From the trenches: 4 cloud security lessons from Aon’s Chief Security Officer Anthony Belfiore

Cloud has driven innovation and agility for organizations, but for security teams it has also brought new levels of complexity around people, processes, and technology. Today’s elastic cloud environments have introduced new risks that security must develop approaches to address. Recently, CxO hosted a webinar and security executive roundtable titled “Take Control of your Cloud Infrastructure Security.” Security executives from across the world gathered to discuss their approaches to cloud security. Anthony Belfiore, Chief Security Officer at Aon, shared his approach to cloud infrastructure security and how he uses Wiz. Here are some of the key takeaways from the discussion and the insights that Anthony shared.

#1: Complexity drives challenges around maintaining a strong cloud security posture

A common theme echoed throughout the discussion and Anthony’s experiences was complexity. Cloud environments grow more complex every day, with new technologies and architectures rolled out continuously by a wide range of teams and owners, including third-party vendors. As a result, cloud risk is growing more complex as well. Security teams are stretched thin trying to get visibility into what’s out there and who owns what, and can’t afford to add more complexity to the mix themselves with complicated tools or agent-based deployments. This holds true when migrating from on-prem to the cloud, and when dealing with multiple cloud environments.

“We were running a heavy on-prem, proprietary, legacy application environment and wanted to leverage cloud... One thing we realized very quickly, when you try to port legacy on-prem apps to the cloud: they don’t port very well... When you port these things, sometimes things are lost in translation. Certain controls are dropped. Certain configurations don’t map effectively. For me, how could I get a level of comfort and assurance that [these apps] are operating in the cloud according to the security requirements and criteria we defined?” -- Anthony Belfiore

Whether dealing with migration, compliance requirements, or keeping up with the pace of internal innovation, maintaining cloud security posture is becoming more and more challenging. CISOs are looking for ways to simplify their security and get visibility into diverse, dynamic cloud environments wherever possible.

“Wiz deployed in 10-15 minutes across three clouds for a POC... 8 minutes after that, we got a full intuitive picture with contextualized view on a graph... We never had a tool deploy that quickly. It just ingests the APIs it needs to... It doesn’t impact the availability or stability of your infrastructure. Wiz sucks all the data in from your cloud and spits out a full picture of cloud environment with holes and vulnerabilities in minutes. It’s intuitively obvious to even the most junior engineers on the team.” -- Anthony Belfiore

#2: Having a cloud validation capability is important

Zero trust should apply to everything in security, including your own architecture. This means security teams need to be able to validate their cloud environment holistically across platforms, technologies, and layers of risk. Security teams can’t blindly trust third-party providers, or even their own topology diagrams. They must be able to validate and verify what’s actually happening in production.

“We were trusting Amazon and Azure implicitly, but it was a mistake. You’ve got to trust but validate; got to verify that everything is working in those clouds as it’s meant to. Whether dragging and dropping, or retrofitting legacy stuff, or building natively in cloud, you need a validation capability. Wiz, for Aon, has been that validation capability.” -- Anthony Belfiore

#3: Security teams need to spend their time on the most pressing issues

Security teams are outnumbered by DevOps dozens to one, and often face tens of thousands of alerts across their environment. They can’t afford to spend time on low priority alerts, or on chasing their DevOps partners to fix issues that have a low impact. They need to find ways to accurately prioritize issues, and should have a bias towards tools that bring quick time to value and enhanced security ROI.

“I have a finite amount of budget cycles and time. I have to allocate them to the most pressing issues... I’ve been doing security for 24 years, and I’ve never had a security tool deploy faster than Wiz, let alone return value. The mean time to value was under a half hour. It blew my guys away. When the engineering team came back with the readout, we thought they were lying to us. The results seemed impossible. I was jealous of what Wiz could do. It was insane.” -- Anthony Belfiore

Beyond time to value and security ROI, with limited security personnel and resources, cloud security teams are looking for ways to empower other security team members and DevOps partners. The more collaborative and accessible you can make your security investigations and remediation, the more your team can handle.

“One thing that’s been refreshing about Wiz is that because of the way it displays the data, even a security engineer or a DevOps user that doesn’t have the experience to understand what they’re looking at in the cloud can get the gist of what Wiz shows and the way it makes everything more palatable and intuitive. I’ve never seen a tool that takes something so complex and spits it out so simply and is basically like ‘apply fix here, look here, go here, do this.’ This is really the value proposition. Not everyone is going to have superstar cloud architects with all these certifications on the team, so it really helps having that level of color when you’re trying to address these types of issues.” -- Anthony Belfiore

#4: Agentless tools are the wave of the future

With the interconnectedness and complexity of cloud environments, security approaches that impact the environment are becoming increasingly untenable. Getting full coverage with agents is difficult enough on its own, before accounting for the added complexity and resource utilization they bring. There was general agreement among the CISOs in the discussion that less is more when it comes to security agents.

Authenticated scanning tools can be too intrusive and lead to negative impacts on cloud infrastructure as well. The right approach is one that is unobtrusive and has no impact on the cloud environment.

“You don’t need authenticated scans in the cloud with a tool like Wiz. What that means is, the way we used to do things on-prem with... any of these scanning VM platforms, that goes the way of the dodo. That’s one of the benefits of Wiz. Wiz is unobtrusive. It doesn’t have to interact with your assets on the port and protocol level, so you don’t have the potential for an issue... That’s the beauty with Wiz; it’s totally out of line, non-invasive, non-interrogating, and doesn’t impact the assets around it. It just sucks in the data it sees based on the native cloud APIs and operational data.” -- Anthony Belfiore

See the discussion for yourself

When it comes to the cloud, figuring out how to tackle the most critical issues as a security team is a never-ending challenge. Increasing complexity, the need for more visibility and validation, and ruthless prioritization are all key areas of focus for security teams at companies of all sizes. The roundtable and Anthony’s stories all served as good reminders of these facts. You can watch Anthony share his lessons and experiences yourself here.
