Why Is Cloud Security So Hard? (Hint: It’s Not)
Imagine you’ve been riding your bicycle every day to work for the past 20 years. You’ve got all the right gear and the hand signals down pat. You know the routes and even the backup routes in case there is construction or a detour. You can sense when a car is coming, and you automatically compensate.
Now imagine you move to another country where they drive on the OTHER side of the road! Did the bicycle change? Did the asphalt change? No, but EVERYTHING ELSE did!
In theory, you are still able to bike from point A to point B, but now not only have the roads changed, so have the side of the road you belong on, the hand signals, and even the bike/car culture and relationship! Everything changed except for the bicycle and the road.
This is what happens when you’re migrating to the cloud: your application didn’t change, but everything around it did.
The way you do network security, logging, and SIEM is different. Identity and Access Management (IAM) is completely different. Your custom WAF rules need to be translated or ported over. How do you triage compromised hosts? Some capabilities may not even be possible with your Public Cloud provider, depending on the features available.
Side Note: Failing to optimize your application for the Cloud can be another obstacle. Imagine taking a bike with summer tires and riding it in snow. Is it possible? Yes. Efficient and safe? No. More on this another time…
Conclusion: Moral of the story?
Securing your application is not hard. Securing it in a completely new environment, without knowing the rules of the road, is. Take the time to learn the rules of the road and avoid cloud security speedbumps or accidents. Cloud Responsibly.
Ayman Elsawah / AWS Security Strategist
This article originally appeared on LinkedIn on May 7th, 2018.