Post-COVID-19 security predictions: Where are we heading? (Includes interview)

Cybersecurity is a key concern, not least with the current situation. With cybercrime accelerating as COVID-19 spreads (as noted by major corporations like IBM), all industries need to consider the ramifications. To gain a sense of what experts in the computing and security sectors think of the current situation and post-COVID-19 world, Digital Journal worked with communications agency 10Fold to poll experts from Balbix, Bitglass, DivvyCloud, and Pulse Secure as part of a new series. The focus is on predictions for the cybersecurity industry going forward.

For the first part, we connected with DivvyCloud by Rapid7’s Chris DeRamus, who is the VP of Technology, Cloud Security Practice.

Remote work is here to stay

According to DeRamus, remote working is the ‘new normal’: “Some organizations preferred coming into the office for work prior to the pandemic because we enjoyed the sense of community. But, the current situation has changed our outlook on remote work, and the same is true for many organizations around the world.”

This means that: “Many companies are quickly realizing their employees are just as productive working from home through cloud apps and services as they are in the office space. In fact, in many cases employees are even more productive because they don’t waste time commuting. As such, we should expect plenty of organizations to transition to more frequent (or even permanent) remote work models once stay-at-home orders have been lifted. Organizations may even reduce or eliminate office spaces to cut back on overhead costs, especially those looking to climb out of economic hardship caused by the pandemic.”

Increase in cloud computing costs

To support remote work, organizations will need to prioritize cloud spend, as DeRamus explains: “Organizations have been spending more on cloud infrastructure to support their remote workforces. Increased demand spurred AWS’ sales to surpass $10 billion this past quarter and Azure is running out of capacity in some regions. As a result, organizations will need to “tighten the operational belt” from a budget perspective and ensure that the proper security and governance controls, virtual desktop infrastructure (VDIs), and other key instances are implemented.”

The age of Slack and Teams

For DivvyCloud, DeRamus notes, as well as plenty of other organizations, real-time communications platforms like Slack and Teams have been invaluable for navigating the work-from-home experience. DeRamus states: “We can expect to see a heightened demand for these tools even once this pandemic subsides. Additionally, organizations will need to focus on identity and access management in their cloud infrastructure. This will ensure employees are able to securely access the tools and resources they need to do their jobs while thwarting fraudulent unauthorized attempts from bad actors.”

Choosing between security and innovation in the cloud

This choice will continue to be a common, avoidable pitfall, says DeRamus. He evidences this by noting: “Nearly 50 percent of developers and engineers bypass cloud security and compliance policies and just 58% of organizations have clear guidelines for developers building applications in the public cloud. Developers work hard and fast to deploy new features and services to meet market demands, but without the proper guardrails in place, this can lead to misconfigured cloud instances, severe security flaws, and more.”

By way of example, DeRamus tells us: “In fact, in early April, it became publicly known that Zoom’s engineers bypassed common security features, such as not requiring users to add unique file names before saving their videos. While this allowed Zoom to support its exponential jump in demand (from 10 million daily users in December 2019 to over 200 million in March 2020), it also resulted in errors such as thousands of users’ videos being made publicly accessible on unprotected Amazon buckets. This news added to a string of other privacy concerns around Zoom. DevOps and security must be completely in sync to avoid similar pitfalls.”

Engineers will begin to tackle cloud security flaws earlier in the build pipeline

On this shift in thinking, DeRamus states: “Security and compliance practices have been mainly reactive, with teams scrambling to catch security/compliance flaws after cloud resources are built. But as anyone in that position can attest, there’s no putting the genie back in the lamp. Instead, engineers will need to focus on how “to-be-built” infrastructure or changes will affect the security and compliance of their cloud footprint while they are still in the continuous integration/continuous deployment pipeline.”

DeRamus offers an example of what this means in practice: “Zoom’s CEO pledged to shift the company’s engineering resources to proactively address issues with measures such as a third-party review of changes before they’re made, white box pen tests to further identify and address issues, and upgrading Zoom’s encryption scheme to AES 256-bit GCM encryption. Other organizations will leverage capabilities such as Infrastructure as Code security to build a virtual data model of what would have been built and either affirm or deny the compliance of proposed changes while also warning engineers of potential violations, thus giving them the opportunity to learn from the experience and incorporate learnings into future projects.”
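The pre-deployment check described above can be sketched as a small policy gate over a Terraform plan. This is an added example, not code from the article or from DivvyCloud; the rule set, the function names, and the sample plan (constructed, in the simplified shape of `terraform show -json` output) are assumptions.

```python
import json

# Constructed sample: simplified `terraform show -json` plan output.
PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.recordings", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"acl": "private"}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy",
     "change": {"actions": ["update"], "after": {"policy": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": None}},
]}

PUBLIC_ACLS = {"public-read", "public-read-write"}

def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def evaluate_plan(plan):
    """Return (severity, address, reason) for each violation in the planned state."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        # Only resources that will exist after apply matter; skip deletes and no-ops.
        if not after or not {"create", "update"} & set(rc["change"]["actions"]):
            continue
        if rc["type"] == "aws_s3_bucket" and after.get("acl") in PUBLIC_ACLS:
            findings.append(("deny", rc["address"], "bucket ACL grants public access"))
        if rc["type"] == "aws_iam_policy":
            doc = json.loads(after.get("policy") or "{}")
            for st in _as_list(doc.get("Statement", [])):
                if st.get("Effect") != "Allow":
                    continue
                actions = _as_list(st.get("Action", []))
                resources = _as_list(st.get("Resource", []))
                if "*" in actions and "*" in resources:
                    findings.append(("deny", rc["address"], "Allow * on *"))
                elif any(a.endswith(":*") for a in actions) and "*" in resources:
                    findings.append(("warn", rc["address"],
                                     "service-wide wildcard on all resources"))
    return findings

def verdict(findings):
    # Any "deny" fails the pipeline stage; warnings are reported but do not block.
    return "deny" if any(sev == "deny" for sev, _, _ in findings) else "affirm"
```

Run as a CI step before `terraform apply`, a "deny" verdict stops the change while "warn" findings are surfaced to the engineer without blocking.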

IAM is (and will continue to be) the primary perimeter in cloud security

Central to this security concern, DeRamus outlines why such an approach matters: “All users, apps, services, and systems in the cloud have an identity, and as organizations shifted to remote styles of work, they quickly learned that these relationships are complex. Understanding the full picture of access in the cloud and working toward least privileged access are difficult, but necessary endeavors to ensure security in the cloud. In the last couple months, plenty of enterprise security professionals have realized that cloud identity and access management (IAM) is an area where they are vulnerable because they lack insight into the complex problem.”

DeRamus goes on to explain the significance: “The repercussions of poor IAM governance are substantial and sometimes unpredictable. For example, last year a former AWS employee accessed over 100 million Capital One customers’ records after she bypassed a misconfigured web application firewall, then used privileged escalation to access the data. To protect the identity perimeter at scale, organizations need an automated monitoring and remediation solution for access management, role management, identity authentication and compliance auditing – all of which help enterprise security teams stay ahead in this complex landscape. Even once this pandemic subsides, we will continue to see a great emphasis placed on cloud IAM, especially as organizations continue to encourage remote work.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
