Avoiding vendor lock-in when using managed cloud security services
In this Help Net Security interview, Marina Segal, CEO at Tamnoon, discusses the most significant obstacles when implementing managed cloud security in hybrid and multi-cloud environments. She shares insights on long onboarding times, legacy security gaps, vendor lock-in, and overlooked threats that can put organizations at risk.
What major obstacles do CISOs encounter when deploying managed cloud security solutions, particularly in hybrid and multi-cloud environments?
CISOs are no strangers to navigating obstacles—it’s practically part of the job. The challenge is managing these obstacles in complex hybrid and multi-cloud environments where even the smallest decisions can have unpredictable consequences.
The long onboarding process remains a big pain point for most MDRs and MSSPs. Every organization has unique policies, workflows, system architectures, and integrations to learn. And that’s before you start talking about the knowledge gaps on the proactive and preventative side of cloud security, which further complicate the onboarding process.
Many teams hyper-focus on incident response rather than trying to take a proactive or preventative approach. And when it comes to managed solutions, legacy managed solutions are often comfortable in one area but try, unsuccessfully, to extend to all. For example, a legacy MDR may be great on-prem, but their technology and teams aren’t equipped when moving to the cloud. We saw the same issue with tooling, and that’s why the categories CSPM and now CNAPP were created to fill a void in existing tools.
Each of these problems can be challenging to overcome, but when combined with a lack of regulatory and compliance knowledge, they are a recipe for disaster.
How can organizations ensure they have visibility across their cloud environments when using a managed cloud security provider?
The long onboarding process is the logical starting point for organizations seeking full visibility across their cloud environments. The faster you can get your teams and vendors working together collaboratively, the better. After all, collaboration is where the real magic happens, as it aligns your team with shared goals.
Early on, have your managed cloud security provider ensure your CNAPP is fully deployed across the cloud and is consistently monitoring and scanning. This will show you where your CNAPP isn’t optimizing and serves as a sensible starting point. If no budget is available to expand, some advanced managed cloud security providers may suggest an open-source tool or a cloud-native solution until you can secure an additional budget to expand with a paid solution.
Don’t forget to account for your developer accounts, too. Ideally, all cloud accounts are under a central organization and all monitored. Often, that’s not the case. These accounts can be just as risky. If permissions are set up improperly, they can introduce unnecessary risk to your production environment.
It’s also key to surface the most critical alerts to avoid overwhelming your teams. A reputable managed cloud security provider can help you fine-tune your CNAPP/CSPM to show the most critical alerts. Visibility is good, but too much visibility drowns out the crucial alerts you need to focus on.
Finally, don’t lose focus on the compliance frameworks you’re using. Take the time to work with your managed cloud security provider to map them properly. Your cloud security program needs this structure in place, especially as your organization scales.
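One way to make "surface the most critical alerts" concrete is to rank scanner findings by the context an attacker actually cares about (reachability, data sensitivity, attached identity) rather than by the scanner's own severity label alone. The block below is an added example written for this page; it is not Tamnoon code or any CNAPP product's logic. The weights, the SLA tiers and the sample findings are all constructed for illustration and would need tuning to a real environment.

```python
"""Context-aware ranking of CNAPP/CSPM findings.

Added example, not from the interview or any vendor's product: the findings,
the weights and the SLA tiers below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    resource: str
    title: str
    severity: str                   # scanner's own rating: critical/high/medium/low
    internet_exposed: bool = False  # reachable from 0.0.0.0/0 or a public endpoint
    sensitive_data: bool = False    # resource stores regulated or secret data
    admin_identity: bool = False    # attached role/profile can reach admin-level IAM


# Assumed weights; tune them to your environment rather than treating them as fixed.
SEVERITY_BASE = {"critical": 40, "high": 30, "medium": 20, "low": 10}
EXPOSURE_BONUS = 25
SENSITIVE_BONUS = 15
ADMIN_BONUS = 15
TOXIC_COMBO_BONUS = 20  # internet-reachable AND carries an admin-capable identity


def risk_score(f: Finding) -> int:
    """Scanner severity plus the context that decides whether an attacker can
    actually reach and exploit the resource. Capped at 100."""
    score = SEVERITY_BASE[f.severity]
    if f.internet_exposed:
        score += EXPOSURE_BONUS
    if f.sensitive_data:
        score += SENSITIVE_BONUS
    if f.admin_identity:
        score += ADMIN_BONUS
    if f.internet_exposed and f.admin_identity:
        score += TOXIC_COMBO_BONUS
    return min(score, 100)


def sla_hours(score: int) -> int:
    """Assumed remediation deadlines by score tier."""
    if score >= 70:
        return 4
    if score >= 40:
        return 72
    return 720  # 30 days


def triage(findings, top_n=None):
    """Return (finding, score, sla_hours) tuples, highest risk first."""
    ranked = sorted(((f, risk_score(f)) for f in findings), key=lambda t: -t[1])
    rows = [(f, s, sla_hours(s)) for f, s in ranked]
    return rows[:top_n] if top_n else rows


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("F-1", "sg-prod-web", "Security group allows 0.0.0.0/0 on port 22",
            "medium", internet_exposed=True, admin_identity=True),
    Finding("F-2", "i-batch-07", "Critical CVE in OS package", "critical"),
    Finding("F-3", "s3://customer-exports", "Bucket policy grants public read",
            "high", internet_exposed=True, sensitive_data=True),
    Finding("F-4", "user/ci-legacy", "Access key unused for 120 days", "low"),
    Finding("F-5", "rds-billing", "Storage not encrypted at rest", "high",
            sensitive_data=True),
]

if __name__ == "__main__":
    for f, score, hours in triage(SAMPLE_FINDINGS):
        print(f"{score:3d}  due in {hours:>4}h  {f.id}  [{f.severity}] {f.title}")
```

On this constructed sample the scanner's only "critical" (the CVE on an isolated batch host) lands fourth, while a "medium" open-SSH security group on an internet-facing instance with an admin instance profile lands first, which is the kind of re-ordering the fine-tuning described above is meant to produce. Whatever weights you settle on, the ranking should be reviewed with the provider against real findings before it is used to hide anything from the queue.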
Many organizations are concerned about vendor lock-in when using managed cloud security services. What are some ways to mitigate these risks?
No one loves vendor lock-in, and many deals have died at the negotiation table because of it. Cloud security is no different.
An ideal managed cloud security provider should take an agnostic approach. Their solution should be compatible with whatever CNAPP or CSPM solution you use. This gives you maximum flexibility to find the right provider without locking yourself into a specific solution. Advanced services may even enable you to take open-source tooling and get to a good place before expanding to a full cloud security solution.
You could also partner with a managed cloud security service that leverages open standards and protocols. This approach will allow you to integrate new or additional vendors while reducing your dependency on proprietary technology.
Training and building in-house knowledge also helps. A confident service won’t keep its knowledge to itself and will help enable and train your team along the way. This will allow you to better direct strategy, review performance, and pivot if needed.
Finally, pay attention to the contract’s terms. Clarify anything you are unsure about, specifically when it comes to exiting or migrating. You’ll also need to ensure you can retain data and configurations in a non-proprietary format should you need to change managed cloud security services.
What are some of the most overlooked cloud security threats that CISOs should pay closer attention to?
The biggest threat today: organizations still aren’t responding to incidents fast enough. Time to remediation remains one of the most overlooked areas in cloud security. We have all these alerts, but no one is solving them in a timely manner. Organizations must make themselves unattractive to attackers, which requires addressing the most significant vulnerabilities and misconfigurations in minutes, not months. You can’t leave the front door open and expect to not have someone walk in. Make it hard for an attacker to break in, and they’ll (often) just move on.
Another important area of concern is real-time incidents. Many organizations have done this on-prem for a long time, some even creating a SOC team, but it’s not something many have operationalized in the cloud. This ownership of handling real-time cloud threats must change as a company’s cloud footprint expands.
And there’s IAM—a more complex but equally concerning component of cloud security. In recent news, a few breaches started with low-level credentials being obtained before the attackers escalated their own privileges to gain access to sensitive information. This is often due to overly permissive access given to humans and machines. It’s also one of the least understood components of the cloud. Still, if your managed cloud security service truly understands the cloud, it won’t ignore IAM, the foundation of cloud security.
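The "low-level credential, then self-escalation" pattern described above almost always rests on a small set of IAM actions that let a principal change its own (or an assumable role's) permissions. The block below is an added example written for this page, not Tamnoon code or an AWS tool: it walks an IAM policy document and flags Allow grants of those widely documented escalation-capable actions, rating an unscoped grant (Resource "*", no Condition) higher than a scoped one. Both policy documents are constructed; the account ID and role names are placeholders.

```python
"""Flag IAM policy grants that enable self-escalation.

Added example, not from the interview: the action list reflects widely
documented AWS escalation paths, and both policy documents are constructed."""
import fnmatch

# Actions that let a principal raise its own privileges (abbreviated impact).
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion": "rewrite an attached managed policy to allow anything",
    "iam:SetDefaultPolicyVersion": "re-activate an older, more permissive policy version",
    "iam:AttachUserPolicy": "attach AdministratorAccess to a user, possibly self",
    "iam:AttachRolePolicy": "attach an admin policy to a role the principal can assume",
    "iam:PutUserPolicy": "add an inline admin policy to a user",
    "iam:PutRolePolicy": "add an inline admin policy to an assumable role",
    "iam:CreateAccessKey": "mint access keys for a more privileged user",
    "iam:UpdateAssumeRolePolicy": "make a privileged role trust the attacker's principal",
    "iam:PassRole": "hand a privileged role to a compute service the principal controls",
    "sts:AssumeRole": "pivot into any role whose trust policy accepts the principal",
}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_escalation_grants(policy):
    """One finding per (escalation action, resource) granted by an Allow
    statement. Deny statements and NotAction are not evaluated, so the
    result is a list of candidates to review, not effective permissions."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue
        conditioned = "Condition" in stmt
        resources = _as_list(stmt.get("Resource")) or ["*"]
        for pattern in _as_list(stmt.get("Action")):
            for action, impact in ESCALATION_ACTIONS.items():
                if not _action_matches(pattern, action):
                    continue
                for resource in resources:
                    unscoped = resource == "*" and not conditioned
                    findings.append({
                        "action": action,
                        "granted_by": pattern,
                        "resource": resource,
                        "severity": "high" if unscoped else "medium",
                        "impact": impact,
                    })
    return findings


# Constructed: a "developer" policy whose iam:* on * is the classic setup for
# a low-privilege credential to escalate itself.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed: same developer, IAM cut to read-only plus PassRole scoped to one
# role and one service. The remaining PassRole grant still shows up, at medium,
# because even an intended, scoped PassRole is worth a review.
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::dev-artifacts", "arn:aws:s3:::dev-artifacts/*"]},
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/dev-lambda-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overly permissive", OVERLY_PERMISSIVE), ("hardened", HARDENED)):
        print(f"== {name}")
        for f in find_escalation_grants(policy):
            print(f"  [{f['severity']}] {f['action']} via {f['granted_by']} "
                  f"on {f['resource']}: {f['impact']}")
```

The check is deliberately conservative: it reports what an Allow statement can match, and leaves Deny, NotAction, permissions boundaries and SCPs to a full policy simulator. Running it over the policies attached to developer users and CI roles (the "developer accounts" mentioned earlier) is a cheap way to find the wildcard IAM grants that turn a leaked low-level key into an account takeover.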
How do you see the threat landscape for cloud security evolving in the next 2-3 years? What emerging attack vectors should CISOs be preparing for now?
There is no escaping the obvious threats of AI and machine learning. The rapid pace of innovation in AI technology is already creating uncertainty in the industry. While AI will play an important role in defending organizations, it will also be used to attack them.
We think cloud security will get closer to the SOC in the coming years to detect and remediate real-time alerts in the cloud. Until now, cloud security/operations and SOC have been siloed. Cloud worked on cloud protection, while SOC worked on IR and focused more on non-cloud security problems. This was largely due to a skill gap, tech stack, and team structure. We expect to see those functions come back together. If an organization isn’t at the place to have a SOC yet, there’s a strong chance they’ll outsource this critical component of cloud security to a third-party service. We’re seeing more and more organizations realize they can’t host critical applications in the cloud without having someone actively monitor for threats.
Technical debt is another ticking time bomb for most organizations. Outdated architecture, poorly documented code, unpatched vulnerabilities, and regulatory/compliance knowledge gaps expose an organization to unnecessary risk. This problem is well-known in cybersecurity and is only amplified in the cloud. Security functions are often spread across multiple teams, departments, and business units.
With the rise of multi-cloud environments, companies must deploy the right CSPM and CNAPP solutions to manage security, identity, and data governance at scale. More important than tooling, we must also evaluate how to remediate findings, not just surface them. In many scenarios, end users evaluate based on visibility, not remediation. It’s a major flaw that leaves you stranded for a solution when you get your first 200,000 alerts. It’s also where a managed cloud security service can assist. Many companies can avoid this by exploring how to combine proactive remediation with visibility across their entire organization.