As a result of the world’s increasing reliance on digital systems and the internet, businesses face constant cyber threats that compromise sensitive data and create significant risk. Nathan Wenzler, Chief Security Strategist at Tenable, brings more than 20 years of public and private sector experience to the task of helping executives and security professionals develop robust security strategies, understand their cyber risks, and improve their security posture.
In this exclusive interview with AIM, Wenzler discusses critical topics in cloud security, including threats from APIs and third parties and the challenges of cloud security posture management.
AIM: How can businesses ensure that data is more secure in the cloud?
Nathan: The dynamic and complex nature of cloud environments can make securing them difficult. Traditional network security measures, like firewalls, are often less effective in cloud environments due to the lack of a defined perimeter. Security solutions must function at the scale and speed of the cloud, and they need to support both developer and security workflows throughout the software development lifecycle.
In cloud environments, Infrastructure as Code (IaC) has emerged as a powerful tool for automatically defining the infrastructure on which organizations build their services. Ensuring IaC is secure from the outset is critical, and using IaC security tools that generate remediation code allows developers to mitigate risks before deployment.
A developer-first approach, coupled with the right cloud security posture management tools, can help organizations better understand and address security risks, enabling them to innovate confidently without worrying about security vulnerabilities.
AIM: How can organizations deal with the challenges posed by insecure cloud APIs?
Nathan: Cloud apps and APIs are particularly vulnerable to attacks, as they are designed to be exposed to the internet and serve large user traffic. Attackers can exploit insecure cloud APIs to gain access to cloud networks and critical business databases. These APIs often integrate with third-party APIs for purposes like notifications, monitoring, and data aggregation, which can create additional security risks.
To address these risks, organizations need a strong partnership between development and security teams, as well as security solutions that offer automated API discovery capabilities and API scanning. Rapid remediation of misconfiguration errors is also essential to prevent breaches, which requires security tools designed to support both developers and security teams in avoiding bottlenecks in the DevOps process.
AIM: What strategies can help organizations tackle the risks posed by third parties?
Nathan: Supply chain attacks have become increasingly common in recent years, making preventative security approaches crucial for organizations. A formal exposure management program can help businesses deal with risks before and after exploitation. This approach encompasses technologies like vulnerability management, web application security, cloud security, identity security, attack path analysis, and external attack surface management to provide a comprehensive view of potential exposures and vulnerabilities.
By understanding the full extent of their attack surfaces, organizations can develop more proactive strategies for securing their environments and minimizing the impact of third-party breaches.
AIM: What are the key challenges of cloud security posture management, and how can organizations address them?
Nathan: The SolarWinds attack highlighted the dangers of insecure code or pipelines. If an attacker compromises the CI/CD pipeline, the malicious changes can be automatically deployed throughout the entire production environment. Traditional CSPM tools struggle to mitigate such misconfigurations at runtime, as they do not address security when code is written.
Identity and access management have also emerged as significant challenges as cloud environments become more complex. Organizations need strong processes, automation, and consistent configuration management throughout the deployment pipeline to manage the thousands of roles and identities supporting cloud-based applications and services.
AIM: How can changing security posture help establish deterrence against cyberattacks?
Nathan: Outrunning cybercriminals is not a viable strategy, as they continually find new ways to exploit vulnerabilities and breach organizations. More mature organizations are embracing a preventative approach to risk identification and management, rather than relying solely on traditional reactive security measures.
It is essential to accept that attacks will happen and data breaches will occur. Relying on older methods of simply building walls of defense and hoping for the best is not effective given the speed and scalability of modern attacks. Instead, adopting a risk-centric approach to proactively address problems can help organizations make better decisions about where, when, and how to mitigate risks so that traditional defenses can be more effective.
A preventative approach involves utilizing discovery and assessment technologies, incorporating threat intelligence and business context into risk evaluations, and creating prioritized remediation plans that address the most likely areas of risk before attackers can exploit them.
While this may seem like a continuation of past practices, relying solely on tools like firewalls and endpoint security has put organizations in a purely defensive position. By proactively addressing and eliminating potential breach points before cybercriminals can exploit them, organizations can significantly strengthen their security posture and protect sensitive data.