Uncovering Hidden Risks 5.29.24
Ep 18 | 5.29.24

Navigating Multicloud Security Risks: A Customer Story

Transcript

Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode. Welcome to another episode of the "Uncovering Hidden Risks" podcast. In today's episode we will discuss multicloud security risks. Specifically, we'll be talking with one of our customers about their journey uncovering the challenges and strategies for safeguarding cloud-native applications across various cloud platforms. You will hear valuable insights to bolster your defenses in an ever-evolving threat landscape. So get ready to transform your approach to multicloud security. Let's start by introducing today's guest, who will join us for the discussion. Christian Koberg Pineda is a principal security DevOps engineer with five years of experience in cloud security, working at a large retail company with a presence in more than six countries in South and Central America. Christian, welcome to the show.

Christian Koberg Pineda: Thank you for having me. It's a pleasure to be here.

Erica Toelle: Also joining us today is Bojan Magusic. Bojan is a product manager in the customer experience engineering team at Microsoft. In this role he acts as a subject matter expert for large organizations looking to realize the full value of Microsoft's cloud-native application protection platform. And also, as an aside, if you would like to learn more about CNAPP solutions, please check out our previous episode of "Uncovering Hidden Risks," where we talk about that solution area in a lot of detail. Bojan, also great to have you here. Thanks for joining us.

Bojan Magusic: Great to be here. Thank you, Erica.

Erica Toelle: And with that, let's dive into today's topic. So Christian, what are some of the challenges when using more than one public cloud provider?

Christian Koberg Pineda: Well, Erica, there are a lot of challenges in this regard. There is an inherent risk from complexity. For example, identity and access, cloud governance, and also the different skills that teams need to have are only a few. I would say that what is most challenging about multicloud environments is that now you have more than one environment to manage, in ways that could completely differ from one another. This of course applies to security as well. So now you need to take into consideration, for example, the different security configurations for each resource type and its cloud provider. That is why you should standardize and centralize as much as possible. Also, if you already have some security solutions, you need them to be able to be implemented and to perform in or for each cloud. If not, you should look for solutions that do, hopefully cloud-native ones.

Bojan Magusic: Christian, I have a follow-up question around that. Drawing upon personal experience, and you also touched upon how configurations and even technical implementations between different cloud providers can differ, I'd love to get your thoughts on what you believe is most important when organizations look to standardize cloud security posture across a multicloud estate.

Christian Koberg Pineda: In that regard, I think metrics are a very important topic. You must be able to speak the same language across different clouds. For example, use international standards and best practices. This could be relevant also for upper management, and you must be able to measure progress and avoid confusion when reporting security statuses, also when reporting vulnerabilities to the organizations or teams that remediate them. One good approach here is to have a centralized CSPM solution.

Erica Toelle: Christian, do identities and challenges with managing different identity providers also tie into the complexities of operating more than one public cloud provider?

Christian Koberg Pineda: Yes. And identity differentiation is a key topic to consider when dealing with multicloud environments. It can be very challenging to manage different identity management solutions for each cloud provider when you use more than one. The right approach is to centralize in one reliable identity management tool, but of course you also need to have a break-the-glass account for extreme scenarios where an identity provider may fail. For example, one problem that I encountered once was that some coworkers registered in our cloud environment with the same domain as the company, but they were local accounts. Those kinds of accounts are risky because they do not have the security configurations that you set for the federated accounts, such as enforced MFA or expiration time for sessions. Another one can be impossible travel. And this could lead to a false sense of security regarding access management. For this you need to consider the specifics of the different cloud providers to be able to configure the identity management solution properly.

Erica Toelle: From your experience, what are some key things that organizations should look into when they go about standardizing cloud security posture management in the real world, across maybe more than two public cloud providers?

Christian Koberg Pineda: Well, focus on what is important for the company risk-wise. Also, adapt baselines to your company's necessities. Look for cloud-native solutions with good integrations. This is very important for that integrity. Also search for scalability and automation, flexibility and customization. You need to be able to take the correct approach for each scenario. And of course, reporting on remediations.

Bojan Magusic: Christian, how important do you consider flexibility to be in what an organization wants to measure when they're looking to standardize CSPM across multiple public cloud providers?

Christian Koberg Pineda: I think that is very relevant, and it depends on how mature the organization is, whether it is able to adapt and change, or whether the teams have the necessary skills to resolve active vulnerabilities from bad configurations and to act quickly on them, or whether our teams are able to change the way that they develop. When an organization has many different development teams, it's hard to standardize the whole organization at once to a high level of security, or to make broad changes in the way that they develop. So in some cases you need to be more strategic in how to onboard security compliance in your organization. One approach is to go in waves. Of course, there are vulnerabilities that need to be remediated no matter what, as soon as possible. But it's good to have this flexibility on board.

Erica Toelle: Christian, one of the challenges that we hear organizations facing is the struggle to properly secure cloud-native applications and infrastructure throughout the full life cycle. We recently released a research report called the 2024 State of Multicloud Risk Report, where we found some key insights to help understand exactly why secure development and deployment processes are so critical. At the development level, we found 65% of code repositories contained source code vulnerabilities in 2023, which remained in the code for 58 days on average. In your experience, how can CNAPP help to proactively identify and manage risks such as source code vulnerabilities before they can be exploited?

Christian Koberg Pineda: Well, CNAPP is like the big provider of CSPM and CWPP solutions. It gives you the possibility to manage security for your deployments or solutions considering the full life cycle. This way you can detect vulnerabilities that could be present from the start and remediate them before you go to production. You can do this by implementing security checks and controls in your pipelines, to test, for example, whether you have hard-coded passwords or vulnerabilities in your dependencies. Also, if you are using microservices or containers for your applications, you could check for vulnerabilities in the container image before you deploy it. This is very helpful, I guess, in scenarios where you need to iterate rapidly in the development life cycle. So this allows developers and development teams to productively remediate vulnerabilities before they are exposed to attackers. And of course, for large organizations with many different developers, it's easy to get overwhelmed and [inaudible 00:09:25] to prioritize. So having fewer vulnerabilities to remediate at once is a very good thing.

Bojan Magusic: As multicloud environments grow in scale, so too does the number of various resources that they house. Christian, in your experience, do you see more risks with certain resource types compared to others? Like, from all of the resources that an organization has in their multicloud environment, which resource types do you consider to be most at risk?

Christian Koberg Pineda: Well, this is a really good point. When we speak about clouds, scaling comes integrated, so one of the most relevant characteristics of cloud computing is that you can scale things on demand. And as a cloud security expert you must think in scale too. You need to implement a security tool that is also capable of scaling together with your infrastructure or your service. Take into consideration, for example, when you implement an EDR solution or vulnerability scanning solution [inaudible 00:10:33] virtual machine that could potentially scale. If your solution doesn't scale with it, you will be protecting only a part of your infrastructure. And if you also do not realize this, you will have a false sense of security. And in security this is a very dangerous situation. And yes, some resource types could be more at risk than others, but it depends on how they are configured and how exposed they are. Also whether it is a new resource type or not; this brings up the topic of the maturity of the cloud provider when developing a new service to offer. At the beginning, for example, some cloud providers didn't have secure configurations as default, or the resource didn't have a way to be secured. Personally, I consider everything that could be exposed as a high-risk resource type, but in that group, for me, virtual machines, including Kubernetes nodes, and databases are the most important ones. There are a lot of bots scanning public IPs trying to find that breach in the resource. For example, if you deploy a virtual machine with a public IP and an open firewall, it will be targeted from several countries at least once in the next 30 minutes. Other resource types that are more and more used are the serverless ones. And for those, as for instances, it is important not to expose them directly. In my experience it is best to implement a load balancer in front of them and add a WAF-type solution.

Erica Toelle: Earlier in the podcast you spoke about the importance of identity management. Closely related to that, the multicloud risk report found that when we looked across the permissions assigned to users across the cloud applications, only 2% of the assigned permissions were actually used. And 50% of those assigned permissions were considered high risk. What are your thoughts about this?

Christian Koberg Pineda: Well, Erica, access and permissions is another crucial topic when speaking about cloud. For example, when DevOps teams need permissions to something in the cloud, normally the cloud admin assigns roles to them, or to automated accounts such as service accounts or service principals. It depends on the cloud provider, but those permissions could come in roles, meaning a group of permissions. And in some cases the cloud admins assign a role that has more permissions than necessary because it's easier than narrowing down the exact permissions needed. So there will be permissions that will not be used. The recommendation here is to assign only the permissions that are strictly necessary and/or assign roles following the principle of least privilege. Some cloud providers even let you create customized roles. In addition, it's important to review those permissions from time to time to evaluate whether they are still necessary or up to date.

Erica Toelle: Christian, looking ahead to the future, what are some things you believe are going to impact how organizations secure multicloud environments?

Christian Koberg Pineda: Well, for me it's the use of next-generation AI. Thinking about how it will be used for assessing the cloud security posture in more complex scenarios, or how next-generation AI can be used to attack organizations with differing structures in the cloud. Thinking about the potential that this technology has to learn on the go is frightening. And that brings us to the question: how to defend organizations against next-generation AI attacks.

Erica Toelle: And Bojan, when you look ahead, what are some of the things you think are going to impact how organizations secure multicloud environments?

Bojan Magusic: I'd echo Christian's point around generative AI, and I believe AI in general can, as a tool, be used for either good or bad. It really comes down to how it's used and who wields it. So I believe we're at this very precipice of seeing gen AI in action, and I'm expecting to see more ways that generative AI can help us defend critical infrastructure against cyber attacks. At the same time, I believe we need to give generative AI the hard tasks. While we can use it to automate simple tasks, I believe that by giving it tasks that are hard to accomplish in real life, for example remediating misconfigurations across different public cloud providers, where even technical implementations of the solution can differ, this is where I believe we're going to see generative AI add a lot of value and even supercharge the way we make our critical infrastructure, but also our multicloud environments, more secure.

Erica Toelle: So thank you so much, Christian and Bojan, for joining us today. That's just about all the time we have, but we do have a tradition on this podcast. At the end we ask all of our guests: what is your personal motto, or what words do you live by? Christian, would you like to start?

Christian Koberg Pineda: Well, I don't really have a personal motto, but I really like to innovate, so I am always trying to think about the future in technology, because in a lot of cases that future is already here.

Erica Toelle: And how about you, Bojan?

Bojan Magusic: I'd love to approach each challenge with a desire to learn something new and to enjoy the journey. So I'm going to go with that.

Erica Toelle: Well, I think those are both very wise words. So thank you so much for sharing. And thank you also so much for joining us on the podcast today. Christian, I learned a lot from you, and I really appreciate you taking the time to join us. And Bojan, thanks again for being our guest host.

Christian Koberg Pineda: Thank you, Erica. Thank you for having me.

Bojan Magusic: Thank you.

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode, and don't forget to tweet us at @msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus. [ Music ]