Anton
18.07.2023
Deciphering the Complexities of Cloud Cybersecurity: An Exclusive Interview with Oleg Fainitskii from MUK Group

Image: Oleg Fainitskii

In this insightful interview, INFOSECHUB’s editorial team spoke with Oleg Fainitskii, CCSP, CISSP, Ph.D., OCI Architect, and Oracle Partner Center of Excellence trainer & speaker from MUK Group. We delved into the intricacies of cloud cybersecurity, exploring the unique challenges, evolving threat landscapes, and the importance of adopting a Zero Trust mindset. Oleg shed light on a variety of topics, from the impact of regulatory compliance on cloud migration to the significance of the human factor in cloud security. He provided practical advice on adapting to serverless architectures and offered an expert’s perspective on the future of cloud-native security technologies. Additionally, he discussed the latest trends in Identity and Access Management (IAM) and shared insights into the role of AI and ML in enhancing cloud security. With his depth of knowledge and expertise, Oleg provided valuable recommendations for cybersecurity professionals operating in the cloud environment, focusing on the necessary skills and strategies to navigate this ever-evolving landscape.

1. What unique cybersecurity challenges arise during the migration of critical systems to the cloud?

Often, customers express concerns about migrating to the cloud due to potential issues with regulatory compliance and a perceived loss of control over the infrastructure. The extent of these concerns varies significantly from one country to another, but in recent years there has been an increase in regulations pertaining to data center location within a given country, known as “data sovereignty.” Cloud providers are striving to keep up. We see this reflected in the proliferation of data centers worldwide from leading providers, as well as offers for the physical placement of equipment in a customer’s data center or the creation of specialized clouds for specific customer types. A recent example of this is Oracle’s EU Sovereign Cloud, a part of Oracle Cloud Infrastructure (OCI), which is designed to meet EU regulatory requirements and is isolated from public commercial regions. However, despite these efforts, it appears that regulators are still leading the race.

2. How do compliance requirements change when transitioning from on-premise security to cloud-based security, particularly for critical sectors?

This largely depends on the specific country. Ultimately, the responsibility for data safety falls on the data owner, that is, the customer. Cloud providers secure data at their level according to the shared responsibility model, referred to as “Security of The Cloud,” and provide customers with the necessary security controls to ensure compliance, known as “Security In The Cloud.” However, it is often the case that having the cloud provider’s data center itself certified for compliance with certain regulatory requirements (such as PCI DSS) can greatly simplify things for the customer, and this is an important factor to keep in mind.

3. How should encryption strategies evolve to deal with cloud-based and multi-cloud systems?

Traditionally, data has been encrypted both at rest and in transit. With the advent and adoption of cloud technologies, there has been an emerging need to encrypt data in use. This has become possible with the development of confidential computing technologies, which provide encryption and isolation of data at the processor level. A good example is the AMD EPYC processors, equipped with AMD Secure Encrypted Virtualization (SEV) technologies for the protection of virtual machines, and AMD Transparent Secure Memory Encryption (TSME) for the safeguarding of Bare Metal instances.

4. How is the dynamic nature of cloud services affecting the stability and effectiveness of cybersecurity measures?

The rapid evolution of cloud services presents a challenge to any information security professional. Fortunately, cloud providers often anticipate the needs of the customer, supplying ready-to-use security solutions (such as OCI Maximum Security Zones) and implementing recommended best security practices. However, I must reiterate, the ultimate responsibility for data safety rests with the customer themselves, and security professionals must keep pace with technological advancements.

5. What are the unique challenges of securing hybrid and multi-cloud environments, and how are cybersecurity strategies evolving to handle these?

Hybrid and multi-cloud environments entail a more complex model of shared responsibility between the provider or providers, and the on-premise systems managed by the customer. Different cloud providers offer similar, but not identical, security features, and this must be taken into account when designing the architecture of such systems.

Fortunately, cloud providers have started to recognize the reality of multi-cloud environments and offer solutions that integrate the best of what different providers have to offer. For instance, there are OCI Database Services for MS Azure and OCI Azure Interconnect. The latter service facilitates low network latency between Oracle and Microsoft data centers, an achievement made possible through a partnership between the two corporations.

6. Could you discuss the current state of zero trust architectures in the cloud security landscape?

Zero Trust is traditionally understood as a security model where there is no inherent trust in the network perimeter. Instead, each system element, whether in the cloud or on-premise, is individually secured. For instance, database management systems (DBMS) offer their own security controls, while application servers have distinct protections. For multi-cloud environments, the concept of Zero Trust is not only applicable but often easier to implement. This is because cloud providers offer ready-to-use security tools, like OCI Data Safe, that don’t require separate deployment and can simply be enabled.

7. How can organizations effectively identify and manage the risks associated with third-party cloud services?

Cloud providers typically provide necessary documents (such as SOC 1/2/3) by default or upon special request. Reviewing these documents can help an organization assess the risks. Another crucial factor is the reputation of the cloud provider. A multi-cloud strategy, aimed at avoiding vendor lock-in and mitigating associated risks, is also gaining popularity.

8. Can you discuss the role of artificial intelligence and machine learning in enhancing cloud cybersecurity, particularly in threat detection and response?

This is a promising area, and I believe we will see many new technologies in this field in the near future, especially given the increasing volumes of data in the cloud globally.

9. Could you elaborate on the importance of incident response strategies in a cloud environment?

Once again, we need to refer to the shared responsibility model in the cloud. Incident Response in the cloud is a joint task and shared responsibility of both the cloud provider and the customer. This marks a key distinction from on-premise setups. A good example of this collaboration is the protection against DDoS attacks, wherein the customer works alongside a specialized cloud provider team.

10. How are traditional cybersecurity strategies adapting to the rise of serverless architectures and Function as a Service (FaaS)?

The advent of FaaS is reshaping the cloud computing model and consequently, the security controls that need to be adapted to this model. Fortunately, cloud providers offer security controls that considerably expedite the development process. Developers can focus more on business-related tasks and less on securing the data.

11. How can we balance the need for speed and flexibility in DevOps with the need for security in the cloud?

DevOps technologies encompass hundreds of different yet interconnected tools (think of the “Kubernetes periodic table” with 120 components), and each of these technologies has its own security toolkit. Deploying all of these effectively can be a significant challenge. Thankfully, managed DevOps technologies (like managed Kubernetes Clusters) in the cloud allow for work in a secure environment with a minimal need for additional settings. The cloud provider has already taken care of most aspects (or so we hope). This is one of the major advantages of the cloud.

12. What are your thoughts on the future of cloud-native security technologies?

Cloud-native security is the protection of cloud-native applications, which often employ containerization and similar technologies. As previously mentioned, hundreds of different technologies are involved here, each with its own security elements. Unless the primary business of the customer is information security, it’s generally safer to use services managed by a cloud provider. Deploy a multi-node Kubernetes Cluster in a maximum-security zone within minutes? This is only feasible in the cloud.

13. How does the shared responsibility model in cloud computing affect an organization’s cybersecurity strategy?

The shared responsibility model is at the core of all cloud security. It’s crucial to understand this, and most importantly, that the customer ultimately carries the responsibility for the safety of their own data. They are accountable to their employees, shareholders, customers, and regulators. Nonetheless, the cloud provider fulfills their part and offers services and recommendations that the customer can use. Unless the customer’s main business is information security, the cloud provider can typically ensure greater data safety than what’s achievable on-premise. Or at the very least, achieving the same level of data security will be much more cost-effective with a cloud provider.

14. In what ways can cloud security posture management (CSPM) tools help businesses protect themselves from threats?

Cloud Security Posture Management (CSPM) technologies allow the application of ready-to-use security templates such as secure configurations, suspicious user activity detection, threat intelligence, and others. Moreover, they enable the automation of responses to identified incidents. This allows businesses to implement the best security practices from their cloud provider with minimal effort. Automating incident response, such as changing an Object Storage Bucket’s visibility from public to private once detected, significantly reduces the cost of managing security in cloud environments.
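The automated remediation described in this answer, a public Object Storage bucket being detected and switched back to private, is small enough to show end to end. The following is an added example written for this page; it is not code from the interview, from MUK Group or from Oracle. It assumes bucket records shaped like the `name`, `namespace` and `publicAccessType` fields of an OCI bucket summary (the inventory below is constructed, not real tenancy data) and uses a hypothetical `apply_update` callback in place of the real SDK or CLI call that would change the bucket, so it runs offline.

```python
# Added example, not code from the interview or from Oracle: a minimal
# CSPM-style detect-and-remediate loop for a bucket that has been made public.
#
# Assumptions (labelled): bucket dicts mirror the "name", "namespace" and
# "publicAccessType" fields of an OCI bucket summary; `apply_update` is a
# hypothetical callback standing in for the real update call, never made here.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

PRIVATE = "NoPublicAccess"                      # the only mode treated as compliant
KNOWN_PUBLIC = {"ObjectRead", "ObjectReadWithoutList"}


@dataclass(frozen=True)
class Finding:
    namespace: str
    bucket: str
    current_mode: str
    known_mode: bool   # False when the value is one the rule has never seen
    action: str        # "remediate" or "exempt"


def scan_buckets(buckets: Iterable[dict], exemptions: frozenset = frozenset()) -> List[Finding]:
    """Flag every bucket that is not explicitly private.

    The rule fails closed: an unexpected publicAccessType value is still a
    finding (known_mode=False) instead of being silently accepted.
    """
    findings = []
    for b in buckets:
        mode = b.get("publicAccessType", "")
        if mode == PRIVATE:
            continue
        action = "exempt" if b["name"] in exemptions else "remediate"
        findings.append(Finding(b["namespace"], b["name"], mode, mode in KNOWN_PUBLIC, action))
    return findings


def remediate(findings: List[Finding], apply_update: Callable[[str, str, str], None],
              dry_run: bool = True) -> List[str]:
    """Set each non-exempt finding's bucket back to private.

    With dry_run=True only the planned changes are returned; dry_run=False
    also invokes apply_update(namespace, bucket, new_mode) for each of them.
    """
    changed = []
    for f in findings:
        if f.action != "remediate":
            continue
        if not dry_run:
            apply_update(f.namespace, f.bucket, PRIVATE)
        changed.append(f.bucket)
    return changed


# Constructed inventory (not real tenancy data): one private bucket, one that
# was flipped to public by mistake, one intentionally public and exempted.
SAMPLE_BUCKETS = [
    {"namespace": "example-ns", "name": "backups", "publicAccessType": "NoPublicAccess"},
    {"namespace": "example-ns", "name": "exports", "publicAccessType": "ObjectRead"},
    {"namespace": "example-ns", "name": "www-static", "publicAccessType": "ObjectReadWithoutList"},
]
EXEMPT = frozenset({"www-static"})


def run_example(dry_run: bool = True) -> Tuple[List[Finding], List[str], List[Tuple[str, str, str]]]:
    """Scan the sample inventory; return (findings, buckets changed, recorded update calls)."""
    calls: List[Tuple[str, str, str]] = []
    findings = scan_buckets(SAMPLE_BUCKETS, EXEMPT)
    changed = remediate(findings, lambda ns, name, mode: calls.append((ns, name, mode)), dry_run)
    return findings, changed, calls


if __name__ == "__main__":
    findings, changed, calls = run_example(dry_run=False)
    for f in findings:
        print(f"{f.namespace}/{f.bucket}: {f.current_mode} -> {f.action}")
    print("updated:", changed, "calls made:", calls)
```

Two design points matter in practice: the check fails closed, so a bucket whose access mode is anything other than the explicit private value is reported rather than assumed safe, and remediation defaults to a dry run with an explicit exemption list, so a bucket that is meant to be public (a static website, for instance) is surfaced as a finding but not flipped.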

15. How effective are traditional network security tools and practices in protecting cloud-based resources?

Network security in the cloud is an essential building block of any cloud infrastructure and is supported by any cloud provider. This includes security lists, network security groups, network firewalls (e.g., OCI Network Firewall based on Palo Alto Networks products), and Web Application Firewalls (WAF), all deployed in cloud environments. However, in line with the Zero Trust principle, reliance should not be placed solely on these. Protection should be provided at all levels, starting from the DBMS where data, the most important asset of a modern enterprise, is stored.

16. Can you shed light on the evolving threat landscape for cloud environments, especially in the context of Zero Trust?

The concept of Zero Trust is unique in that it assumes securing each element individually, regardless of the overall security measures. It operates under the assumption that a breach has already occurred and focuses on ensuring data safety. Encryption at the DBMS tablespace or table level, separation of duties for DBA and end users in the DBMS, Database Activity Monitoring, Database Firewalls, application server security controls, and encryption using customer-managed keys from HSM vaults, all contribute to addressing the evolving threat landscape in cloud environments.

17. How significant is the human factor in cloud security, and what can be done to mitigate the associated risks?

The human factor has always been a crucial and often the weakest link in security. The most common approach to reducing human error is through automation and the establishment of relevant business processes. Concepts like the Principle of Least Privilege and Segregation of Duties should be applied in cloud environments as well. Most cloud providers offer services for building these business processes, or it’s possible to implement an on-premise Identity Management solution (like Oracle Identity Governance) to integrate cloud systems into a common IDM repository.

18. What specific cybersecurity skills do you believe are essential for cybersecurity professionals working in the cloud space?

Understanding the general principles of security, such as confidentiality, integrity, and availability, is essential. Preparing for popular exams like the Certified Information Systems Security Professional (CISSP) or Cloud Systems Security Professional (CCSP) can effectively help with this. Additionally, it’s vital to comprehend the architecture and services provided by different cloud providers, for which the respective cloud provider’s training programs can be beneficial.

19. What are the latest trends in the field of identity and access management (IAM) as they relate to cloud security?

IAM is a broad topic that warrants its own detailed discussion. I have been involved in IAM discussions and implementations for over 17 years. To be concise, I observe significant development in AI/ML technologies in terms of access certification, which checks the redundancy of access rights either periodically or based on events. In such cases, the system doesn’t merely rely on the opinion of the IT, IT Security, or corresponding Line of Business reviewer but suggests the access users should have. This approach is particularly important in large organizations and marks a significant step forward.

20. Could you discuss some of the latest developments in security orchestration, automation, and response (SOAR) for cloud systems?

Again, SOAR for the cloud represents a shared responsibility between the cloud provider and the customer. Threat Intelligence, CSPM systems, and DBMS user activity monitoring are all components of SOAR. While cloud providers offer customers the security controls to address specific security functionalities, the task of using these tools falls to the customer. As for recent trends, aside from the previously discussed developments in AI/ML, I would highlight simplification. This is achieved through standardization (like CIS Security Landing Zones, which major cloud providers have recently implemented), and the cloud providers’ attempts to simplify security by providing ready-to-use guidelines. This reduces the customer’s area of responsibility for security in the cloud, thereby making complex issues simpler.