Consumption of public cloud is way ahead of the ability to secure it

Even though it is easy enough to prevent S3 buckets leaking onto the internet, Barracuda says people haven't worked out how to use the native cloud security controls properly.

As companies need to build applications to cater for distributed workforces, the use of public cloud is a no-brainer, but as the parade of companies failing to secure S3 buckets shows, cloud customers are failing to secure it properly.

"What we've seen across the board is most customers consumption of public cloud is way ahead of their ability to secure it," Barracuda senior vice president of data protection, network and application security Tim Jefferson told ZDNet.

"They haven't figured out how to use the native services securely and how to instrument the controls because in many of those cases they're very developer focus, so you'd have to essentially be a software developer to really understand how the application teams are using the native services, and then get your head around the best way [of] architecting controls."

For Jefferson, he believes the solution is sitting right there on the cloud platforms themselves.

"The magic of public cloud is all the instrumentation and monitoring is done, it's sitting there for free, which is historically the most expensive and hard part to do on premise," he said.

"The trick now is just knowing how to call those APIs and suck in that telemetry and make it more actionable which companies like us have ... we can identify within seconds, every resource that's deployed, who deployed it, what its configuration state is, and how does that compare against best practice and then you can automate remediation."

See also: Cybersecurity starts with the network fundamentals

Siran Eren, founder and CEO of zero trust access provider Fyde until November when the company was purchased by Barracuda, added it is possible to keep an eye on multiple clouds through a single interface.

"If you have Azure deployments, if you have a hybrid environment with AWS and GCP in the mix, you might have SaaS solutions like Office 365, Salesforce, you now have a control plane for security controls that basically covers all of them from a single poison policy point of view," the now-vice president of zero trust access said.

"From this platform, you get a single control plane that spans over all your applications and you can define very broad yet granular policies from a single point. That's what I think we're in the business for, not point products any more, something that spans across cloud service providers and SaaS solutions."

As the shift to working from home at the start of the year began, the old reliance on the VPN showed itself to be a potential bottleneck to employees being able to do what they are paid for.

"I think the new mechanism that we've been sitting on -- everyone's been doing for 20 years around VPN as a way of segmentation -- and then the zero trust access model is relatively new, I think that mechanism is really intriguing because [it] is so extensible to so many different problems in use cases that VPN's didn't solve, and then other use cases that people didn't even consider because there was no mechanism to do it," Jefferson said.

Going a step further, Eren thinks VPN usage between client and sites is on life support, but VPNs themselves are not going away.

"I would say to client-to-site VPN is gone -- that's going to be replaced with zero trust -- but site-to-site VPN is actually going to remain and zero trust is going to be on top of it," he said. "They're complementary."

Another effect from needing to handle a dispersed workforce has been the collapse of what was formerly a fairly-well defined corporate network perimeter.

Must read: Living with COVID-19 creates a privacy dilemma for us all

According to Jefferson, the new best practice is to push security controls as far out to the edge as possible, which undermines the role of traditional appliances like firewalls to be able to enforce security, and people are having to work out the best place for their controls in the new working environment.

"I used to be pretty comfortable. This guy, he had 10,000 lines of code written on my Palo Alto or Cisco and every time we did a firewall refresh every 10 years, we had to worry about the 47,000 ACLs [access control list] on the firewall, and now that gets highly distributed," he said.

"We even saw that in web application firewalls where instead of having a single web application firewall across many applications, now you tie [a] single web application firewall rule set per app, which makes it loosely coupled and then you can scale independent with the individual application, you can tune the rules in.

"I think that's been a big shift ... getting away from the tightly coupled centralised policy enforcement to highly distributed push out to the edge loosely coupled architecture."

Related Coverage