Moving from blocker to enabler

07 October 2020

Olivier Subramanian, account principal, Contino

Change often brings about a sense of fear and anxiety, and therefore a reluctance to shift to a new way of working. This sense of ‘being outside your comfort zone’ prevents individuals and organisations from executing real change and embracing the public cloud.

We often see disappointing and frustrating outcomes when old-world thinking and behaviours are applied to the new world. The CISO and the security function become a blocker instead of an enabler.

Many public sector organisations have been embracing public cloud, and understanding the difference between the old world and the new is a key ingredient in enabling that change.

The traditional approach to IT security was to secure the edge and make sure the doors and windows were closed, thus securing the perimeter: a hard shell around a soft interior, where anyone who gets past the shell can move freely. I call this the Egg model.

The changing threat landscape of public cloud forces a defence-in-depth approach to security, with controls on each component of the architecture rather than only at the edge. I call this layered approach the Onion model.

The adoption of modern DevOps delivery techniques is helping to shift security left. This involves building security controls into the platform and the application, running automated security testing as part of the Continuous Integration process, and continuously assessing compliance both at build time (before a change is deployed) and at run time (against what is actually running).
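The "build and run" idea above, as an added example that is not code from the original article, from Contino or from any CSP: a small compliance-as-code rule set in Python, applied once to the deployment plan in the CI pipeline (the build-time gate) and again to a snapshot of the live estate (the run-time drift check). The resource shape, the rule identifiers (STOR-001 and so on), the helper names and both sample snapshots are constructed for illustration; the rules are loosely modelled on CIS Benchmark style controls.

```python
"""Compliance as code, run at build and at run.

Added example for this article (not Contino's tooling and not any CSP's API):
a small rule engine applied first to a deployment plan (build-time gate in CI)
and then to an inventory snapshot of the live estate (run-time drift check).
The resource shape, the rule identifiers and the sample data are constructed
for illustration; the checks are loosely modelled on CIS Benchmark style
controls (public storage, open admin ports, admin accounts without MFA).
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str
    detail: str


def check_public_storage(res):
    """Object storage must not be world-readable."""
    if res["type"] == "storage_bucket" and res.get("public_access", False):
        return Finding("STOR-001", res["name"], "HIGH", "bucket allows public access")
    return None


def check_storage_encryption(res):
    """Data at rest must be encrypted."""
    if res["type"] == "storage_bucket" and not res.get("encrypted", False):
        return Finding("STOR-002", res["name"], "MEDIUM", "bucket not encrypted at rest")
    return None


def check_open_admin_ports(res):
    """SSH/RDP must not be reachable from the whole internet."""
    if res["type"] != "security_group":
        return None
    for rule in res.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen == 0 and rule["port"] in (22, 3389):
            return Finding("NET-001", res["name"], "HIGH",
                           f"port {rule['port']} open to {rule['cidr']}")
    return None


def check_admin_mfa(res):
    """Privileged identities must have MFA enforced."""
    if res["type"] == "iam_user" and res.get("admin") and not res.get("mfa_enabled"):
        return Finding("IAM-001", res["name"], "HIGH", "admin user without MFA")
    return None


RULES = [check_public_storage, check_storage_encryption,
         check_open_admin_ports, check_admin_mfa]


def evaluate(resources):
    """Run every rule over every resource; returns all findings."""
    findings = []
    for res in resources:
        for rule in RULES:
            finding = rule(res)
            if finding:
                findings.append(finding)
    return findings


def gate_passes(findings, block_on=("HIGH",)):
    """CI gate: fail the build if any blocking-severity finding exists."""
    return not any(f.severity in block_on for f in findings)


# Constructed sample: what the pipeline is about to deploy.
BUILD_PLAN = [
    {"type": "storage_bucket", "name": "citizen-records", "public_access": False, "encrypted": True},
    {"type": "security_group", "name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "iam_user", "name": "platform-admin", "admin": True, "mfa_enabled": True},
]

# Constructed sample: the live estate some weeks later. Someone has opened the
# bucket and SSH from the console, so what is in git no longer matches reality.
RUN_INVENTORY = [
    {"type": "storage_bucket", "name": "citizen-records", "public_access": True, "encrypted": True},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "iam_user", "name": "platform-admin", "admin": True, "mfa_enabled": True},
]


if __name__ == "__main__":
    for stage, snapshot in (("build", BUILD_PLAN), ("run", RUN_INVENTORY)):
        findings = evaluate(snapshot)
        print(f"[{stage}] {'PASS' if gate_passes(findings) else 'FAIL'}")
        for f in findings:
            print(f"  {f.severity:6} {f.rule} {f.resource}: {f.detail}")
```

The point of sharing one rule set between the two stages is that a control which passed at build time, such as the bucket's public access setting here, can still drift once someone changes it in the console; the run-time pass catches that, while the build-time pass catches a bad change before it ships. In practice the snapshots would come from the infrastructure-as-code plan and the CSP's inventory APIs rather than from literals.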

Given the scope and pace of change, it is unrealistic for any one individual to remain completely up to date on all things cloud.

The modern CISO must become an enabler, so that the business achieves the agility and value of running its services in the public cloud.

The starting point is to trust the cloud and the CSPs, but that trust should be verified: as a CISO you still need to validate their security and governance controls yourself rather than take them on faith.

Each CSP lists the standards and compliance they have achieved through audit reports and attestations:

• Azure: Service Trust Portal

• AWS: AWS Artifact

• Google: Cloud Compliance & Regulations Resources

It is important to satisfy yourself that these independent audits and certifications provide enough information to meet your own security and compliance requirements. Note that they attest to the provider's side of the shared responsibility model; how you configure and operate your own tenancy is outside their scope. Understanding how these standards align to the UK Government security classifications is a key responsibility of the public sector CISO. The key standards to familiarise yourself with are CIS (the CIS Benchmarks published for each cloud platform), CSA (the Cloud Security Alliance's Cloud Controls Matrix) and NIST (for example SP 800-53 and the Cybersecurity Framework).

In my experience, public cloud solutions have been built to successfully satisfy the OFFICIAL and OFFICIAL-SENSITIVE classifications.

SECRET and TOP SECRET are beyond what standard public cloud can satisfy, because of the global nature of the services and of the support arrangements behind them.

When you move to the public cloud it is important to review the threat landscape and identify the threat actors. The primary actors to consider are:

• Malicious company system admin - an administrator in your own organisation who has access inside your cloud environment and misuses it

• Malicious company tenant - malicious activity taking place within your own cloud tenancy that affects other tenants or services

• Malicious CSP system admin - a cloud service provider administrator who has access to the underlying cloud fabric and takes negative action against customer services

• Malicious CSP employee - any other cloud service provider employee who takes negative action

• Naughty neighbour (in the cloud) - another tenant on the same shared infrastructure who attacks co-located tenants

• Eavesdropper - an actor who intercepts ingress/egress traffic to collect customer data

• Malicious external party - a party associated with neither the customer nor the CSP that seeks unauthorised access to the cloud environment

• Supply chain attacker - a party that compromises the CSP's upstream supply chain

The next stage is identifying the key threats to your public cloud environment across the supply chain. Some examples could be:

• Unauthorised code - has someone introduced weak or malicious code into what you deploy?

• Data breach - customer data is copied or exfiltrated

• Customer admins have "god" status and full control - this increases the blast radius of human error or malicious action

• CSP admins have "god" status over the fabric on which your services run

• The DevOps tool chain is not controlled - fully automated pipelines without gates or review allow bad or malicious code to be deployed straight to production

Having built this understanding, work with your senior engineers and the CSP's architects to identify the mitigations needed for each of these threats.
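One mitigation for the "god status" threat above, as an added example that is not code from the original article or from Contino, and not a CSP API: a Python check over IAM policy documents in the AWS-style JSON shape (a Statement list with Effect, Action and Resource) that flags statements granting full or service-wide control, and contrasts a "god" policy with a scoped one. The sample policies, the Sid values, the severity labels and the helper names are constructed for illustration, and the list of IAM escalation prefixes is deliberately short and not exhaustive.

```python
"""Blast-radius check for IAM policy documents.

Added example (not the article's, not Contino's, not an AWS/Azure/GCP API).
Parses a policy in the AWS-style JSON shape and flags statements that grant
'god' status. Two things a reviewer skimming for a literal "*" would miss are
covered: service-wide wildcards such as "ec2:*", and Allow statements that use
NotAction, which grant every action except the ones listed.
"""
from dataclasses import dataclass
import json

# Constructed, deliberately short list of IAM write actions that let a holder
# grant themselves more rights. Not exhaustive.
ESCALATION_PREFIXES = ("iam:passrole", "iam:create", "iam:put", "iam:attach",
                       "iam:update", "iam:add")


@dataclass(frozen=True)
class PolicyFinding:
    sid: str
    severity: str
    reason: str


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assess_statement(stmt):
    """Return a finding for one statement, or None if it looks scoped."""
    sid = stmt.get("Sid", "<no Sid>")
    if stmt.get("Effect") != "Allow":
        return None  # Deny statements only ever narrow access
    any_resource = "*" in _as_list(stmt.get("Resource"))
    if "NotAction" in stmt:
        return PolicyFinding(sid, "CRITICAL",
                             "Allow with NotAction grants every action not listed")
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    if "*" in actions and any_resource:
        return PolicyFinding(sid, "CRITICAL", "Action '*' on Resource '*': full control")
    if "*" in actions:
        return PolicyFinding(sid, "HIGH", "Action '*' on the listed resources")
    service_wide = [a for a in actions if a.endswith(":*")]
    if service_wide and any_resource:
        return PolicyFinding(sid, "HIGH", f"service-wide wildcard {service_wide} on Resource '*'")
    if any_resource and any(a.startswith(ESCALATION_PREFIXES) for a in actions):
        return PolicyFinding(sid, "HIGH", "IAM write actions on Resource '*' allow self-escalation")
    return None


def assess_policy(doc):
    """Accepts a JSON string or an already-parsed dict; returns all findings."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        finding = assess_statement(stmt)
        if finding:
            findings.append(finding)
    return findings


def blast_radius(doc):
    """Summarise a policy as 'god', 'broad' or 'scoped'."""
    severities = {f.severity for f in assess_policy(doc)}
    if "CRITICAL" in severities:
        return "god"
    if "HIGH" in severities:
        return "broad"
    return "scoped"


# Constructed sample policies.
GOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]})

# No "*" in any Action field, yet this is admin on everything except IAM.
SNEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllButIam", "Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}]}

BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Least privilege: named actions on named resources, plus an explicit Deny.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadRecords", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::citizen-records", "arn:aws:s3:::citizen-records/*"]},
    {"Sid": "NoPublicPolicy", "Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"}]}


if __name__ == "__main__":
    for name, policy in (("god", GOD_POLICY), ("sneaky", SNEAKY_POLICY),
                         ("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name:7} -> {blast_radius(policy)}")
        for f in assess_policy(policy):
            print(f"         {f.severity} [{f.sid}] {f.reason}")
```

Run this over every policy attached to human and pipeline identities and the output is a first cut of the blast radius each identity carries; the "sneaky" case is the one to watch for, since a NotAction grant contains no literal wildcard in its Action field and passes a naive grep.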

This is where the public sector CISO can make a massive difference to the organisation, by driving security to the heart of the organisation culture. I recommend three steps to drive this culture change:

Educate: as a starting point I recommend that the IT security teams build their knowledge of the key cloud concepts.

Embed: adopt the cross-functional team concept by embedding empowered security personnel into engineering teams. These people have delegated authority, and the knowledge, to make security decisions within the bounds of the project.

Evangelise: the final task on the journey is to educate the wider community, from the C-suite to operations, and to be seen to champion IT security and how it can empower the business.

As IT embraces public cloud and DevOps ways of working, the role of the public sector CISO becomes more important, not less.

The journey to becoming a modern CISO is rooted in trust. Trust the cloud and the CSPs, verify their controls, and enable the IT security teams and the wider community to drive change.