One step ahead – Cloudsec is leading security innovation, but companies need more innovators – Techerati

As spelt out in the oft-recited “shared security model”, cloud providers are responsible for protecting infrastructure, while the end-user is responsible for securing data, monitoring access and vulnerabilities, managing configurations, and observing anomalous user, host and network behaviours. Stu notes some organisations can’t quite seem to shake off the misnomers that cloud “either is by default insecure or is by default secure”. The truth is that the cloud is as secure as companies make it.

Then there’s the exceptional pace at which the cloud moves. At the start of the decade, the cloud was viewed as a cheaper data centre. Now with AI, containers and microservices, it’s regarded as business’s principal engine of innovation. For the cloud security professional it is therefore “difficult to feel adequately up to speed,” says Stu. Life as a cloudsec pro “is a continual learning curve and exploration of new tech.”

There’s also a people problem. Even though it’s now 14 years since AWS launched its all-conquering cloud, cloud security is still a rather niche industry skill and finding the right expertise is far from straightforward. Broadly speaking, cloud environments have different processes around monitoring, identity, configuration and encryption. “This continues to present recruitment challenges,” says Stu.

Finding the solution

Before joining the cloud security team at one of the world’s largest online food order and delivery services, Stu had stints at The Trainline, Capital One UK and Photobox. At this year’s Cloud & Cyber Security Expo Stu will draw on his expertise and past experiences to discuss 2019’s biggest data breaches and the lessons companies can learn from them.

Automation is one weapon his team are deploying more frequently. Thanks to the speed and power of today’s cloud, security automation is a far simpler proposition than it was five years ago. With automation, Stu’s team can auto-remediate processes and receive alerts in real-time in the event of system changes. While automation “is paramount to maturing your security posture,” Stu says “it’s not a silver bullet for absolutely every aspect of cloud security.” Knowing the difference is key.

Diving into automation has forced Stu’s security team to brush up on engineering and collaborate with the company’s devs. Together, they think of creative ways to use automation to bolster their cyber defences. “We are almost wholly techies and engineers at heart,” he says. “We work very closely with our colleagues in development teams to assist them and really understand their world. We are not siloed teams who rarely engage!”

In an age where employees can start connecting their browsers to any number of apps, it’s increasingly challenging for security teams to possess a panoptic view of their organisation’s cloud activity. It’s nevertheless vital they understand the cloud environment as best they can: the accounts owned, where data is located, applications running in the environment and the range of stakeholders accountable. “Without this, it’s difficult to know who to work with to make change,” says Stu, adding that his team have built a number of tools which provide real-time views into Just Eat’s cloud environments.

Another big change Stu effected when he joined Just Eat was establishing a company-aligned “solid risk framework” based on existing industry principles. While Stu has talked publicly about how he benefited from the Centre for Internet Security (CIS) benchmarking, he notes that there are several standards that can be leveraged from the likes of NIST and the Cloud Security Alliance. Rely on tried and tested principles he advises, as “fundamentally you don’t need to build [a framework] from scratch.”

Cloud-first, security first-rate

The cloud may be an uncertain frontier for many organisations but it is also home to the most innovative security professionals in the game, pros who simply have no choice but to defend creatively in the face of mounting and evolving cyber threats. For Stu, it’s time to acknowledge that “cloud-first organisations, with their pace and agility, are at the forefront of the security industry” — it is these innovators that will determine security success in the decade ahead.