The challenges facing chief information security officers (CISOs) have evolved dramatically in the past decade. Today, they must align their security efforts — and budgets — with the business goals of their organization, which may range from maintaining customer confidence that their data is safe to protecting intellectual property from theft.

As a key member of the executive management team, CISOs often have board-level reporting responsibilities. They must manage a new and daunting level of technical complexity introduced by the cloud, where identities are virtually the first and last line of defense. And the job doesn’t end there. To be successful, they must also put substantial effort into building a team with skills in a variety of disciplines, and choosing the right defensive technologies.

The Technical Challenge

The transition to remote or hybrid work models combined with accelerated cloud adoption has greatly expanded the attack surface CISOs must protect. Furthermore, they often have to deal with more than one cloud. The major providers — Amazon Web Services, Azure, and Google Cloud Platform — all have slightly different structures, procedures, requirements, and so on, all of which further increase the complexity of managing these sprawling architectures.

Data-center-oriented companies that have transitioned to the cloud obviously face a new set of security concerns that conventional firewalls were never designed to handle. Hence, the now commonly heard refrain “Identity is the new perimeter.” This is certainly true. While firewalls and other network-based controls shouldn’t be abandoned, CISOs need to focus on identity issues. The following three-step process can deliver results in this area quickly and efficiently.

- Rein in excess privileges. During a migration to the cloud, global privileges are often granted to everyone on the transition team. It’s best to avoid this, but if it happens, privileges should be reviewed and limited after the transition. One good way to do this is to monitor which resources are being accessed by which individuals. If an individual isn’t accessing a particular resource, the right to do so should be revoked.
- Correlate excess privileges and misconfigurations. Cloud misconfigurations are another serious risk. But when a privileged identity has access to a misconfigured cloud resource, the results can be disastrous. Fortunately, automated tools are now available to help detect misconfigurations, as well as excessive privileges, and remediate them to eliminate threats.
- Prioritize. There is never enough time or enough staff to correct every misconfiguration, so it’s important to focus on those that are the greatest source of security risk. For example, remediating identity-based access threats to cloud storage buckets is critical for preventing data breaches. Monitoring for configuration errors that expose data through excessive, default, etc., permissions should be a top priority.

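The three steps above can be sketched as a small review script: find entitlements nobody uses, join entitlements to misconfigured resources, and rank the result. This is an added example, not code from the original article; the identities, resources, scan findings and scoring weights are constructed assumptions, and usage is matched on exact (resource, action) pairs for simplicity.

```python
from collections import defaultdict

# Constructed sample data; identities, resources and findings are hypothetical.
GRANTS = {  # identity -> set of (resource, action) entitlements
    "alice": {("bucket/customer-data", "read"), ("bucket/customer-data", "write"),
              ("vm/build-01", "admin")},
    "migration-svc": {("bucket/customer-data", "admin"), ("bucket/logs", "admin"),
                      ("vm/build-01", "admin")},
}
ACCESS_LOG = [  # (identity, resource, action) seen during the review window
    ("alice", "bucket/customer-data", "read"),
    ("migration-svc", "bucket/logs", "admin"),
]
MISCONFIGS = {  # resource -> finding reported by a configuration scan
    "bucket/customer-data": "public-read ACL",
    "vm/build-01": "default credentials",
}

def unused_grants(grants, access_log):
    """Step 1: entitlements never exercised in the log are revocation candidates."""
    used = defaultdict(set)
    for identity, resource, action in access_log:
        used[identity].add((resource, action))
    return {i: ents - used[i] for i, ents in grants.items() if ents - used[i]}

def correlate(grants, misconfigs):
    """Step 2: pair each entitlement with a misconfiguration on the same resource."""
    return [(i, r, a, misconfigs[r])
            for i, ents in grants.items() for r, a in sorted(ents) if r in misconfigs]

def prioritize(grants, access_log, misconfigs):
    """Step 3: rank findings so data-exposing, powerful, unused rights come first."""
    unused = unused_grants(grants, access_log)
    ranked = []
    for identity, resource, action, finding in correlate(grants, misconfigs):
        score = 3 if resource.startswith("bucket/") else 1   # assumed weight: storage exposure
        score += 2 if action in ("write", "admin") else 0    # assumed weight: can change data
        score += 1 if (resource, action) in unused.get(identity, set()) else 0  # never used
        ranked.append((score, identity, resource, action, finding))
    return sorted(ranked, key=lambda f: (-f[0], f[1], f[2], f[3]))

if __name__ == "__main__":
    for score, identity, resource, action, finding in prioritize(GRANTS, ACCESS_LOG, MISCONFIGS):
        print(f"{score}  {identity:14} {action:6} {resource:22} {finding}")
```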
The Human Challenge

Securing cloud infrastructure demands unique skills, and finding qualified individuals to do the work is one of CISOs’ biggest challenges. There are three key areas of competency that every cloud security team should possess:

- Architectural competence. To assess an organization’s security posture and create a road map for maturing it over time, security teams require a reference model. The CSA framework is an excellent resource, and there are several others available. Without a clear understanding of architectural concepts presented in industry-standard security frameworks like CSA, it’s difficult to reduce the cloud attack surface and easy to overlook blind spots.
- Cloud engineering. The security team also needs to handle the day-to-day requirements of cloud security, which may include management, maintenance, and more. Competent cloud engineering is essential for “keeping the lights on” in the security sphere.
- Reactive capabilities. Globally, cyberattacks occur at the rate of 30,000 per day. Every enterprise can expect incidents to occur on a regular basis, and security teams need specialists who can react quickly to limit — if not prevent — serious consequences.

The ideal makeup of a cloud security team spans network, cloud, and development specialists who can work collaboratively.

The task of building a team with these capabilities is complicated by the fact that there is a shortage of 3.4 million cybersecurity workers at the moment. One approach that works well as a supplement to hiring is development from within through training. This may occur in-house or through third-party certification programs. Also, in choosing vendors, organizations should favor those whose offerings include a strong training component. If possible, CISOs may find ways to get non-security employees to work on some security tasks.

Once assembled, one of the problems that any security team will encounter is dealing with multi-cloud architectures, which are becoming the norm. Very few individuals are familiar with the tools, nomenclature, and security model of all three major cloud platforms. For this reason, many companies are turning to cloud-native technologies that understand the nuances associated with securing different cloud platforms and simplify security tasks for users who may lack specialized training in AWS, Azure, GCP, etc.

To sum up, the challenges facing today’s CISOs are largely driven by the cloud, which creates a greatly expanded attack surface that needs to be protected. Meanwhile, mastering the management model and tools used by each cloud platform requires security expertise that is in extremely short supply. Solutions are available that provide the visibility and platform knowledge needed to help security teams implement best practices for protecting their cloud infrastructure, while helping them up-skill analysts in the process.