As more organizations move to the cloud, security professionals are coming to a number of hard realizations, and quickly. First, saying “no” to the cloud is NOT happening. What IS happening is moving to the cloud, so get over it. Second, cloud providers are secretive, scheming Illuminati types that hide things from us. OK, I made up that second one, but it sometimes feels this way based on the paucity of control information they provide to us (for the record, a SOC2 report is NOT enough to satisfy most of us, cloud provider people). Third, when we try to map our existing control frameworks, compliance and security policies, and in-house tools to our cloud deployments, we often find…deficiencies. OK, OK. “Deficiencies” IS a bit of a generous term, I agree. In some cases, we find flat out incompatibilities, failures, or quizzical looks that chafe, and chafe deeply.
This is a huge problem, make no bones about it. If we can’t take our controls with us, and if the cloud providers or other leading vendors don’t provide equivalent controls, where does that leave us? For a few years now, I’ve authored a SANS study on cloud security that asks some pretty obvious questions, such as “Have you had incidents in the cloud?” and “What are the major security issues leading to incidents and breaches in the cloud?”
This year, across the board, most respondents indicated that their top fears were related to unauthorized access to cloud resources, both from outsiders and other tenants in the cloud provider environments they operated within. Vulnerabilities within the cloud environment and poor configurations of cloud assets were also major concerns for many.
In the past, we’ve lacked sound network security, logging, account management and control (including privileged user management), vulnerability management and monitoring, and more in the cloud…so where do we stand today?
Fortunately, the news is getting better all the time. As cloud services start to reach critical mass, cloud providers are adding more and more services and security capabilities all the time. More importantly, well-known vendors that we’ve come to rely on for our data center security have adapted their products to more readily function within cloud environments. We’ve seen a huge shift in the security vendor landscape to accommodate and integrate cloud provider APIs, create virtual machine images that are available as appliances within the providers’ marketplaces, and provide easy-to-use controls that can be automated and scale with highly dynamic cloud deployments.
Whew! It was dicey for a minute there, and we’re not out of the woods yet. Security and risk teams need to double down on evaluating solutions that are proven to mitigate major security risks in the cloud like privileged user account abuse or misuse, unpatched and poorly configured systems, and more. To be more successful at securing resources in the cloud, security teams need to come to the table with real solutions that can fulfill organizations’ internal policy needs, as well as regulatory and compliance requirements. Fortunately for us, there are more options than ever.
Last month I hosted a webinar that discussed some of the biggest challenges in adapting in-house controls to the cloud, and where we’ve seen security teams struggle to “bring their tools with them”. It also highlighted some new tools and capabilities that are changing the game, enabling security professionals to implement the same trusted tools and controls they’ve come to rely on in-house within their provider environments.

Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.