One thing that surprises me more than it probably should when I speak with people about their security programs is how much “The Cloud” freaks them out. And, after speaking with them for a while, it’s clear they should be worried.
But their habitual response to that worry is…you guessed it:
“We brought in vendor/solution/tool X to help us with that.”
As if more tools and technology will help you really solve problems in the way you think about what you do.
If you’re the one madly waving your hand in the back of the room, you’d be right. The proper solution to “The Cloud” is the same as the proper solution to any other security problem you face:
You need to have the right security architecture in place. And you need to understand what security architecture really is and what it should do for you.
That means it’s not a network diagram, or the way your controls are arranged in your DevSecOps CICD toolchain…or the way your security controls are integrated into the applications and services you have.
Those things are all part of it, but they aren’t “it.”
The part that’s missing is what matters most. And things like the plethora of cloud reference architectures out there just give people one more excuse to not think about what it is they need to be doing so they can focus on the problems “unique” to the cloud instead.
Do you really think exposed S2 buckets are a problem unique to the cloud? Really?
Um…they’re not. It’s just the same access control failure you probably already have elsewhere in your environment. And you have it because you don’t have a clear picture of what policies apply where and how control requirements are inherited from the top, sides and dimensions that define them.
Oh, and not-so-coincidentally, getting that linkage right is also the only viable way to demonstrate the value of what you do. But it’s gotta be linked all the way from the tippy-tippy top to the inky black depths of the code, cables and connections for it to work.
And that’s why people who don’t know what they don’t know keep making mistakes—not new mistakes, but the same mistakes. The Cloud is just like the mirror from Snow White: if you ask it “does my butt look big in this?” It’s going to give you a straight answer you can’t ignore.
That means if we want to stop ignoring the problems we really have…
…and if we want to stop trying to buy bigger, better and stronger band-aids to cover the gaps we find…one…single…agonizing…and…terrifying…step…at…a…time…
We’ve gotta figure out how to do proper security architecture, in focused, functional chunks that actually enable decisions to be made.
And we’ve gotta actually DO IT rather than simply knowing how and finding all kinds of excuses why we can’t actually integrate architecture development and use into our day-to-day security tasks.
Because if we don’t, eventually we’re going to have so many layers of band-aids, we won’t remember what we were supposed to look like.
And by then, it’ll be too late.
Sooo….solving this problem of understanding what architecture is for…how to actually do it every day without finding excuses…and using it to create a unified world across strategy to operations…
…is exactly what you’ll find in the August newsletter. To get it, go here:
If you don’t subscribe before it goes to the printer…
It’ll be gone like those credit card details you left lying around in an S3 bucket somewhere without the right lid.
Andrew S. Townley
Archistry Chief Executive
P.S. Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.
Or…you can just keep reading the blog, or ignore me and Archistry all together. I’m good either way.