If you are working in Cloud Security in any area (or Cloud assurance or Governance), the title of this post probably caught your attention. You may have thought to yourself, “ah, clickbait!”. While this is a somewhat attention-grabbing statement, I don’t intend it to be clickbait. Instead, I hope to spark some discussion about why something simple on its face is simultaneously very difficult to get right.
I sometimes have conversations with people who don’t know me well and think I’m nice (or even “too nice”). Depending on the nature of the conversation, I may correct them. I intend to be kind, which appears as niceness but is fundamentally different. People sometimes draw a false equivalence between the attributes of kindness and those of niceness. Someone can be kind but not particularly nice. As I’ve written elsewhere, it can be kind to give someone extremely blunt feedback, but it may not feel nice to the person receiving it. Similarly, something that is simple, or made up of simple components, is not necessarily easy. For example, the idea of climbing a mountain is simple to comprehend but potentially very challenging to execute.
What do I mean when I say Cloud Security is simple? The principles that drive Cloud Security are really straightforward. First, have a good governance structure. Ensure that your identity and access management practices are based on least privilege and maintain that stance. Ensure visibility everywhere in your environment. Put appropriate controls in place to segment your Cloud platform so that a compromise in one area is contained. Deploy technology using patterns and maintain your configurations through constant checking and automation. Detect unusual events quickly and provide actionable information to critical stakeholders promptly. Automate heavily. These are simple concepts, even for non-technologists.
However, the execution of Cloud Security at scale is anything but easy. Take the area of entitlements, for example. Maintaining a consistent view of all of the entitlements held by every human and machine identity at scale is incredibly challenging. While the emerging product field of Cloud Identity and Entitlements Management (CIEM) intends to tackle this challenge, the solutions and the market are immature. Microsoft’s recent acquisition of CloudKnox, now rebranded as part of the Entra product family, is a case in point. Entra is an interesting product that provides information on Role-Based Access Control (RBAC) entitlements for Azure and other Cloud environments. Still, it does not yet give a view of Azure Active Directory entitlements. A combined view of Azure AD roles and Azure RBAC entitlements is critical for identifying potentially undesirable (toxic) combinations.
Without appropriately mature tooling, it is practically impossible for any Cloud Operations or Cloud Security Operations team to understand all entitlements held by any single identity or security principal. Given the number of breaches caused or facilitated by overprivileged credentials, this area desperately needs improved capability.
So Cloud Security is not easy, even if it is conceptually simple. An analogy struck me relating to DNA. The four bases that form DNA are relatively simple components. However, combined in an incredibly variable manner, they can create hugely complex organisms, ranging from a blue whale to a human to a fruit fly. Similarly, the variability of the underlying services in a Cloud environment and their combinations make securing Cloud solutions at scale incredibly challenging. Simple components build towards extremely complex “organic” ecosystems. As the line between IaaS and PaaS solutions becomes ever more blurred, the combinations increase in variability and complexity.
In a DNA-driven world, how the bases combine is governed by straightforward principles—Adenine pairs with Thymine, and Cytosine pairs with Guanine. During DNA replication, enzymes check to ensure that the correct bases have been added to the chain. If there are errors, they are removed at the source before the DNA is “written”.
In Cloud Security, we can keep our organisations focussed on the simple principles that will help us manage complexity at scale. From a practical perspective, we can build environments from version-controlled Infrastructure as Code (IaC). We can wrap IaC templates with Policy as Code pre-deployment checks. Post-deployment, we can use posture management and workload protection tools to validate that what we intended to build is what is actually running. And we can continue to educate our broader organisations that what appears simple is not easy. The lure of the Cloud is powerful, and its concepts are simple. However, the reality of how to get there safely is highly complex and requires the appropriate preparation, training and tooling to avoid disaster.
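One way to put the Policy as Code pre-deployment check into practice, as an added example that is not the post's own code: a small Python gate that reads the JSON produced by `terraform show -json plan.out`, collects the planned `azurerm_role_assignment` resources, and fails the pipeline when a privileged role is granted at a broad scope or when one principal accumulates a toxic role combination of the kind the entitlements discussion above describes. The deny rules, the toxic pair, and the sample plan are assumptions constructed for this example, not an organisation's actual standard.

```python
# Roles never allowed at subscription or management-group scope (assumed rule).
BROAD_SCOPE_DENY = {"Owner", "User Access Administrator"}
# Role pairs on one principal that together amount to Owner (assumed rule).
TOXIC_PAIRS = {frozenset({"Contributor", "User Access Administrator"})}


def is_broad_scope(scope: str) -> bool:
    """True for a bare subscription scope or any management-group scope."""
    parts = [p for p in scope.split("/") if p]
    return (parts[:1] == ["subscriptions"] and len(parts) == 2) or \
        parts[:2] == ["providers", "Microsoft.Management"]


def planned_role_assignments(plan: dict):
    """Yield (principal_id, role, scope) for every assignment the plan creates."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_role_assignment" or "create" not in change.get("actions", []):
            continue
        after = change["after"]
        yield after["principal_id"], after["role_definition_name"], after["scope"]


def evaluate(plan: dict) -> list[str]:
    """Return one finding per violation; an empty list means the plan may proceed."""
    findings, roles_by_principal = [], {}
    for principal, role, scope in planned_role_assignments(plan):
        roles_by_principal.setdefault(principal, set()).add(role)
        if role in BROAD_SCOPE_DENY and is_broad_scope(scope):
            findings.append(f"{principal}: '{role}' granted at broad scope {scope}")
    for principal, roles in roles_by_principal.items():
        for pair in TOXIC_PAIRS:
            if pair <= roles:  # principal holds every role in the toxic pair
                findings.append(f"{principal}: toxic combination {sorted(pair)}")
    return findings


def _ra(principal, role, scope):
    """Build one planned create of azurerm_role_assignment (constructed data)."""
    return {"type": "azurerm_role_assignment", "change": {"actions": ["create"], "after": {
        "principal_id": principal, "role_definition_name": role, "scope": scope}}}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [  # constructed plan
    _ra("sp-deploy", "Contributor", SUB + "/resourceGroups/rg-app"),
    _ra("sp-deploy", "User Access Administrator", SUB + "/resourceGroups/rg-app"),
    _ra("grp-admins", "Owner", SUB),
    _ra("sp-reader", "Reader", SUB)]}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_PLAN):
        print("DENY", finding)
    raise SystemExit(1 if evaluate(SAMPLE_PLAN) else 0)  # non-zero exit fails the pipeline
```

Running it against the constructed plan denies the subscription-wide Owner grant and the Contributor plus User Access Administrator pairing on `sp-deploy`, while the scoped Contributor and the Reader assignments pass.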