
This goes both ways. Security teams need to learn a new language and better understand the desires and motivations of those building cloud infrastructure and cloud/development teams need to feel included in security conversations and that security teams are not here to inhibit agility but are on-board with their mission whilst also working to keep the business safe.
Finally, do you have any parting comments or advice?
For many security professionals for whom the world of “cloud” can be quite daunting and even threatening, my advice is to embrace it with open arms. Yes, there is a huge amount to learn, but there are massive advantages to gain and it’s not like it’s going away any time soon.
If you’re like me and enjoy the journey of discovery, find yourself some good quality training (I recommend A Cloud Guru), expose yourself to this world by sitting and talking with your development & cloud teams or there is a vast amount of content online (I suggest watching any of Kelsey Hightowers’ demos as a start).
Once you have a better grasp of how things work in the world of modern cloud applications you will have a better understanding of how the approach to security must adapt to support and leverage all the advantages of this wonderful technology.