The trend of migrating applications to the cloud has been rapidly increasing over the past 10 years, and maintaining security throughout that transformation journey is key to enabling those efforts safely.
By empowering security and DevOps teams to effectively collaborate, Palo Alto Networks Prisma Cloud accelerates secure cloud-native application development and deployment. The company’s industry-leading cloud-native application protection platform (CNAPP) is helping organizations meet their cloud journey goals with seven billion cloud resources secured, so far.
An effective protection platform that addresses security needs at each stage of application development and deployment ensures better visibility and risk control to help businesses on their cloud journeys.
To take a closer look at how to maintain a secure cloud environment, Ankur Shah, Senior VP & GM for Prisma Cloud at Palo Alto Networks, discussed the challenges, environmental security threats and best practices for a secure cloud transformation.
Please introduce yourself and Palo Alto Networks to our audience. In your role, what are your key success metrics?
My name is Ankur Shah, Senior Vice President for Prisma Cloud. As the audience may know, over the last four years, we have transformed Palo Alto Networks from a firewall company to an organization with a comprehensive security platform. Our flagship product continues to be the next-gen firewall that we're known for.
We’ve introduced SaaS for zero trust network access (ZTNA). For endpoint security and security operations center (SOC) transformation, we have XDR, and the third leg of the stool is Prisma Cloud, which secures applications from code to cloud. That's the part of the business I run.
My success metrics are based on helping customers through their code-to-cloud journey, making sure that they’re moving fast, going digital and that we're helping them do so in a safe and secure manner. Our core mission is to help our customers in their journey to the cloud.
As the cloud becomes increasingly ubiquitous and distributed, how can organizations effectively protect this environment?
The shift to cloud has been growing at a rapid pace. By the end of 2023, Gartner predicts public cloud end-user spending will reach nearly $600 billion and, even at that size and scale, cloud providers continue to grow at a significant rate. That's because customers are rewriting their applications to leverage cloud technology and increase development speed.
It’s like I say: every company is going to become a technology company thanks to the cloud, containers and the evolution of the entire supply chain. If you look at the last year, the majority of organizations have moved over 30% of workloads to the cloud. And you're going to see that trend continue.
Organizations will either do a lift-and-shift, which is the idea that ‘I've already got an application, I'm just going to leverage public clouds’, or they’ll build cloud-native applications, which is when applications are built directly within a cloud environment. The cloud-native application approach is trending now; customers are rewriting the apps.
As organizations take the journey to the cloud, I'd like them to start thinking about securing what we call the entire ‘application lifecycle’. The traditional approach to security is to say, ‘I've got stuff going on in the public cloud, is it secure?’ after it’s already shipped to the public. And, as it turns out, in the public cloud, developers leave a whole bunch of openings for vulnerabilities. They ask, ‘is it secure?’ too late.
With the speed that developers are moving and the new services they’re leveraging, it's just not possible for smaller security teams to cover the developers’ tracks after applications are created and shipped. The right way to secure applications, data and critical infrastructure is for security to move along the tracks with developers—start the security journey at the onset of the development lifecycle itself. Think about this holistically as one big continuum versus a whole bunch of silos, because those silos are time-consuming and ineffective. Silos mean that security teams must piece together all the signals they're getting across the entirety of the application lifecycle to try to figure out which to prioritize.
For example, I've got a Ring Doorbell and if it pings me every 15 minutes when somebody has walked outside my house or a car drove by, I become numb to notifications. It's too much noise, so when an intruder really gets in, I'm likely to miss it. The need is not a whole bunch of small signals, but rather ingrained security at each phase to allow for the combination of the entirety of signals, from code to cloud. This leaves threat prioritization to the protective platform and enables users to focus on response.
What are the main threats to this cloud environment?
There's the traditional stuff that you worry about like data exfiltration in the cloud and a whole bunch of application security risks because of a very common mistake—deploying an application that has a known vulnerability in the public cloud, which is then left open to the public internet that somebody can exploit.
Vulnerability exposure to public internet, overly permissive identity management and secrets in the cloud, when you combine all this, it’s what the industry calls the supply chain. Software supply chain security risk is when bad actors get hold of your code through methods like social engineering. From there, they steal the secret or API access keys, go into cloud environments, siphon off data and do all kinds of crypto mining.
Application security risks and vulnerability exposure to the public internet, those are the classic risks you have to worry about. What leads to those problems and how are they resolved? That's what customers want to focus on.
What are some challenges as it relates to the skills gap and the human component of the transformation journey?
This is something we at Prisma Cloud live through on an everyday basis. The human component of the challenge is that there is a huge disparity between the number of developers and cyber security experts. When you really count the number of people who understand public cloud and security, there are just not enough. They have no chance against developers in terms of keeping up the pace at which they're developing applications.
So, that represents a problem. One of our goals for Prisma Cloud is to bridge the divide between security and DevOps teams. We’ve seen great improvements to security from customers who have successfully aligned security and DevOps teams over three steps, the first being the bridge gap closure.
The second step is what we call risk prevention. So, first is just visibility and control and making sure the security practitioner gets that visibility. We then give them perspective on the top risks to report back to the development team.
Developers like to embed secrets in their CI/CD pipeline to allow them to work quickly, avoiding the need to log into another console. By bringing security teams where developers are, security knows exactly the problems that developers could be creating. Preventive security measures can then be added along the way without slowing down development speed.
And step number three is security defense in depth, which is the recognition that what could go wrong often does go wrong. You need active protection when the bad actors are trying to get into your environment.
We think we, at Prisma Cloud, are the bridge builders in the cloud security divide. That's how we're going to be able to solve this lopsided equation, by bringing security to the developers to make sure security can keep up with development pace, all while acting responsibly.
Can you provide any insight into the latest technologies and strategies that can be deployed to create a holistic cybersecurity strategy?
The way to do this holistically is to not do what has always been done in the industry. I regularly talk to large customers who are using over 100 security tools in total, just in cloud security. A lot of times I find customers with over a dozen tools. Having more tools does not make you more secure, it makes you less secure. You have to look at security holistically from code to cloud.
My advice to security teams is to embrace the new world order. You're not going to be able to block developers from building new stuff. There's a business demand. Customers want to move fast. And you want to become the great enablers for a DevOps team by learning the cloud, by bringing in the right tool set, by earning trust and credibility and by helping businesses prioritize.
From a business and boardroom priority perspective, where does cloud security rank? How will security be approached moving forward?
We recently released our What’s Next in Cyber Global Survey, which found that cloud security was ranked second in priority to network security by the respondents, who were mainly made up of CIOs, CISOs and other senior executives. So, there's a lot of awareness in the boardroom from CEOs, CISOs and CIOs about investing in cyber. About 50% of the respondents in our survey plan to increase investments in software firewalls on both public and private clouds.
My recommendation to CIOs and CISOs is to continue to double down. You have to understand where the puck is going, and the puck is clearly going in the public clouds’ direction. And it's hard work. I've got customers who have a completely locked down environment, but they have very mature practices, and some who have completely wild west type environments. We want to get to a place where everything is secure from code to cloud, and customers have a single pane of glass where they can consistently see that security incidents and risk are going down as the cloud footprint is growing.