What's in the Cloud?
Melissa: Chief Information Security Officer
Noah: Security Engineer
Amber: Head of Assurance and Compliance
Melissa: How can we get a list of all Cloud deployed applications?
Noah: We don’t have any capability. Everything changes so fast, CI/CD and infrastructure as code makes it rather hard to track deployments across the environment.
Melissa: We have 50 vendors, and we cannot answer that question?
Noah: We can build it. It would be helpful for the Application Security teams, the Incident Response Team, and the Compliance team. DevOps and Architecture teams might find it useful too.
Amber: Would I be able to get details about applications and compliance obligations without going to 20 different teams. Coordination is so hard. It is so frustrating.
Noah: We can build that too. That would be easy. 4 Engineers, A Technical Program Manager, and a business analyst, and we can do it in 8 months, and of course, we have to maintain it afterward. But we can build it.
Melissa: (In her head) That would be a million dollars in just resource cost. There has to be a better way.
“No one knows what’s in the Cloud, especially your Cloud.”
As an industry, we have focused on the shiny new things, the best of breed, whatever is in the news while neglecting the fundamentals. Fundamentals, basic hygiene. Asset management and tracking, program management. Cloud has aggravated this situation. Deployments and the need to generate value quickly are so high that there is a constant churn in most Cloud environments. In that backdrop most organizations struggle with answering basic questions like:
- How many cloud applications and workloads do we have in the Cloud?
- What are their business severity and risk? What data is processed by each?
- Where are they deployed? When were they last updated?
- What is the deployed architecture? Does it match the designed architecture? What was changed?
- What is the relationship between deployed applications and the underlying infrastructure?
- If I see a URL, can I track it back to my infrastructure and back to my code?
All teams need these answers. For example, incident response teams need it during investigations, the Application Security team to perform Threat Modeling, prioritizing vulnerabilities and approvals. DevOps to monitor changes in the application, Assurance to track evidence, and readiness assessments. The use cases for this fundamental capability are endless. Yet, most organizations struggle with these questions. Pick any Cybersecurity or Information Technology framework. The first control often is asset management. Lacking real-time automated asset management, we all struggle with handling the Cybersecurity program. We have all heard about the exposed S3 bucket that no one knew about, that EC2 instance exposed to the public, that RDS database in a public subnet with Personally Identifiable Information that deployed an application that looks like a completely different beast in production.
Asset management is often delegating as IT’s responsibility. Sometimes that works, but more often than not, it does not. Lack of good asset management often translates to a lack of suitable program performance measurement, that Peter Ducker quote. “If you cannot measure it, you cannot improve it.”
To get better at Cybersecurity, it is time we get better at fundamentals. So instead of running after the latest FUD, we focus on getting the basics right. But not as a standalone capability but an integrated capability that enriches every other capability — it becomes a Force multiplier. Once the fundamentals are correct, we have a better chance of building something sustainable and right-sized. Perhaps we might not even need 50 vendors.
Ahsan Mir is CEO of Rapticore, a cybersecurity startup. Ahsan has extensive experience in security operations, incident management, and leadership. He enjoys reading, trail running, climbing, and feeding birds. He can be reached on LinkedIn.