Cloud Apps and APIs are the Biggest Security Threat to Enterprises

A developer-first approach allows organisations to address vulnerabilities without worrying about them at runtime and long before they are deployed out to thousands of endpoints.

“With India’s population size and huge economic posture, there are plenty of potential valuable targets, making it no surprise that the country deals with as many data breaches as it does,” Nathan Wenzler, Chief Security Strategist, Tenable, said.

With over 20 years of experience in both the public and private sectors, Wenzler specialises in helping executives and security professionals develop their security strategy, comprehend their cyber risk, and enhance their security posture.

In this exclusive interaction with Analytics India Magazine, Nathan Wenzler discusses cloud security in the Indian context, threats from APIs, third parties and challenges associated with cloud security posture management.

AIM: How do we ensure data is more secure on the cloud?

Nathan: The ephemeral, complex nature of cloud environments makes them difficult to secure. The lack of visibility into how many cloud resources are running often gives rise to misconfigurations, which are the most common form of vulnerability in those environments. Traditional network security measures such as firewalls are often less effective in the cloud as there is no perimeter to protect. Security solutions must be able to function at the scale and speed of the cloud, and they need to support both the developer and the security workflows during the entire software development lifecycle. 

In cloud environments, Infrastructure as Code (IaC) has become a powerful tool to automatically define the entire infrastructure that organisations will build their services on and, as such, IaC needs to be secure from the start. With IaC security tools that generate the code to remediate risks, developers can easily mitigate them before the code is deployed.

A developer-first approach allows organisations to address vulnerabilities without worrying about them at runtime and long before they are deployed out to thousands of endpoints. Fix the problem in one place, not 50,000 places. With the right cloud security posture management tools, organisations can better understand security risks and drive next-generation capabilities towards achieving advanced security threat modelling, breach path prediction and more. Most importantly, this approach makes security proactive, builds cyber resilience, and allows organisations the confidence to innovate in the cloud without worrying about security risks. 

AIM: Insecure cloud APIs pose a great challenge for Indian organisations. How do you deal with this?

Nathan: Cloud apps and APIs are a fertile entry point for attackers as they’re designed to be exposed to the internet and serve large user traffic. Modern cloud apps are often built with resiliency in mind but also suffer from insecurities, vulnerabilities and misconfigurations. Attackers often leverage insecure cloud APIs to expand their blast radius as it gets them access to the cloud network and reaches critical business databases.

Cloud apps and APIs also integrate with several third-party APIs for purposes like notification, monitoring, data aggregation, and security analytics. Often, these supply-chain components are built with code from open-source libraries, which leads to cloud apps inheriting vulnerabilities from off-the-shelf software.

Addressing security risks associated with APIs requires a strong partnership between development and security teams to ensure that there is an up-to-date inventory of all the APIs in use across the organisation. Since API security solutions are still coming to maturity, organisations need solutions that can offer automated API discovery capabilities and API scanning. But more importantly, it’s not enough to simply locate misconfiguration errors. 

They need to be remediated quickly to prevent breaches. This requires security tools that are explicitly designed to support both developer and security in order to avoid creating a bottleneck in the DevOps process. When security solutions offer a broader context of how APIs fit into the system, prioritising security efforts becomes easier. 

AIM: How do you tackle the risk posed by third parties?

Nathan: Supply chain attacks have become increasingly common in recent years, with SolarWinds being one of the largest to date. With these types of attacks increasing over the years, organisations need to focus on more preventative security approaches such as leveraging a formal exposure management programme framework to deal with risks, both before and after they are exploited. 

This is because securing a complex and dynamic attack surface with several third parties in the software supply chain depends on how well organisations understand all of the conditions that matter in their IT environments. Exposure management brings together technologies like vulnerability management, web application security, cloud security, identity security, attack path analysis and external attack surface management to give organisations a full picture of where the exposures lie, how those exposures could be leveraged to attack other areas of the organisation and where the most vulnerable business assets are within the environment. This type of visibility provides a more proactive view of how a potential third-party breach could affect the rest of your environment and gives a better perspective on what can be done to secure those points along the attack chain.

AIM: What are some of the key challenges to cloud security posture management and how to address them?

Nathan: The SolarWinds attack gave us a glimpse into how insecure code or pipelines can have far-reaching outcomes. If an attacker were to compromise the CI/CD pipeline, then it would automate the process of delivering the malicious change made by the attacker into the code throughout the entire production environment. This is highly dangerous and mitigating misconfigurations at runtime is nearly impossible with legacy CSPM tools as they do not address security at the time when the code is written. 

Increasingly, identity and access management is emerging as an additional major challenge as applications become more complex and increase in number. The reality of complex cloud environments is that even mid-sized organisations have thousands, or tens of thousands, of roles. It’s impossible to manage them manually. This brings in security challenges because all it takes is one overly permissive role for cybercriminals to compromise and they can penetrate a cloud environment and move laterally to access critical information. Being able to manage identities and roles used to support these cloud-based applications and services relies on stronger process, automation and consistent configuration management throughout the entire deployment pipeline.

AIM: How does changing security posture help establish deterrence against cyberattacks?

Nathan: Organisations cannot outrun cybercriminals as they always find lucrative ways to leverage the easiest route to breach an organisation. This is why more mature organisations are embracing a stronger preventative approach to how they identify and manage risk within their environment, rather than relying on traditional reactive technologies to protect them. 

We know attacks will happen. We know that data breaches occur at incredible rates. Taking the older model of only building walls of defence and hoping for the best is simply not an effective approach when faced with the speed and scalability of how attacks are leveraged today. Instead, embracing a risk-centric approach to getting ahead of the problem as much as possible is the key to building a strategy that helps organisations make better decisions about where, when and how to mitigate risks so that their traditional walls of defence aren’t overwhelmed and can be more effective due to having to address fewer overall attacks. 

This preventative approach means leaning into more discovery and assessment technologies, incorporating threat intelligence and business context into the understanding of what risks are relevant to the organisation and feeding this into an effective, prioritised remediation plan which addresses the most likely areas of risk before attackers can take advantage of them. 

The focus on preventative processes may seem like what we’ve always been doing, but leaning on tools like firewalls and endpoint security alone has put us in a fully defensive position of security tools which only react and respond to an attack as it happens. The more we get ahead of these issues and eliminate the places where cybercriminals could potentially breach our environments ahead of time, the stronger and more secure our organisations will be.

Pritam Bordoloi

I have a keen interest in creative writing and artificial intelligence. As a journalist, I deep dive into the world of technology and analyse how it’s restructuring business models and reshaping society.