Cloud Is Great - Until It Isn't - Ep. 119

In this episode we dive into the complex world of cloud security with Chris Hughes, Managing Cybersecurity Consultant, Oteemo. Cloud is great. For organizations in both the public sector and the enterprise, navigating the needed cloud acceleration the last year in the midst of mass remote work. It has created both significant opportunity and vast cloud security challenges.

We discuss how security practitioners should be thinking about moving forward their cloud security strategy for the new normal. The key considerations every security team must take into account such as managing workloads, the needs of the workforce and building for resiliency.

Additionally, we dive into themes such as reciprocity between key federal programs today. Including the Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP). Aimed at improving the cybersecurity of contractors provided services and products.

Episode Table of Contents

  • [01:29] Cloud Security Today
  • [07:10] Cloud Is Great When You Get It Right Every Single Time
  • [13:54] It’s Tough in Cyber
  • [20:20] Cloud Is Great Where There’s Very Strong Focus on Security Compliance
  • About Our Guest

Cloud Security Today

Eric: We're talking Cloud with not only a hands-on practitioner but also a professor. Let’s welcome Chris Hughes from Oteemo, managing cybersecurity consultants today.

Eric: Just for our audience's sake, Chris got over 15 years of cybersecurity and IT experience. Starting in the US Air Force, you were civil servants working with the Navy, GSA, DHS, DISA. You've worked with commercial organizations in the financial industry. You're a professor at the University of Maryland Global Campus and Capitol Technology University for masters-level cybersecurity programs.

Eric: I don't know where you get all the time. Welcome to, To The Point. We're going to talk a little Cloud security today with Solargates, SolarWinds, UNC 2452, probably appropriate.

Rachael: Everything's about Cloud right now, too. This couldn't be more an apt or timely topic for us to be digging into. Chris, with your background, we're going to have a really fun discussion today.

Eric: You've got a ton of experience in the Cloud. I know more on the AWS side than the Microsoft side. To us, for the conversation, it's all the same. How do you secure the Cloud and let's just get to the point. Our Cloud service providers are really secure by default.

Chris: It's not necessarily a direct question. It depends on the services you're consuming. Some services are more mature than others, some are new. They've just been released by the Cloud service provider and get general availability for example. They haven't matured and they haven't had a lot of feedback from customers around configurations and default configurations.

Cloud Is Great With All the Technological Innovations Around

Chris: When you look at more of a mature service like S3, where we've seen a lot of public data exposure. For example, through public buckets, the Cloud service provider using AWS as an example, starts to implement the default secure configurations. It really just depends on the services that are being consumed.

Eric: What would you recommend? You have a new organization moving to the Cloud. COVID drove them that way, maybe their leadership is saying, "Hey, we need to continue with digital transformation or start it. How secure will we be?" What do you recommend to them? Where do they start?

Chris: It's definitely a key consideration. A lot of times I talk to folks who are moving to the Cloud. They've already moved or they're planning to move. They have a lot of plans around technological innovation, things of that nature. But security seems to be a missing piece of the puzzle often. At the same time, there’s another place I would recommend to start for sure. Right out the gate is going to be your workforce.

Chris: There's a lot of focus on, "What kind of technologies are we going to consume? How are we going to re-architect? But what about our workforce? What about the people that are going to actually be managing the workloads, managing the configurations. People that have the potential to leave insecure configurations in place that can make us vulnerable?"

Chris: The workforce I definitely would say is a major consideration right out the gate. As well as partnering of course with consultants, advisors, etc. who've actually done the work. They have the credentials that need to show that.

Starting With the Industry Benchmarks

Chris: I'd recommend starting with the industry benchmarks, but using CIS, Center for Internet Security, as an example. There's CIS benchmarks for both Azure and AWS and GCP. Start with those. You want to see, "What foundational security best practices we should have in place as we move into this new environment."

Eric: When you talk to customers and you say, "Hey, you need to really think about your workforce." Especially on the government side, where the workforce is a little more static. There's not as much transition necessarily.

Eric: How do you work with a workforce that has been doing things the way they've been doing so long? Now it's like, "Hey, Cloud time, let's go." What do you recommend there?

Chris: This is a problem I've seen at the Navy, when Cloud was first introduced to me. Then also at GSA when I spent some time at GSA. Just my time in the federal government in general at different agencies, in the DOD and in the civilian side. The government has a notorious history of workforce challenges around cyber and technology.

Chris: Whether it's an aging workforce, that's getting ready to retire, they're not up-to-date with modern technologies that are being consumed and utilized. You have struggles to match private sector, industry compensation and things like that.

Chris: All these issues pose challenges. The government has a lot of issues around hiring timelines, for example. That's a major issue in terms of attracting and retaining talent. In terms of the workforce, here’s what I definitely recommend that they need to take a look at. "What technologies or platforms are we going to be using? How can we upscale our workforce to prepare them accordingly?"

Exposure to the Cloud Is Great

Chris: The good thing is, a lot of this knowledge has been democratized via Udemy, A Cloud Guru, Linux Academy, Pluralsigh. There are still many training providers that you can just access, whether it's a subscription-based model or reimbursing your employees if they sign up for exams and courses, for example.

Chris: Another great organization is SANS. Many people are familiar with sans. I have taken several SANS certifications over the years. SANS has increasingly been putting out free events and free conferences around class security as well. Just looking for options and having a training plan. It needs to be a solidified training plan for your workforce.

Chris: They're familiar with the technologies you're going to be using. It's no surprise that the number one cause of data leak and exposure in the Cloud is mis-configuration by the customer. Who do you think is making those configurations? It's your workforce. Your workforce needs to be empowered and trained appropriately to handle the technologies you're going to be using.

Eric: We just saw a wall street journal report come out over the weekend, the end of January here. Brandon Wales, the acting director of CISA DHS said, "Approximately 30% of both private sector and government victims linked to the Sunburst campaign. They had no direct connection to SolarWinds."

Eric: I read that they didn't even own SolarWinds when they were breached. The article continues with, "A lot of the hackers took advantage of known Microsoft configuration issues." It's not saying it's bad.

Rachael: Just a lot of weigh-ins. There are just so many ways in. The favorite thing you like to hear is that attackers only have to get it right once.

Cloud Is Great When You Get It Right Every Single Time

Rachael: But we have to get it right every single time. That's really tough when the deck surface is pretty much as broad as your imagination.

Eric: Chris, what do you do? How do you guide somebody to ensure that configuration mistakes aren't made?

Chris: That goes back to leveraging those industry benchmarks. CIS benchmark for commercial space or in agencies for example, but also on the DOD side. Using things such as STIGs or if there's no STIG in existence, an SRG. It’s a security requirements guide for a suite of technology basically and trying to align with those best practices.

Chris: It's worth emphasizing, the attackers only need to get it right one time. Then when you look at the scope of what's occurring with the nation state attacks, for example, the resources. The manpower they have behind them, getting it right one time is almost a foregone conclusion. It's kind of a shift from trying to prevent every possible breach and scenario that can possibly happen. And shifting to a mindset of resiliency.

Chris: We know something's going to happen, we know something may have already happened, we just aren't aware of it yet. How do we recover and how do we build resilience systems that cannot put us in a situation. Where one breach is totally catastrophic through our entire organization, basically.

Eric: It's interesting in the article Dmitri Alperovitch, who was on the show back during the holidays actually in 2020. Talked about, "There lots of different ways into the Cloud. So many companies have moved to the office, Microsoft 365 Cloud in recent years. It is now one of the top targets."

Cloud Is Great Target for Ransomware

Eric: With the Cloud, we're centralizing what we do, which is great for our economies of scale and cost-effectiveness. But I almost feel like the adversaries now have one set of technologies to really learn and understand. A golden location, if you will, in some cases to go. We're not just picking on Microsoft, Amazon, or picking any of your Cloud vendors. They're just consolidation. Consolidation drives that standardization too.

Rachael: I don't know if you saw recently, the Cloud became a really ample target for ransomware. They're starting to shift more of the tax surface there. When you look at ransomware and how complicated it is, then all the other pieces that come to pay. Do you not pay? If I pay, I get fined. It's becoming very challenging how you navigate the path forward. There are landmines everywhere. Can we get past it?

Chris: It’s like a double-edged sword in the sense that, on one side, maybe we're consolidating things in terms of centralizing the technologies we're using. But it goes both ways. Say you're centralizing and you're consolidating. It allows your staff to focus on this group of technology that we're using. To really implement best practices and secure hardened configurations.

Chris: On the other side of the coin, say we have a multiple scenario where we're using multiple providers and technologies, which is very common. Have very complex systems and they fail in complex ways. It leaves a lot of a digital footprint for your staff to try to cover in terms of sharing.

Eric: They don't know it as well either. Because they have to know five different types of the same technology.

Covering Broad Scope of Technologies

Chris: Couple that with the workforce challenges that not only the federal government is having, but the private sector is having as well. Having the workforce to cover this broad scope of technologies is incredibly challenging. Then not only that, there's a whole other vector in terms of third party risk. You're leveraging all of these different SaaS offerings and partners and things of that nature. Then it just spirals out of control very quickly.

Rachael: Cloud's not easy. If you want to be, let's say a class career engineer or setting this up, you really have to have talent. It takes creativity and it's not a one size fits all. It's also compounding that challenge. I saw an article where you talked about what it takes to be a Cloud security engineer in 2020. It doesn't seem like it's a super easy answer. The technology is also changing and evolving, just as the attackers are.

Chris: I hold AWS certifications, I hold the Azure security certification. I feel like I know absolutely next to nothing about these services still because they're just changing so rapidly. AWS, for example, has I think over 200 services. It's almost next to impossible to keep up with sometimes. But that's part of the characteristics of individuals coming to this field.

Chris: You need to have that ongoing thirst for learning and knowledge. It's going to be a situation where you're always learning, you're always growing. You're always accumulating new knowledge around technologies that your customers and your organizations are using. Just being committed to that process.

Eric: When you say the education piece is important, as a professor here, what you need is that desire to learn. To continually improve.

Cloud Is Great but Technology Is Always Changing

Eric: You can't just go to a course and get the checkbox or get the certificate. Say, "I'm good." You've got to continually invest because the space is moving so quickly.

Chris: There was actually a post about that recently that generated a lot of discussion. It was like, "Six weeks to become a cybersecurity expert." These kinds of things just give false impressions of the career field. It's incredibly complex, it's always changing.

Chris: There are fundamental tenets and principles that stay the same for a long time, but the technology is always changing. You definitely need to have that mindset of always learning, always growing. Always being hungry to keep up with things.

Eric: When you're teaching cybersecurity programs to your students, what are you teaching them? Are you teaching them the latest and greatest concepts or are you teaching more on the general components? So that they can have a framework to work from as technology evolves underneath them.

Chris: It's a bit of both. In the foundational courses, we're taking on fundamental tenets and principles that tend to stay the same regardless of technology. Then in more advanced courses, part of the process is preparing them to go out in the career field.

Chris: Find desirable employment opportunities or advance their existing career, if they're already in the career field. They definitely want to work with emerging and current technologies that companies are using. It's a bit of both.

Eric: I feel so outdated, I have no time to continue my education ever. I don't know. Do you ever find yourself there?

It’s Tough in Cyber

Rachael: I just got a master's degree a couple of years ago. You have to find the time my friend and the only thing you can control is sleep.

Eric: My last Master's degree was before you were born in 2002. I'm about 20 years behind on the education side. It's tough in cyber. You can read as much as you want. There's just not enough time.

Chris: Despite being a professor at two different universities, we're seeing a democratization of education too. I have two master's degrees, but degrees are definitely not the end all be all. We have some people who are incredibly competent and capable with these technologies. Who have learned through alternative pathways such as online learning, training platforms.

Chris: Hands-on experience, based on the situations they find themselves in. When we look at the workforce, we need to look at that from the perspective of allowing non-traditional candidates into the career field as well.

Eric: I want to switch it up a little here. FedRAMP CMMC, we spent a little time before the show today talking about that. I know you're writing a white paper on it. You're very passionate about it. What are your thoughts? How do they interrelate?

Chris: They definitely interrelated. There are Cloud service providers like AWS and Azure, who are preparing CMMC specific service offerings for DIB vendors. They are Defense Industrial Base vendors who are supporting DOD. A lot of these organizations are SMBs Small Mid-sized Businesses that don't have extensive IT and cyber expertise in-house.

Chris: They’re leveraging these as a service offering from Cloud service providers and in support of their work with the DOD. As part of that, those services need to be authorized.

Where the Intersection Come Into Play

Chris: They need to be secured and they need to be compliant. That's where the intersection of FedRAMP, for example, and CMMC come into play.

Eric: I imagine there are a lot that don't even have IT personnel. Everything's outsourced.

Chris: There were some comments from Katie Arrington on the DOD side recently around reciprocity between fedRAMP and CMMC. I think it’s a great idea. A lot of the issue is getting this technological innovation into the hands of the folks doing the work.

Chris: Sometimes these compliance frameworks make that a challenge. In terms of timeline and cost and investment, things of that nature. But at the same time, there's not necessarily a parallel between fedRAMP and CMMC. CMMC doesn't allow, POAMs, which is, open findings that need to be addressed at a later date essentially where fedRAMP allows for that.

Chris: How do you have reciprocity when one allows for a POAM. Something to be addressed later on but lets you move forward. Where the other is you're either 100% compliant or you're not. That's going to be the real challenge in my opinion.

Eric: We need to get Katie back on the show. I call her a firebox, I love the energy and the passion for the mission. There are 300,000 DIB vendors out there that are going to be impacted by CMMC. Hopefully, in a good way for the country.

Chris: 100%. Her energy has been contagious since she's brought into that position. For better or worse, it's gotten her good attention and bad attention, of course. But it's definitely been a breath of fresh air for the overall perspective of things. It's a huge challenge around that 300,000 vendor organization that we need to work with.

Cloud Is Great but the Old Self Attestation Model Doesn’t Cut It

Chris: But at the same time, we've all realized that the old self-attestation model simply doesn't cut it when it comes to defense and national security. We need to have some kind of third-party evaluation and attestation to whether you're actually meeting these practices and policies.

Eric: It's like my kid, he's not going to do his homework unless they're inspecting or I inspect.

Chris: They're going to tell you, "Yes, we did it." But you need to go verify, as they say.

Eric: That's what we're living through in the Trexler household with COVID right now.

Rachael: When we look at the public sector, private sector, talent shortages and this whole new world that we find ourselves in. You started in government, basically with the Air Force and then working maybe civilian. It seems like there are so many great opportunities there for cybersecurity specialists to go. Now with this whole remote work thing happening and the government embracing it more.

Rachael: I know we talked to Chris Krebs and CISA, you're really doing more with remote work. Do you see that bringing more opportunities for folks to come and support the public sector and bring that talent there? From the talent you're seeing in these master's programs, how's it looking?

Chris: You're spot on. This stuff that I speak about, I talked about in the white paper, I'm going to be working with pretty soon here. Another issue of course, is the workforce. This remote work paradigm opens up a ton of opportunity for the public sector. In terms of kind of filling the gaps that they have around the workforce.

A Potential Cost Savings Aspect

Chris: One, you have expanded your talent pool. Just use, say DC, as an example, you've expanded from DC to nationwide. Now you have access to a nation for counted individuals who were passionate and interested in the career field. Also, there's a potential cost savings aspect to that if I'm paying an individual at a certain pay grade.

Chris: A locality that has a high cost of living, versus an individual, they want to live somewhere else. It's not quite as expensive, there's a cost-saving aspect to that as well. Of course there's the part of the conversation around, how do we secure that remote workforce. The connectivity to data they're going to be accessing, the work they're going to be performing.

Chris: How do we also ensure that it's secure as well? It's definitely an interesting dichotomy that we need to work with. But in my opinion, it's definitely going to open up the talent pool. Open up new opportunities for people to serve and it's going to be a great thing overall.

Eric: As we look at the diversified workforce out there, I'm assuming you got a great education from the military. Do you see the military as one of the large educators of the American population as it relates to cybersecurity these days?

Chris: I think so. Of course, the military makes up a subset of the people in the nation. Only a small set of people actually serve. If you look at the cybersecurity community, it's actually surprising the number of veterans that are in this community. I don't have a number off hand, but someone recently shared the fortune 500. X number are veterans, for example, CSOs within fortune 500.

Cloud Is Great Where There’s Very Strong Focus on Security Compliance

Chris: A natural large representation of veterans. It's because you're coming out of this industry where there's a very strong focus on security compliance. Security rigor that, it's just not always necessarily there in the private sector. Versus a regulated industry like DOD that takes it very seriously. You have a lot of talented, exceptionally disciplined and passionate individuals coming out of the veteran community.

Eric: A lot of times they don't stay there for their entire 20 or 30-year career. Because of the lucrative opportunities, the flexibility and many other things, they can get into the commercial workforce.

Chris: You're almost certainly going to make more money in the private sector than the public sector. Also, some of them have been doing this for a long time. They've been around the military defense, civilian agencies for a long time. They want to venture out and see what the private sector has to offer. Then there's also kind of that synergistic relationship.

Chris: Where governments are looking to learn from commercial best practices. If you have an individual that goes out and does great work in the private sector. Learn some great things, they can also come back down the road. Maybe, bring those things back to the government as well.

Eric: If you could fix one thing in commercial Cloud security, what would it be?

Chris: It's honestly not even a technical issue. It'd be helping customers understand the shared responsibility model. Based on the services they're consuming, what are their responsibilities? How is their workforce prepared to meet those responsibilities?

Both Sides Have a Responsibility in This Relationship

Eric: Amazon has a technical white paper guidance doc. Page 42 was their shared responsibility model explaining it. I know the page number because I can't tell you how many customers we've talked to about it. Both sides have a responsibility in this relationship. I love that answer, Chris. Not right or wrong, but I think it's a very good one.

Chris: Definitely there are a million answers you could have got. With that said, I understand where we are in this model. The overarching majority of breaches in the Cloud are occurring in the customer side of that shared responsibility model. How can we as an organization lean into that model? Maximize what the cost service providers are offering, while still making sure our workforce is prepared to meet that gap.

Eric: Meaning their configuration items or the customer hasn't protected data or personnel or something, passwords, whatever it may be. They haven't done their side of that responsibility model.

Chris: That's where the majority of data breaches are occurring. If we have a workforce challenge, we need to lean into that model. Let those who are best at it, do it while we can do our core competencies.

Eric: I see the CSPs as being very competent at what they do. It's their business. As we said when I was at salesforce.com, if the customer doesn't trust us, if we don't protect them, they won't work with us. We'll lose that customer. That's our business. I see the same thing with all the CSPs.

Smash the Subscribe Button

Eric: Chris Hughes, thank you so much for your time. Listeners out there, please subscribe, smash that subscribe button, give us feedback and comments.

Rachael: Thanks and great talking to you, Chris. This is just a fascinating conversation and topic. There's no bottom to what we can cover here.

Chris: It's a very interesting space. It's moving very quickly, but it warrants a lot of attention and discussion. I'm happy to be here and I really appreciate the opportunity.

Eric: Thank you very much. To our listeners, thank you. We will see you next week on To The Point Cybersecurity.

About Our Guest

As a managing cybersecurity consultant at Oteemo, Chris Hughes brings nearly 15 years of IT/Cybersecurity experience. This ranges from active duty time with the U.S. Air Force. A Civil Servant with the U.S. Navy and General Services Administration (GSA) as well as time as a consultant in the private sector. In addition, he’s also an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University. Also in University of Maryland Global Campus.

Chris participates in industry Working Groups such as the Cloud Security Alliances Incident Response Working Group. He holds various industry certifications such as the CISSP/CCSP from ISC2. With over 8 certifications from leading Cloud Service Providers such as AWS. He regularly consults with IT and Cybersecurity leaders from various industries. To assist their organizations with their Cloud migration journeys while keeping Security a core component of that transformation.