Cloud Control: Q&A with Mike McCabe on Bridging the Cloud Divide

March 12, 2024

Bridging the Cloud Divide: Mike McCabe on Shifting Security Paradigms

This week on Cloud Control, we're diving into the world of cloud security with Mike McCabe, founder of Cloud Security Partners. Mike takes us through his fascinating journey in the tech world, from the early days of cloud security to current trends and the future. He discusses the critical role of OWASP's Cloud Native Top Ten in shaping security practices and offers insights on overcoming common misconceptions in cloud security. Join us for a deep dive into Mike's expert perspective on evolving security challenges and strategies for success in the cloud era 👇

Question 1 💭

Michael, you founded Cloud Security Partners in 2017. Can you tell us what you were doing before that and what led to it? Was there a specific gap you were aiming to fill in cloud security at that time?

Answer 1 🎯

Before I started my own company, I worked in consulting and internal security teams. I mostly focused on application security and then cloud security as it emerged as a new field. In all of my roles, I enjoyed working as a part of a team and solving real security problems the most. Security is a constant struggle between what the business needs and what security knows should be done; we have to find a balance. I started Cloud Security Partners to focus on that. As an industry, we focus so much on finding security issues and washing our hands of them. Finding risks is step one; actually working to get them fixed is just as important. We work closely with our clients to remediate their risks, either through education or hands-on technical help, to ensure risks are closed out.


Question 2 💭

Thinking back to when you first started, how have you seen the landscape of cloud security change, especially with the rapid shift everyone's making towards cloud-native technologies?

Answer 2 🎯

Cloud usage started as a more scalable way to provision infrastructure while avoiding fixed costs. We were sold on the idea of never having to buy a server rack again and scaling to zero when we didn’t need resources. Cloud has grown to be much more than just servers in someone else’s data centers. Using cloud services isn’t really about cost savings but how quickly and flexibly we can get workloads running.

Unique challenges come from being able to scale instantly, and a mindset shift has to happen. The more traditional IT security mindset is that your firewall is your front door, stopping the bad guys from getting in. In the cloud, your front door is every one of the APIs the cloud providers offer to access their services. So, we’ve gone from controlling access with traditional network security controls to using IAM to restrict access. In some ways, this is great because the cloud providers offer very flexible and agile IAM solutions. On the other hand, when companies scale their cloud environments, misconfigured IAM is often one of their first mistakes.


Question 3 💭

You know, OWASP isn't just about the nitty-gritty technical stuff; it really helps mold the security culture in a lot of places. How do you think the Cloud Native Top Ten is changing the way companies think about security and their practices, especially as they're moving into or beefing up their cloud-native game?

Answer 3 🎯

I think the Cloud Native Top Ten is a good start, but it needs to be expanded beyond thinking of traditional application issues just replicated into the cloud. OWASP started as a code security effort; how do we make applications more secure? Now, cloud applications may have zero code (in the traditional sense) but still have huge functionality. The same concerns we had with traditional application security need to be expanded to encompass everything developers and companies should consider in the cloud world. It should also focus more on cloud-native solutions. The Cloud Native Top Ten needs to inform companies about the confluence of application and cloud security threats and how you build defenses against them.


Question 4 💭

From what you've seen, what are the biggest myths companies tend to believe about cloud security? And how do you guys at Cloud Security Partners go about clearing up those misunderstandings?

Answer 4 🎯

I think one of the biggest mistakes we see made is thinking of how you design your cloud environment with traditional network controls vs leaning into cloud-native controls with IAM. A lot of companies may not admit it but they’re on their second or third iteration of their cloud model. They tried lift and shift and found the same issues were present in the cloud as they were on-prem. It’s very hard to utilize the cloud well without leaning into the model and utilizing cloud-native controls and models. This means relying on IAM and non-traditional network controls vs trying to recreate your on-prem environment in the cloud. Then, figure out a model that works for you and scales at the same time. We also have to think about how we prevent issues vs trying to remediate them. We can’t scale our security teams to the size of our cloud infrastructure. So, using things like infrastructure as code and application security-like processes is a very effective way to prevent security issues.


Question 5 💭

You work with both startups and big players, right? I'm curious, what kind of cloud security gaps do you usually find that they tend to miss? And how do you tackle these issues differently in each case?

Answer 5 🎯

Interestingly, we don’t always see a huge difference between the issues that our large or small customers are dealing with. Both struggle to deal with misconfigurations and IAM in the cloud. Small companies have little or no dedicated security people to deal with the issues. Large companies have lots of security folks but are operating at a scale that makes fixing issues much more difficult. Something I say to a lot of folks curious about their cloud security is to look at their CSPM solution today and how many critical alerts are sitting there not being addressed. Small companies don’t always have the internal knowledge to know what to fix and how. Large companies are often overwhelmed by the scale of the issues.

Our approach is to make sure small companies are working towards remediating the biggest risks that will have the largest impacts. For larger companies it’s helping reduce the noise and also focus resources on fixing the big issues but doing it at scale. Prevention is the only cure in the cloud. We can’t test and fix our way to security, so we help large companies build patterns and models to build security in. Again, we focus on how to help companies prevent these issues from occurring vs how to remediate them. We, as security teams, can never scale to the size of the issue. We have to make the issues manageable at our size.


Question 6 💭

The cloud's always changing, and keeping up with security threats is like being in an ongoing battle. Is there a new cloud security threat on the horizon you think isn't getting the spotlight it deserves? How should folks in the field gear up for it?

Answer 6 🎯

From our experience, we’re seeing more attackers utilize cloud-native services to gain and retain access. There are so many services cloud providers offer now. Almost all of them offer ways to exfil data in a benign-looking manner without triggering alarms. There are also many ways to persist in environments without seeming malicious. We see more attackers being very knowledgeable about ways to utilize these services to persist in environments and to avoid detection completely.


Question 7 💭

You've got a ton of experience in application security. How do you think companies should tweak their AppSec game to fit better with cloud-native and hybrid cloud setups?

Answer 7 🎯

Companies and security orgs have to understand how application vulnerabilities and cloud models intersect. The classic example is the combo of SSRF and IMDS. Attackers use server-side request forgery (SSRF) to access the underlying role of an instance via AWS IMDS. In the on-prem world, having access to a server would mean having access to the internal network but not necessarily also a huge amount of data stores like in the cloud. In the cloud, when you combine these vulnerabilities together, you give attackers a huge amount of access to your environment. It’s all too common to over-scope roles so that servers have more access to data they shouldn't access. We are still building models and methods to really segment data and access properly to avoid these issues. We have the tools but our security teams and application teams haven’t come together to implement it in many companies. So, AppSec teams have to understand cloud security and vice versa because they are not isolated from each other at all anymore.
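The SSRF-to-IMDS-to-over-scoped-role chain above is easiest to reason about as two separate misconfigurations that only become dangerous together. The following audit is an added example written for this newsletter page; it is not code from Cloud Security Partners or from AWS. It runs offline over constructed data shaped like `ec2.describe_instances`, `iam.get_instance_profile` and `iam.get_role_policy` responses (the field names `MetadataOptions.HttpTokens`, `HttpEndpoint` and `HttpPutResponseHopLimit` are real AWS fields; the instance IDs, account number and policies are made up), and reports instances where IMDSv1 is still reachable and the attached role carries wildcard permissions.

```python
"""Defensive audit for the SSRF -> IMDS -> over-scoped-role chain.

Runs offline over constructed data shaped like AWS API responses; to run it
against a real account, replace the SAMPLE_* constants with the results of
ec2.describe_instances(), iam.get_instance_profile() and iam.get_role_policy().
"""

# Constructed sample shaped like ec2.describe_instances()["Reservations"]
# (instance IDs and account number are made up).
SAMPLE_RESERVATIONS = [
    {
        "Instances": [
            {   # IMDSv1 still allowed and hop limit 2: an SSRF can read role credentials
                "InstanceId": "i-0aaa111",
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 2},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"},
            },
            {   # IMDSv2 enforced: a plain GET forged through an SSRF returns no credentials
                "InstanceId": "i-0bbb222",
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 1},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/worker-profile"},
            },
            {   # metadata endpoint disabled entirely, no instance profile attached
                "InstanceId": "i-0ccc333",
                "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 1},
            },
        ]
    }
]

# Constructed: instance-profile ARN -> role name, as iam.get_instance_profile() would show.
SAMPLE_PROFILE_ROLES = {
    "arn:aws:iam::123456789012:instance-profile/web-profile": "web-role",
    "arn:aws:iam::123456789012:instance-profile/worker-profile": "worker-role",
}

# Constructed inline policy documents keyed by role name (iam.get_role_policy()["PolicyDocument"]).
SAMPLE_POLICIES = {
    "web-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "worker-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:jobs"}]},
}


def imds_findings(reservations):
    """Return (instance_id, code) pairs for metadata settings that keep SSRF-to-IMDS viable."""
    findings = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # nothing to reach, so the chain is broken at step one
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "IMDSV1_ALLOWED"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                # a hop limit above 1 lets processes behind an extra network hop
                # (e.g. bridged containers) complete the IMDSv2 token handshake too
                findings.append((inst["InstanceId"], "HOP_LIMIT_GT_1"))
    return findings


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource
    return value if isinstance(value, list) else [value]


def wildcard_findings(policies):
    """Return (role, statement_index, broad_actions, resource_is_star) for over-scoped Allow statements."""
    findings = []
    for role, doc in policies.items():
        for idx, stmt in enumerate(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            broad = [a for a in actions if a == "*" or a.endswith(":*")]
            resource_star = "*" in _as_list(stmt.get("Resource", []))
            if broad or resource_star:
                findings.append((role, idx, broad, resource_star))
    return findings


def chained_risk(reservations, profile_roles, policies):
    """Instances where an SSRF could read credentials AND those credentials are over-scoped."""
    exposed = {iid for iid, code in imds_findings(reservations) if code == "IMDSV1_ALLOWED"}
    over_scoped_roles = {role for role, *_ in wildcard_findings(policies)}
    hits = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            arn = inst.get("IamInstanceProfile", {}).get("Arn")
            role = profile_roles.get(arn)
            if inst["InstanceId"] in exposed and role in over_scoped_roles:
                hits.append((inst["InstanceId"], role))
    return hits


if __name__ == "__main__":
    for finding in imds_findings(SAMPLE_RESERVATIONS):
        print("IMDS:", finding)
    for finding in wildcard_findings(SAMPLE_POLICIES):
        print("IAM:", finding)
    print("chained:", chained_risk(SAMPLE_RESERVATIONS, SAMPLE_PROFILE_ROLES, SAMPLE_POLICIES))
```

The two single-issue checks are worth tracking on their own (both map to common CSPM rules), but `chained_risk` is the list that deserves the first remediation slot: either enforcing `HttpTokens=required` on the instance or narrowing the role's actions and resources breaks the chain, and doing both removes the dependence on application code being free of SSRF.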


Question 8 💭

Have you ever been in a bit of a pickle with clients, needing to get super creative to fit a solution into some really tight constraints or rules? How did you manage to keep things compliant but still nimble when it comes to cloud security?

Answer 8 🎯

In security, we’re always balancing what businesses will do and what we want them to do. It’s our core job to explain and help mitigate the risk without trying to shut down the business. Sometimes, we find a solution that solves the issues and doesn’t impact, sometimes the opposite. A lot of the time, we have to find a compromise where there’s limited impact on the business, but we might not remediate a risk completely.

Question 9 💭

AI is of course the hot topic right now. So, what strategies would you recommend for organizations looking to futureproof their cloud security posture with AI?

Answer 9 🎯

I have a lot of concerns about issues with AI models and the integrations themselves but a lot of it comes back to data security. I’m curious about what issues we’ll run into when we integrate LLMs or AI into decision-making; that scares me a bit. Otherwise, we have a lot of concerns with data security and AI as well. Where are we storing it, how are we controlling access, where is it leaking via models or otherwise. Some things are certainly new in the AI space; some things are the same concerns we haven’t eliminated elsewhere. An area that may be interesting for AI in cloud security is autoremediation. It’s a control we haven’t seen implemented nearly enough, in my opinion. At the speed and scale of cloud implementations, you have to remediate in a more automated fashion. This has had low adoption from companies as they’re afraid of the potential downsides. Utilizing AI and enriched data about issues may lead to more trust of automating certain issues away. Let’s hope.


Question 10 💭

Looking ahead, what emerging trends or technologies do you believe will significantly impact cloud and application security in the next 5-10 years? What about the even nearer term?

Answer 10 🎯

I think the next 5-10 years will be a continuation of what we’ve seen starting in the cloud world of utilizing the best service for the use case without caring about the provider. I think most companies will become multi-cloud without thinking about it. Teams will adopt services from various providers, and the security teams will have to catch up and learn to secure them. This includes not only the IaaS and PaaS providers but SaaS as well. We’ll see more and more dispersed workloads on various platforms for what works best for the use case, including truly serverless services that we have zero code-level control over. This will be a huge challenge for security teams as we often struggle with one platform, much less dozens. Obviously, every company will be experimenting with or integrating AI into their products, which means dealing with all the risks that AI introduces. I think for application and cloud security practitioners, we have to keep experimenting and learning to keep up with the pace of developers and IT teams and the solutions they are building. It’s gonna be fun!

Latest AWS and Azure Updates You Don’t Want to Miss

  1. Sellers can now resell third-party professional services in AWS Marketplace
  2. Stream data into Snowflake using Kinesis Data Firehose and Snowflake Snowpipe Streaming (Preview)
  3. Amazon ECS and AWS Fargate now integrate with Amazon EBS
  4. Azure API management developer portal unveils enhanced features for increased developer productivity
  5. Azure application gateway introduces support for TLS and TCP protocols

Top Articles and Resources of the Week

Articles

  1. French state services hit by cyberattacks of 'unprecedented intensity'
  2. Top US cybersecurity agency hacked and forced to take some systems offline
  3. New open source tool hunts for APT activity in the cloud
  4. NSA releases top ten best practices for cloud environments
  5. CISO’s guides to engaging the board, artificial intelligence, and cyber insurance

Resources

  1. Major Cloud Security Events and Conferences: Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.
  2. Top 50 InfoSec Networking Groups to Join: Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.
  3. CIS Benchmarks: The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.
  4. SANS Practical Guide to Security in the AWS Cloud: In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.
  5. Security Best Practices for Azure Solutions: Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.