Enterprise cloud use cases are changing and expanding, and companies are now realizing new security challenges that need to be resolved.
Cloud security solutions can include everything from new security tools to more advanced training to investing in new team strategies.
Datamation interviewed Parag Bajaria, VP, of Product Management, Cloud and Container Security at Qualys, who shared his perspective on the development and growth of the cloud security market.
About Parag Bajaria
Parag Bajaria is VP, Product Management, Cloud and Container Security at Qualys, focused on building and evangelizing cloud and container products and solutions. With more than a decade of experience in cloud security, he has built products in various security domains – data security, cloud posture management, identity security and workload security. Prior to Qualys, Parag was Head of Product Management at CloudKnox, a CIEM security company. Parag has held product leadership roles at HyTrust, Yahoo, and Juniper Networks. Parag has an MBA from Cornell University and an MS in Electrical Engineering from the University of Maine.
Interview: Cloud Security Market
How did you first start working in the cloud security market?
My journey in the cloud security market began about eight years ago when I joined a startup company that focused on data security solutions. At the time, the company was building a product that offered data encryption and key management services to customers. This was my first foray into cloud security, and I found it a fascinating field that presented many opportunities for innovation and growth.
After a few years of working in data security, I moved on to a new challenge: cloud infrastructure entitlement management. In this role, I focused on helping customers achieve the least privilege in their cloud environments, which involved monitoring privileges of identities, human and machine, and removing the privileges that are not being used. At Qualys, I continue to build end-to-end security solutions that help organizations protect their cloud environments.
My experience in data security and infrastructure management has proven invaluable in this role, as it allows me to take a holistic approach to cloud security and develop comprehensive solutions that address a wide range of challenges.
What sets Qualys cloud security approach or solutions apart from the competition?
Qualys’s single-platform approach distinguishes it from other cloud security providers in several ways. Unlike many competitors, which rely on a patchwork of disparate tools and systems, Qualys provides a unified platform that covers all aspects of security posture evaluation. This approach simplifies security management and ensures consistency and accuracy across multiple data points.
For example, suppose a workload running an Apache web server is exposed to the internet. In this case, Qualys could provide a comprehensive security posture evaluation by analyzing the virtual machine’s critical vulnerabilities, OS and Apache server configurations, criticality, and potential compromise. Qualys’s ability to aggregate these multiple data points enables it to deliver a more accurate and comprehensive representation of the true risk associated with the workload.
Furthermore, Qualys’s single-platform approach enables customers to scale their security posture evaluations seamlessly, regardless of the number of workloads or cloud environments they need to protect. Many other companies in the cloud security space require customers to use multiple tools and systems, leading to complexity, inconsistency, and potential security blind spots. Overall, Qualys’s approach offers a more streamlined, comprehensive, and scalable solution to cloud security.
For more: Top Data Center Security Software
The Cloud Security Market
What is one key new cloud security technology that particularly interests you?
One key new cloud security technology that particularly interests me is shift-left security. Traditional cloud security approaches tend to be reactive, meaning vulnerabilities and misconfigurations are often only detected after workloads are deployed. This can lead to significant delays and overheads identifying and remedying issues and an increased risk of exploitation. Shift-left security, on the other hand, involves detecting and addressing security issues before workloads are deployed – e.g., scanning CloudFormation templates for misconfigurations as soon as they are checked into the repository.
I am particularly interested in shift-left security because it distributes security responsibility across security teams, developers and DevOps, which can lead to more efficient and effective security outcomes. Ultimately, catching security issues earlier in the development process can reduce the risk of breaches and associated costs.
What is the biggest cloud security mistake you see enterprises making?
Not properly managing the security of their machine identities. While cloud workloads and applications often use cloud services and require permissions – just like human users – permissions assigned to machine identities or cross-account roles/service accounts are often overprivileged and not reviewed regularly. This can leave them vulnerable to exploitation if they are compromised, leading to the potential for significant damage to an organization.
To address this mistake, enterprises need to follow the IAM security best practices recommended by their cloud service provider and use CSPM security solutions to verify that those practices are being followed. By taking these steps, enterprises can significantly reduce the risk of cloud security breaches and ensure that their machine identities are properly secured. While other common mistakes in cloud security exist, this issue is particularly significant given the widespread use of cloud services and the potential impact of compromised machine identities.
What are some current trends in the cloud security market that are promising?
The cloud security market is constantly evolving, as organizations seek to protect their valuable data and applications from an ever-increasing range of threats. One of the most significant factors driving change in cloud security is the shift from a “security-first” approach to a risk-driven approach. This approach recognizes that the sheer volume of security issues can make it challenging to eliminate all risks, so instead, organizations are prioritizing the most critical vulnerabilities and misconfigurations based on their potential impact on the business.
This trend is giving rise to a range of innovative solutions that use advanced analytics and machine learning algorithms to help organizations measure risk more accurately, prioritize security issues more effectively, and provide reliable remediation guidance. For example, risk assessment platforms can scan an organization’s IT environment, combine that data with threat intelligence feeds, and produce a risk score for each asset. This score enables organizations to prioritize their security efforts based on the most significant risks, rather than trying to fix every single vulnerability.
The shift from eliminating risk to managing risk more effectively is a pragmatic approach that recognizes the realities of modern IT environments. By adopting this mindset and using advanced risk management solutions, CISOs can better protect their organizations from cyber threats while using limited resources more efficiently.
For more cloud security trends: Top Cloud Security Trends
How has cloud security changed during your time in the market?
The adoption of cloud services has accelerated, leading to an increase in the number of motivated attackers who are looking to exploit vulnerabilities in cloud resources. As a result, security has become more complicated and multi-layered.
In the past, protecting the network perimeter was often seen as sufficient. However, in the cloud, it’s essential to have multiple layers of protection. For instance, cloud workload protection, cloud resource configuration protection, cloud identity permission protection, and infrastructure-as-code (IaC) security are all essential components of a robust cloud security strategy.
Another significant change is the rise of multi-cloud environments. It has become common for organizations to use multiple cloud service providers (CSPs), each with its specific security challenges. This creates complexity for security teams, as they must manage and maintain security across multiple CSPs. Fortunately, cloud security solutions have also evolved, providing more comprehensive protection to help organizations stay ahead of the evolving threat landscape.
Where do you predict the cloud security market will be 5 or 10 years from now?
As the use of cloud technology expands, there will likely be an increased focus on securing cloud-based infrastructure. This will be driven by the need for businesses to protect their applications and data from increasingly sophisticated threats. In response, cloud providers will continue to invest in offering ways, such as serverless computing, to shrink the exploitable surface and reduce the attack surface.
Another trend that is likely to continue is the adoption of Zero Trust security principles. With Zero Trust, access to resources is granted based on identity and context, rather than relying solely on network location. This approach can help businesses improve security by limiting the potential attack surface and reducing the impact of compromised credentials.
We will also see an increase in the adoption of shift left security, which involves integrating security into the software development lifecycle from the beginning. This approach can help businesses identify and address security issues earlier in the process, which can save time and reduce costs. To make security more accessible, we may see the use of chatbot-like interfaces to investigate and respond to security events. This could help reduce the workload on security teams and enable faster response times.
Finally, given the sheer volume of security alerts that organizations receive, there will be an increased adoption of AI-based solutions to sort through the noise and identify the most relevant alerts. This will enable organizations to focus on the most critical issues and reduce the risk of missing important security events.
For more on cybersecurity: How to Segment Your Network: 7 Steps
Personnel in Cloud Security
What is one new cloud security development your team wants professionals to know?
Shift-Left security. I have talked about it in the earlier questions. Shifting security assessment before deployment allows for faster identification and remediation of security issues, which ultimately leads to a more proactive and effective security posture for cloud environments.
If you could give one piece of advice to a cloud security professional in the beginning of their career, what would it be?
One piece of advice that I would give to a cloud security professional in the beginning of their career is to focus on mastering a specific domain or area of expertise. The cloud security landscape is vast and constantly evolving, so it can be difficult to be a generalist in this field. By focusing on a specific area, such as cloud misconfiguration, you can gain deep knowledge and expertise in that area, which can be invaluable in your career.
To become a true expert in a specific domain, it’s important to be hands-on and gain practical experience. This can include setting up test environments, experimenting with different configurations, and running simulations to test security controls. Additionally, reading security blogs, attending security conferences, and networking with other professionals in the same domain can help you stay up to date with the latest developments and best practices.
Another important aspect of mastering a domain is to share your knowledge and expertise with others. This can include writing blog posts, creating open-source tools, and contributing to online forums and discussion groups. By sharing your insights and experience, you can not only help others in the field but also establish yourself as a thought leader and expert in your domain.
With the shortage of tech talent, how is your team finding and retaining professionals to work in cloud security?
With the shortage of tech talent in the cybersecurity industry, finding and retaining professionals in cloud security can be challenging. My team has found that investing in candidates with deep experience and the ability to mentor junior staff has been an effective strategy. By building a strong leadership team with experienced professionals, we can quickly scale our hiring efforts and maintain high standards for talent.
To retain talent, we have found that it’s important to provide meaningful and challenging assignments that align with the company’s vision and values. This not only helps keep employees engaged and motivated, but also provides a sense of purpose and fulfillment in their work. Additionally, providing opportunities for career growth and development, such as training and certifications, can help employees feel valued and invested in their long-term success with the company.
For the greatest business impact, what should cloud security professionals be focusing on most in their roles?
For cloud security professionals to have the greatest business impact, they should focus on prioritizing the issues they face. Often, security professionals can get overwhelmed by the sheer volume of issues, making it challenging to address critical ones that can have a significant impact on the business.
To avoid this, cloud security professionals need to develop methods to prioritize issues effectively. This involves removing any non-actionable issues from the queue immediately and creating prioritization criteria for the actionable ones. By prioritizing the issues, security professionals can focus their efforts and resources on the most critical ones, ensuring that they are adequately addressed, and the business impact is minimized.
In addition to prioritization, cloud security professionals should also be proactive in identifying and addressing potential security risks. This involves continuously monitoring and analyzing the cloud environment for any vulnerabilities, threats, or anomalies that may impact the security of the organization’s data and systems. It’s essential to have a robust security strategy in place that includes regular assessments, risk analysis, and the implementation of best practices and industry standards.
For more on cloud: The Cloud Storage Market
What is your favorite part of working in the cloud security market?
It’s the constant change that keeps the industry on its toes. As more organizations migrate to the cloud, the focus of hackers has also shifted, creating new and more sophisticated threats that require innovative solutions to defend against. This makes the work both challenging and exciting, and I enjoy being part of an industry that is always pushing boundaries.
The tactics to defend in the cloud are quite different from those used on-prem. For example, the shared responsibility model in cloud security requires more emphasis on access control and identity management, as well as a greater need for automation and real-time monitoring to detect and respond to threats. Attackers also use different tactics to target cloud workloads, such as exploiting misconfigured settings, using stolen credentials, or launching distributed denial of service (DDoS) attacks. As a cloud security professional, it is crucial to stay up to date with the latest trends and techniques to effectively defend against these threats.
I enjoy the challenge of staying on top of these trends and using my expertise to develop innovative solutions that address the unique security needs of the cloud. The constant change in the market keeps my work interesting and engaging.
What are your favorite hobbies or ways to spend time outside of work?
Outside of work, I have a few hobbies and interests that keep me busy and fulfilled. One of my favorite things to do is cook and experiment with new recipes. I find cooking to be a creative outlet and a great way to unwind after a long day. I draw inspiration from a variety of sources, including cooking websites, YouTube videos, and family recipes passed down from family. I enjoy trying new ingredients and techniques and seeing how I can improvise and make a dish of my own.
Another passion of mine is staying active and spending time outdoors. Whether it’s going for a hike in the mountains, taking a Zumba class, or playing a game of ping pong, I find that physical activity helps me stay energized and focused.
I also love reading and learning about new topics. Whether it’s a new book on self-improvement, a podcast about history, or a documentary on a topic I’m interested in. I find that learning something new helps me stay curious and engaged with the world around me.
For more information: Top 16 Cloud Service Providers & Companies