In this six-part blog series, the RSAC editorial team highlights the six buzz topics featured at RSAC 2022. Each blog will highlight one of the most popular topics and trends seen within related sessions. Our fifth topic is cloud security & CloudSecOps.
Security Industry Call-to-Action: We Need a Cloud Vulnerability Database
Pete Chronis, SVP, CISO at ViacomCBS
Ami Luttwak, Chief Technology Officer & Co-Founder at Wiz
John Yeoh, Global Vice President of Research at Cloud Security Alliance
This trio examines the security world of the pre-cloud era, the security cloud era that we have today, and how they differ in terms of vulnerabilities. In the pre-cloud era, users were fully responsible for the security of their hardware, network, servers, identities, and everything else. Security in the cloud era means cloud vendors shouldered responsibility for physical security, servers, network, hardware, managed services, and storage, while cloud users are responsible for application (CVEs), configuration, identities, and data.
The problem lies in that cloud vulnerabilities are different. There are new types of vulnerabilities (not software), such as configuration and identity vulnerabilities. Software owned by cloud providers has no defined patching process, no software version, and complex remediation steps.
Continuous Security—Integrating Pipeline Security
Vandana Verma Sehgal, Security Relations Leader at Snyk
Sehgal led her session by mentioning that the age-old battle of developers versus security versus operations still exists. Integrating security practices with the DevOps process can still be painful. DevSecOps fosters a blameless culture and focuses on the secure delivery of software.
You don’t BUY DevSecOps; you DO DevSecOps, says Sehgal. DevSecOps is an approach, a mindset, and a combination of culture, process, and technology.
Security practices must keep up with the agile pace of the cloud era. A successful program starts with the people and culture. Training and awareness, explaining and embracing new ways of working, equipping teams and individuals with the right level of ownership and tools. The new wave of CloudSecOps is a security-first approach.
Cloud Security: How to Defend Healthcare Data in the Cloud
Sai Gunaranjan, Principal Architect at Veradigm
Kyler Middleton, Cloud IAM Advocate at IAM Pulse
Digging right into the platform readiness stage, Gunaranjan and Middleton broke down AWS, Azure, and DevOps into readiness checklists on how to defend healthcare data in the cloud:
Cloud Platform Readiness Checklist for AWS: (1) Infrastructure as Code bootstrapping, (2) Flow logs and control plane logs aggregation, (3) Private network segmentation by environment and product, (4) CloudFront + Web Application Firewall (WAF)
For Azure: (1) Management groups, (2) Custom RBAC definitions (3) Centralized logging (4) Deploy Azure policies (5) Deploy Azure Defender for cloud/Azure Sentinel
DevOps Platform Readiness Checklist: (1) Remove public agent access, (2) Enable only trusted actions and extensions, (3) Remove access to host public pages or repos (4) Integrate with IDP solution to use corporate credentials
Read all of the series: