Worldwide spending on public cloud services is set to grow 20.7% to total $591.8 billion in 2023, according to Gartner, and threat actors are getting better at exploiting unpatched vulnerabilities.
Recent research by Palo Alto Networks’ Unit 42 found that more than 60% of organizations take over four days to resolve security issues, over 63% of codebases in production have unpatched vulnerabilities, and threat actors exploit a misconfiguration or vulnerability within hours.
The company’s Prisma Cloud is a top security player in spotting vulnerabilities in cloud-native application development and deployment. TechRepublic spoke with Ankur Shah, SVP and general manager of Prisma Cloud, about what cloud security means and how IT pros and decision makers should think beyond the traditional cybersecurity playbook when it comes to cloud security.
TechRepublic: How has hybrid work and migration to cloud business informed what Palo Alto’s Prisma does?
Ankur Shah: Before the cloud, security was like a house with one front door, a camera and a security guard: one level of security and you’re good to go. Now security is very dynamic. Every house looks and feels different. There are windows and doors and you don’t always know which are open, and the crown jewels are inside. So there’s a lot of “lift and shift” [the process of migrating applications and systems to the cloud] with customers rewriting applications — building “houses” in cloud infrastructure, and the security person at IT does not have as much control over how these houses get built.
TechRepublic: Developers do, nowadays.
Ankur Shah: … Because every company is becoming a digital company. If I’m Home Depot, I am a technology company that happens to be in home hardware; if I’m Pfizer, I’m a technology company that happens to be doing pharmaceuticals: today people are using AWS or another cloud service provider and developing their own software. So, yes, developers can have outsized influence because they have to build fast. Today there are over 33 million developers and fewer than three million security people who actually know the cloud. I don’t have data for this one, but I would guess that there are probably fewer than 20,000 people in the world who really understand cloud and security.
TechRepublic: But isn’t cloud security pretty much what most security is about now?
Ankur Shah: You have to understand that the bulk of the security professionals come out of an understanding of network and endpoint security. A lot of security people are using the same playbook that we used back in the day and applying it in the cloud. It’s a very different paradigm now, though. The way workloads get deployed in the public cloud — the windows and doors of the house — is very dynamic. You don’t rack and stack a server anymore. You click a button … or you don’t even have to click a button. Through automation, you can create literally hundreds of thousands of workloads in the cloud today. So these are the best of times, these are the worst of times if you’re in security.
TechRepublic: Should cloud providers be doing more in terms of securing what enterprises enact in cloud environments?
Ankur Shah: If you look at AWS, Azure, Google Cloud, IBM, Oracle and the others … you can have one cloud provider alone with over 200 cloud services that developers are using to build new applications. The cloud providers say, “Look, I will secure the infrastructure layer, but what you put in your applications, I don’t have responsibility, that’s up to you.” When I was a developer, we would ship that code once a year. Now customers are shipping code daily. So the CI/CD [continuous integration/continuous deployment] pipeline has reduced significantly now.
TechRepublic: Palo Alto Prisma Cloud is about securing that entire CI/CD process, correct?
Ankur Shah: The entire code-to-cloud journey … often involves 7, 8, 9 tools. The left doesn’t talk to the right, right doesn’t talk to the middle, middle doesn’t talk to the right. So, yes, Prisma Cloud’s mission has been to deliver code-to-cloud security at each stage of the pipeline. There will be security problems once things are in production. Continuously monitoring the final product to ensure that security holes are not left is also a big part of what we do.
TechRepublic: Even with code-to-cloud security there will still be exploitable critical vulnerabilities, don’t you need multiple tools to deal with this in development and production?
Ankur Shah: Well, there are two ways to not solve that problem. One is if you have multiple tools that aren’t integrated, which is what much of the security industry is today. There are 3,000 different vendors, 200 in cloud security alone. And everybody’s trying to sell point solutions. It’s not going to save the day for you. More tools make you less secure, not more.
TechRepublic: Which I assume is why enterprises are moving away from collecting point solutions toward platforms like extended detection and response, or XDR, in Security Operations Center contexts.
Ankur Shah: There is a big consolidation movement because customers can’t keep on repeating the sins of the past and have multiple tools, point products, but in security, good enough is not good enough. You have to be best in class.
TechRepublic: Is DevSecOps fundamentally different than what is happening in the world of SOCs and does Prisma Cloud respond to both contexts?
Ankur Shah: Tools like XDR for SOC are out there for doing threat detection prevention. If you have software already in production and an intruder gets in, Prisma Cloud will detect it and we will send those signals to the SOC. From the code to the cloud process, there are risk signals, and Prisma’s job is to prevent those problems to begin with.
TechRepublic: What are some uses of large language models in cloud security?
Ankur Shah: My vision is to leverage AI for two purposes: to improve the user experience and to improve the security outcomes. It’s really that simple. Customers today are asking simple questions, but to answer those questions we often have pages and pages of product information. With AI, why can’t you ask something like, “Hey, what’s my top security priority? What’s the next incident that I can expect?” In the future of security, users are going to be engaging with AI to help solve problems for these kinds of queries. That speaks to the user experience aspect of it. The security outcome is a lot of the stuff that we did already in AI. You can expect us to do more and more in the future with automation, more AI and machine learning because it’s really connecting the dots to ensure that if there is a breach — if there is a security incident — we’re able to detect it sooner than later.