By Clare O’Gara
Wed | Jul 8, 2020 | 6:15 AM PDT

Sometimes it's useful to take a step back and assess what we've learned.

Amid the chaos of COVID-19 and the rapid switch to remote work, this may have never been more true — particularly around cloud security.

What are the remote work security gaps exposed by the COVID-19 shift to the cloud? What are common factors in cloud security misconfigurations? With cybersecurity features built into many cloud platforms, do you need a third-party or external cloud security solution?

In a podcast conversation with Aaron Ansari, Vice President of Cloud One - Conformity at Trend Micro, we discussed these cloud security questions and more.

Here are five critical takeaways about cloud security from our discussion.

1. Cloud security and the COVID-19 digital transformation

Nearly every organization accelerated its cloud adoption as the global pandemic took hold, out of necessity:

"There's an inability for these organizations to be able to support, build, maintain, and create the way that they used to when people aren't there to do it. You can't rack and stack a server, you can't plug in, you can't test, you can't go through your iterative build process anymore. It has to be done remotely. And so there's a huge shift for the organizations that were thinking about migrating to the cloud.

One of the jokes that we've made is, "what actually had caused the digital shift in your transformation in your organization? Was it your CIO? Was it your CTO? Or was it COVID-19?" And the answer is, it was COVID-19. You know, the CIO and the CTO have been talking for years about this digital transformation. And it was COVID-19. That got it implemented."

2. What are cloud security gaps in the work from home environment?

Ansari says significant cybersecurity gaps have been exposed and magnified as a result of COVID-created cloud adoption rates:

"Unfortunately, it's at every level. If you think about an open systems interface model or a tech stack, what I mean is: it's at the desktop level, it's at the endpoint level, it's at the mobile phone level, it's at the application level, it's at the network level. Everything that happens from a shift to home.

There's just all these sorts of things stacked on top of each other and compounded, which really caught many organizations, you know, and left them out in the cold because they were being very, very reactive and having to act quicker than they had anticipated."

3. How do limited IT and security skill-sets increase cloud security risk? 

"When you're building a cloud environment, you might be a developer. And as a developer, you are specifically going through and trying to build an application, but you don't have a real deep understanding of database and you don't have a real deep understanding of computers. And so on and so forth. You're sitting there, building this environment by yourself, and you're just clicking. Yes, I need this. Yes, I need this. Next, next, next, next, next, and boom, you've got an environment.

Now, it might be functional for what you're trying to do. But the reality is that you just took a blueprint that you think kind of works and you tried to build your house, and you didn't build your house correctly. It might look like something that it's supposed to on the outside, but on the inside, you put something a little too heavy on one wall and the whole thing comes crumbling down."

4. Why do you need a third-party security solution in the cloud?

"A layered or defense in depth approach is a best strategy or best practice from a security standpoint or a compliance standpoint, just across the board. And so part of that is relying on what's provided to you from the cloud providers, that's a great foundation to build upon.

But if you're in a multi-cloud environment, if you're in a hybrid sort of environment, if you're in an environment that isn't necessarily as cookie cutter or as simple as you know — and only a simple small percentage of the cloud environments are — you're going to need that validation that comes from the third party solutions. Solutions that are able to give you cross-platform, cross-cloud, much deeper and much more of a complex understanding of the implementations that they've seen."

And this is where Ansari's team and Cloud One Conformity at Trend Micro come in. The idea is simplification:

"Would you want one solution that is best of breed in most of those domains, that gives you that complete visibility and simplifies your third party risk, right?

Because if you had six different vendors and six different solutions, you got six different third party risks and six different relationships that you have to manage. Versus when you migrate to Cloud One, you've got one solution, one vendor, someone with whom you trust and somebody who you're only managing the third party risk associated with one organization."

5. What does the future of cloud transformation look like to you?

"I believe and I think and I am seeing that organizations are being a little bit cautious and still trying to maintain some sort of hybrid migration towards the cloud. However, we certainly are seeing the future going serverless, we certainly are seeing the future go towards containers.

Forgive the pun here, since I work for Trend Micro, but a trend is that serverless organizations are going to increase."

Interested in the rest of this conversation? It's one of our many episodes from the SecureWorld Sessions Podcast.
