One step ahead — Cloudsec is leading security innovation, but companies need more innovators

Just Eat’s cloudsec chief Stu Hirst says we need to acknowledge the innovators at the frontline of cyber security

If the past decade in enterprise IT was owned by cloud, then the next ten years will arguably be defined by our attempt to secure it.

The degree to which cloud has absorbed applications and data is well-documented. While companies are consolidating with hybrid deployments, according to some estimates, 91 percent of organisations have moved some portion of their workloads to the cloud.

As this new territory grows, so too does its attack surface. Organisations need to be armed and ready, yet many are getting into sloppy habits, particularly when it comes to basic data storage practices. Between June 2018 and May 2019 over 2.3 billion files were found on misconfigured or non-secured cloud storage technologies. As cyber security company Forcepoint has framed it, as more companies become “cloud smart,” a large number appear to remain “cloud dumb,” at least when it comes to security.

The oversight is partly because we naturally focus on the ways a new tool can make our lives easier without first considering its side-effects. True, it’s not only a matter of failing to get the basics right. Like with any new technology, it has taken time for us to grasp the multitude of ways that the cloud can leave companies exposed. Compounding this problem is the pace at which cyber hackers conjure up new means of attack.

How can cloud security professionals stay ahead of the game? For Stu Hirst, principal cloud security engineer at Just Eat, it’s about admitting that it’s fine to not immediately know all of the dangers and the ways they can be curbed. One of the main lessons he has learned in his nine years as a cyber security professional is that it’s “perfectly OK to not know the answer at a point in time.” To stay ahead, Hirst says he is constantly researching the latest cloud security developments and workshopping solutions to problems.

Playing catchup

It’s not surprising that cloud security pros are playing catchup. IT security has always been a cat and mouse process. But it nevertheless took a while for some companies to appreciate how traditional security responsibilities would be shaken up when cloud arrived on the scene.

As spelt out in the oft-recited “shared security model”, cloud providers are responsible for protecting infrastructure, while the end-user is responsible for securing data, monitoring access and vulnerabilities, managing configurations, and observing anomalous user, host and network behaviours. Stu notes some organisations can’t quite seem to shake off the misnomers that cloud “either is by default insecure or is by default secure”. The truth is that the cloud is as secure as companies make it.

Then there’s the exceptional pace at which the cloud moves. At the start of the decade, the cloud was viewed as a cheaper data centre. Now with AI, containers and microservices, it’s regarded as business’s principal engine of innovation. For the cloud security professional it is therefore “difficult to feel adequately up to speed,” says Stu. Life as a cloudsec pro “is a continual learning curve and exploration of new tech.”

There’s also a people problem. Even though it’s now 14 years since AWS launched its all-conquering cloud, cloud security is still a rather niche industry skill and finding the right expertise is far from straightforward. Broadly speaking, cloud environments have different processes around monitoring, identity, configuration and encryption. “This continues to present recruitment challenges,” says Stu.

Finding the solution

Before joining the cloud security team at one of the world’s largest online food order and delivery services, Stu had stints at The Trainline, Capital One UK and Photobox. At this year’s Cloud & Cyber Security Expo Stu will draw on his expertise and past experiences to discuss 2019’s biggest data breaches and the lessons companies can learn from them.

Automation is one weapon his team are deploying more frequently. Thanks to the speed and power of today’s cloud, security automation is a far simpler proposition than it was five years ago. With automation, Stu’s team can auto-remediate processes and receive alerts in real-time in the event of system changes. While automation “is paramount to maturing your security posture,” Stu says “it’s not a silver bullet for absolutely every aspect of cloud security.” Knowing the difference is key.

Diving into automation has forced Stu’s security team to brush up on engineering and collaborate with the company’s devs. Together, they think of creative ways to use automation to bolster their cyber defences. “We are almost wholly techies and engineers at heart,” he says. “We work very closely with our colleagues in development teams to assist them and really understand their world. We are not siloed teams who rarely engage!”

In an age where employees can start connecting their browsers to any number of apps, it’s increasingly challenging for security teams to possess a panoptic view of their organisation’s cloud activity. It’s nevertheless vital they understand the cloud environment as best they can: the accounts owned, where data is located, applications running in the environment and the range of stakeholders accountable. “Without this, it’s difficult to know who to work with to make change,” says Stu, adding that his team have built a number of tools which provide real-time views into Just Eat’s cloud environments.

Another big change Stu effected when he joined Just Eat was establishing a company-aligned “solid risk framework” based on existing industry principles. While Stu has talked publicly about how he benefited from the Centre for Internet Security (CIS) benchmarking, he notes that there are several standards that can be leveraged from the likes of NIST and the Cloud Security Alliance. Rely on tried and tested principles he advises, as “fundamentally you don’t need to build [a framework] from scratch.”

Cloud-first, security first-rate

The cloud may be an uncertain frontier for many organisations but it is also home to the most innovative security professionals in the game, pros who simply have no choice but to defend creatively in the face of mounting and evolving cyber threats. For Stu, it’s time to acknowledge that “cloud-first organisations, with their pace and agility, are at the forefront of the security industry” — it is these innovators that will determine security success in the decade ahead.