10 Harsh Truths About Cloud Security
As a specialist in cloud security due diligence and third-party security risk management, I present the hardest aspects of the discipline. Questionnaires and scanners have created a culture of "checkmarkism" that lead to fast results but low value advice.
I completed over 400 cloud third-party risk assessments. Working for a cloud vendor, I also participated in over 200 due diligence processes. I'm on both sides of the fence. This position provides me with unique insights into how companies approach third-party management in an era of cloud ubiquity.
And I'm here to tell you that cloud vendor security assessments face formidable challenges, some of which I've yet to find a solution to.
This week's article idea came to me when I saw how the MOVEit file transfer app hack is becoming an 8-figure worldwide catastrophe.
On the surface, MOVEit looks like any other "secure" software company that deals with data. See, looking at the MOVEit website, you find marketing posts about "Increasing Collaboration at Work While Reducing Security Risk", and, I kid you not, "How MOVEit Enables Regulatory Compliance". Its security page lists MOVEit as owning all the standard certifications on the market such as ISO27001, SOC2 and PIC-DSS! They even post their information security policy online.
Plus, you have hundreds of companies spanning healthcare, financial services, and governments, who all did their due diligence on MOVEit. And there we are. Could this disaster have been avoided?
The truth is, to a certain point, it's impossible to predict which cloud vendor will become the next MOVEit. But, despite the difficulties I will outline below, that doesn't mean we are completely powerless.
But first, let's look at some problems we need to overcome.
You Need Cloud Vendors
"The cloud is merely someone else's computer." I'm sure you've heard that one. The recent explosion of AI put that idea to rest. AI requires a massive amount of computing. Guess what? Chips optimized for AI have become a hot-topic geopolitical issue. China and the US are in a trade war over them.
In short: an insurance company in Michigan isn't getting its hands on AI computing infrastructure anytime soon unless they use cloud services.
This is not a piece on the benefits of the cloud. I'll list some considerations about why a majority of organizations pick cloud vendors for all their software needs:
- Reduce undifferentiated engineering. Talented human developers and IT specialists are one of the most scarce resources for any company. It's better to pour your resources into your core business apps.
- Automatic updates. Cloud vendors remediate thousands of vulnerabilities daily, invisibly. No need to install a new version of the software.
- Geographic accessibility. Newsflash: videoconferences with lags suck. You can't pull this off on-premises, especially with organizations with a presence on both coasts or across continents.
The Cloud Shared Responsibility Model is not Well Understood
The wildest story I know about cloud due diligence is about a poor vendor that had to wrestle with a customer requirement about putting their data in an "air gap". What is an "air gapped" system? The definition varies, but the generally accepted notion is akin to the computer room in those Mission Impossible movies where Tom Cruise is suspended on cables trying to hack them.
Now, here's the thing, the whole point of cloud computing is it being... a shared infrastructure, also known as the exact opposite of an air gap.
How can this happen? This story shows a misconception on the customer's side about the responsibility model. Depending on the type of subscription, customers relinquish a certain part of responsibility to the vendors. The greener the column, the less you have to worry about. Thus, asking for dedicated compute, networking, storage, hardware and facility was a customer that wanted the whole blue part when buying a SaaS product.
Providers are no better. Most immature SaaS vendors will "hide behind" their hosting provider. "We're secure because we run on AWS" doesn't cut it. AWS is an infrastructure provider first. There is not a lot of green in IaaS!
So you have this weird situation where 1) companies ask the cloud providers for things that make no sense in a shared infrastructure context and 2) providers shy away from their responsibilities.
No wonder everybody's confused. Or shall I say... In a fog.
Checkmarkism is a Plague
As a security specialist for a SaaS provider hosted in AWS, my pet peeve is customers requiring a specific colour for our network cables.
"This is our standard".
So if you want blue and another customer wants pink, what gives?
Scaling the due diligence process in a manner that does not suck for either the vendor or the customer is the biggest mystery in the current enterprise cloud market.
I understand both realities. Companies use on average 250+ SaaS apps. Cloud vendors have hundreds, if not thousands of customers. A provider cannot tailor its security measures to everyone. A customer cannot keep track of every specific quirk of each vendor.
For now, companies use dreaded questionnaires to scale their reviews. The longest I did was over 900 questions. The problem with questionnaires is their binary nature. I only use them as a last resort in my own third-party reviews, as I feel they don't give an accurate view of the companies' security practices. Let's face it, almost every vendor that filled my questionnaire's primary objective was to "pass", not to help me understand how they do things.
The problem becomes evident when looking at things from the vendor's point of view. There isn't a unique, objective good way to secure a company. There are local privacy and labour laws. There are security technologies that are not cost-effective. There are contradictory password requirements. But the questionnaire only takes a yes or a no, and every "no" is an automated escalation.
Which means...
You Need Security Specialists to Make it Work (for now)
If you are involved in procurement or legal negotiations, here's a cheat code to streamline your process when you are in a dreadlock: get two security people on a call to sort it out together.
Why do I know? I've hopped on many calls, on both sides of the fence, and untangled many problems. "We're not using this preventive control due to the impact of false-positive on application uptime, instead we rely on increased user training and detection measures." "Makes sense given our availability requirement is higher than our confidentiality classification, accepted."
This is probably a knock on the security specialists as a whole, but our jargon and perspective are still too hermetic. I remember an anecdote where a provider had more than doubled our basic Recovery Time Objective (RTO) in our contract template. Our legal counsel reached out to me, ready for a comeback. I looked at the use case and shrugged it off: "Availability is not a big concern for this app, accepted". Turns out I hadn't explained to anyone what was an RTO in the first place!
Resellers are a Double-Edged Sword
I have a mixed relationship with resellers. These companies buy software licences "in bulk" at a discounted price from the likes of Microsoft or ServiceNow, and then resell (duh) them back to customers at a lower price than the list price along with implementation and support services.
The good thing about resellers is having someone that cares about you. Unless you're the Pentagon or NASA, large providers such as Microsoft don't care about smaller deals. Good resellers can even become partners and advisors.
The bad thing about resellers is you have no direct relationship with the cloud provider. The Microsofts of the world sell at a discount for a reason: they're buying convenience. If you buy from a reseller, you don't have a direct relationship with the provider. They may not even have your contact information to inform you of an incident... This also means you are stuck on the cloud vendors' "clickwrap" deal, which is typically lopsided towards the vendor. Fun anecdote: I've seen a vendor restrict its liability to $2 in a clickwrap deal.
Regulation Breeds Lower Competition
Looking at privacy regulations, especially the GDPR, as a human rights issue is beautiful. At its core, this is what privacy is about and it is a worthwhile cause.
But then there is the actual enforcement of the law.
Regulations like the GDPR incentivize companies to gravitate towards larger established companies because they're the ones who can hire privacy specialists to implement compliance... or absorb the fines.
Lawmakers made the situation even worse by putting an extremely high bar on anonymization thresholds, ruling that IP addresses are personal information, classifying business contact information at the same level as personal addresses, and...whatever is up with cookie banners.
Whenever a business use case involves personal information, the shortlist of available vendors thins out.
Onsite Audits Work. But You're Not Getting Them
One of my main tasks currently involves coordinating external security audits (and making them fun). Once I've shown the evidence and explained the approach behind them, I believe the auditor obtains an accurate picture of our practices. In a due diligence setting, if you are about to spend millions on a cloud relationship, I recommend an external audit to protect your investment.
But here's the thing. I said millions. All the vendors I have reviewed put some type of limitation on how much you can audit them. And for good reason! Audits take many days and slow down business operations.
On the other hand, a poor substitute for audits is...
Automated Scanners are Awful for Vendors
Some companies attempt to solve the "questionnaire mystery" with automation. They are the "security ratings platform". What these tools do is scrape the web for any SaaS's (say that out loud) digital footprint, and afterwards run every open-source vulnerability scanner on them. They crunch a rating out of that to gamify the whole thing. "You got an F!"
The problem? Picture yourself as a cloud vendor. G2 lists 185 security risk analysis vendors. A good automated vulnerability scanner has an accuracy of around 76%. That's a lot of false positives to sift through, on a inhuman number of platforms.
These automated scoring apps bring the problem back to the questionnaire conundrum. It's fun to gather structured data for reports, dashboards and heatmaps. It's even easier to just require a more or less arbitrary number to have a vendor "pass". But ultimately if nobody is trying to understand the context, what value does it bring?
AI Will Turn Everything Into Noise
Fun fact: I had a product research session with a vendor who uses generative AI to autofill due diligence questionnaires on behalf of cloud vendors. I also had a call with a vendor who uses generative AI to autoread security questionnaires. These products are live.
The future of the discipline will be AI talking to each other in a language neither language models understand.
The questionnaires, the standards and the automated scanners, for their thirst for automation, are paving the way for generative AI to create a bunch of useless insights.
If we want to remain relevant advisors, we must acknowledge that whatever information we gather needs supplemental insight to be valuable.
A machine can chase a checkmark.
A machine can answer a questionnaire and ask for follow-up questions.
A machine can spit out a third-party risk assessment.
However, a machine cannot really understand an application's security design, a company's security program and strategy, based around current business objectives and priorities. Well at least not yet.
Insurance Companies Can Save the Day, But Will They?
If you were to ask me how I would automate my job to remove myself from the due diligence mumbo jumbo, I would put my hopes in insurance companies.
Insurance companies have the necessary data about breaches, plus actuaries' math wizardry, to evaluate security risks in a quantifiable, "moneyable" manner.
The biggest flaw of security scanners is that they are external and are making guesses on an environment that they don't know.
Insurance companies, as independent intermediaries, have access to embedding their advanced scanners in their customers' IT systems.
We're already seeing compliance automation platforms using their agents to generate SOC2 reports.
I imagine a marriage of our current auditors with insurance underwriters who could blow our minds with correlations on their clients' postures.
Thinking outside of the box, maybe we will get informed of a vendor's security maturity by looking at how our cyber insurance premiums change.
Now, the last time I did an insurance claim on my car, I dealt with faxed documents. I'm not holding my breath...