SANS ISC: Cloud Security Features Don't Replace the Need for Personnel Security Capabilities

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to share broadly. We'd certainly like to open this up to reader comments, insights, and feedback. 

"With Azure adding to their security offerings, is the trend for more companies to start offloading their security needs to Microsoft?  With Microsoft security & compliance, companies would rely more on Microsoft recommendations and alerting. Why even go through security learning when Microsoft would be handling the entire stack?"

My response to this follows, please note that I work at Microsoft, and that our replies are not exclusive to the Azure cloud:

"The continued growth of security features in Azure are intended to be of increased benefit to customers and their protection, but not supplant or replace their ongoing need to understand and apply security practices and learning. Organizations utilizing Azure are able to leverage these tools to greater affect but can't do so in the absence of understanding the same security principles that apply to on-premises computing. Yes, the technology and landscape are evolving but the core tenets of asset management, vulnerability management, secure configuration, security assessment, monitoring, analysis, and incident response all remain valid and true. Just because the likes of Microsoft Defender Advanced Threat Protection or Azure Sentinel exist for Azure resources and Microsoft customers doesn't mean you don't have to know how to utilize them effectively. Different tech, different landscape, same principles."

Another handler replied as well:

"My organisation does a lot of work within the various Microsoft stacks and unfortunately the assumption is often that Microsoft is taking care of it all, which unfortunately is not the case.  The tools that people are being provided with are improving. What is available at your particular license level is different to what it was a few years ago, even a few months ago. However the same security principles people were applying previously still apply. If you had an on-prem SIEM that nobody looked at, having Sentinel and nobody looking at it will have the same end result. The tools are available, but they can still be implemented insecurely."

Key Takeaways

1. Yes, cloud security features are constantly being added and improved.
2. No, they do not replace your need for understanding and continued learning of security best practices, configuration, implementation, and analysis.
3. Yes, these insights apply to all cloud providers with security features offered as part of their platforms.
4. No, you should not assume that your cloud provider is "taking care of it for you."

Again, cloud security features <>!=≠ personnel security capabilities, those are still up to you and your teams.

Cheers…until next time.

Russ McRee | @holisticinfosec