Building a Strong Framework
Cloud almost always disrupts business as usual. A cloud security architect can see the cracks that can be missed by 3rd-party tools or native and less experienced non-cloud security professionals.
Over nearly a decade in cloud security, I’ve noticed some common missteps among enterprises that deploy cloud infrastructure and services, whether through Amazon Web Service (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Often, they begin to consume cloud services without establishing a solid security foundation during the development and deployment of their cloud infrastructure and workloads. Similarly, cloud administrators may rely on overly permissive identity and access management (IAM) policies. Hiring a cloud security architect is like hiring a contractor to build a house. A professional has the experience and expertise to lay a strong foundation and oversee construction of the framework, so you can have confidence that your build will be secure even if you choose to add on in the future.
The Role of Cloud Security Architects
Cloud security architects bring deep experience from the trenches of designing and implementing secure cloud solutions. They may work with your application teams on one day and your infrastructure team on another. But their most valuable role is taking a broad view of your entire organization, its consumption of cloud, and how corporate and applicable regulatory/compliance security policies are adhered to on a day-to-day basis.
As a cloud security architect myself, I see the role as that of a contractor overseeing the construction or renovation of a house. All too often, the house has already been built on a poor foundation before the security team gets involved. This commonly occurs when a team has been directed to quickly move to the cloud and they take the assumption “the cloud is secure” – clearly, because someone else is managing it. When they start building the house, organizations tend to leverage agile approaches which certainly aligns with cloud adoption BUT thought must be put into the agile methodology pouring the foundation is considered. As well, organizations often don’t understand how existing corporate and compliance security policies apply to the cloud and/or they don’t understand cloud risks well enough to establish a strong foundation to build on. That can affect the entire organization down the road as cloud gains use across the enterprise. But when teams are told to “Go deploy!” they do, and commonly lay a weak foundation.
At that point, there is typically rework needed to ensure a solid foundation. There’s also a good probability that workloads will have to be moved while the rework tasks are being completed.
Involving security early and often during all phases of development can help avoid this scenario. Otherwise, someone has to go back and fix the security foundation or, even more challenging, rooms that are built upon the foundation containing the workloads. If the walls are already up and people are working (and sometimes living) in the building, it’s much more time-consuming and expensive. This is an extremely common occurrence. A good cloud security architecture expert can help by shoring up security, even as your cloud consumption increases.
Cloud Is NOT Just Someone Else’s Datacenter
While traditional architecture shares some aspects of cloud services, such as virtual machines, storage, and networking objects, cloud services create more risk due to their flexibility. Most cloud services allow for data-flow connections to other cloud services, raising the risk of bypassing traditional security control points, even in cases where the data flows can be established to non-approved accounts. Similarly, the profusion of cloud APIs allow cloud consumers to be more granular with their infrastructure and workloads, but it also increases risk. You can compare cloud to a conference center where organizers use its spaces in different ways — perhaps for a tradeshow one week and a gala the next. This type of space provides flexibility, but securing it is more difficult.
This difference between traditional architecture and cloud architecture is critical, and those who believe cloud is “just using someone else’s data center” are likely to make common mistakes that put their security at risk. One mistake is when organizations assign the role to an existing security architect who has spent his or her career supporting traditional data centers and three-tiered applications. Without cloud-specific training, a security architect may not know that cloud uses space differently or that how users move through the space impacts its security.
Another all too common mistake I find is that cloud account roles are sometimes given full access to all APIs within a service — or even worse — everyone is a cloud administrator. Risk analysis should be performed on the cloud service APIs and guardrails should be established to reduce risk for the enterprise.
As I previously said, cloud disrupts business and how we manage our infrastructure and workloads. It takes departments that were once carved up and siloed and fuses them together. Depending on how a company is organized, this can result in discussions about who owns which cloud objects and how certain business processes will function. To facilitate this shift, you need a cloud security architect with eyes across the company who can provide contextual insight into how business and security issues intersect.
How to Rate a Cloud Security Architect
Before I get into how to choose a cloud security architect, I should point out that your organization shouldn’t solely rely on cloud security services that monitor and enforce security policies, whether native or third party. Even though services such as Microsoft Defender for Cloud are designed to monitor and assist in enforcing security policies in the cloud, at a minimum, they don’t understand context and generally speaking look for best practices and recommendations against industry standards and compliance frameworks. They lack the ability to automatically translate corporate policies and security architectural principles (i.e. don’t connect production to non-production workloads or networks). Whether your cloud environment is infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS) — or even a combination of the three — you need the expert eye of a cloud security architect to work alongside the various organizations consuming cloud to ensure a solid security posture. A seasoned cloud security architect leverages their insight into your business allowing them to maintain a high level of visibility across cloud resources, identify and manage risks before vulnerabilities are introduced within your cloud infrastructure and maintain security policies across your enterprise.
When you choose to hire a Cloud Security Architect, never solely rely on someone having a certification as sole proof that they are capable of designing, implementing, and defending your cloud security infrastructure. They may have the technical understanding of how to do the job, but the key way someone gains the skills and expertise needed to build and protect your house is through hands-on, trial-and-error experience. Ask prospective hires about their worst experiences supporting the design and implementation of cloud services. If they insist that every deployment was a success, they probably aren’t prepared for the worst. Hire someone who has war stories; someone who has experienced the good, the bad, and the ugly of securing enterprise cloud environments. Then you’ll feel confident they can defend your infrastructure against threats —no matter what type of unforeseen issues arise.
It’s common for an enterprise to implement cloud environments with sub-par security postures because they are pressured to move fast and lack the knowledge needed to properly secure the cloud. One common challenge with the adoption of cloud is the application of the term agile, which is a more than acceptable approach when, and only when, the architecture and all supporting aspects of the environment have been thought through. People are people, and when they are working agile, they aren’t thinking about the repercussions of every decision they make. Rearchitecting your security after the fact is a huge undertaking and can be costly. Finding workarounds and optimizing your security based on the house you have and not the one you wish you had built requires the help of an expert who can make sure your cloud security infrastructure is strong enough to defend against attacks at all levels.
No matter where your organization is in its migration to the cloud, CyberOne has the expertise to help operationalize and optimize your security environment. Connect with us to get started.
Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years focusing on architecture, design, and development of information systems within various business units and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and a M.S. in Security Engineering (Southern Methodist University).