Short interview with cloud security expert Archis Gore from Polyverse
Securing the infrastructure, platforms, processes and data is one of the most important topics in cloud computing. the cloud report interviewed cloud security experts about the challenging year 2020, how this year of digitization affected cloud security, and their expectations and solutions for 2021.
What were the biggest security challenges for cloud customers in 2020?
My tongue-in-cheek answer is: Public S3 buckets.
But all joking aside, the biggest challenge in cloud is managing policies, permissions, authentication and authorization. Security breaks down into two distinct buckets:
- a) The Policy: i.e. “What do you want?”
- b) The Implementation: i.e. “How do you get what you want?”
The Policy is not trivial but it’s fairly easy. Anyone can intuitively know policy such as:
“Nobody should be able to access my S3 bucket publicly.”
“Only the team owning the VMs should be able to login to them.”
“My application should never show data of one user to another user.”
Where it all runs into a huge challenge is implementation. How can we ensure that data from one user isn’t visible to another? How do we validate that it is correct? How do we test it? These are very difficult things to validate and ensure.
And that is the single most important challenge faced by cloud customers in 2020. To implement and be assured of the implementation of what they want. Many times, these systems are Gordian knots – convoluted, complex, interdependent, etc.
What were the critical vulnerabilities that you became aware of, and maybe were confronted with, in 2020? How did or would you address those vulnerabilities, i.e. which solution would you recommend, and why?
My top 3 for the year:
- Boothole: At first glance, it appeared to be a fringe problem, but for those it affected it enabled breaking out of the secure boot chain without any defensibility.
- Adrozek malware: This was malware that could infect multiple browsers on Windows. Anything that installs seamlessly through a browser is dangerous because it the fail-safe default (i.e. users can get infected without taking any action.)
- The Code-injection vulnerabilities in WordPress which affect a massive number of sites. WordPress is a common and frequent target of code-injection vulnerabilities and it affects real-world websites used by regular people (not nation-states or super-secret hacking groups). Specifically these two:
Generally, the solutions I recommend for all three are solutions that work preemptively and create fail-safe designs. What this means is that the solution has to work BEFORE the problem is even known to exist. Something that systemically and endemically prevents the vulnerability from ever being exploited.
For all code injection like Boothole or WordPress, I always propose using Zero-trust technologies which assume that ALL components (including security tools themselves) are untrustworthy and thus mitigate attacks as a design of the system itself. In humans, think of vaccination as an example of zero-trust protection – rather than “trust” anyone, doctors, nurses, friends, family as having been safe, once you take a vaccine you have to trust nobody and you are preemptively safe without any need for detecting or preventing the virus. The same mindset needs to be applied to computer systems.
There are different approaches to secure cloud environments. Which is the more effective one in your opinion?
Security approaches break down across many dimensions, but I want to break down across two dimensions which are somewhat orthogonal to each other.
One Dimension is “how” security is done and there are 3 main approaches people take here:
- The first approach is reactive and the most common. This is where you wait for something to get hacked or some vulnerability to be known, and then react rapidly to it by patching or adding firewall rules or malware signatures whenever possible to find and remove exploits. This approach is the least effective because the damage may already have been done by the time you are able to react.
- The second approach is perfection. This is where you ensure all code/systems/designs are 100% perfect and provably correct. If this can be done, then all systems are secure by design. This is the approach taken by static and dynamic analysis, safe programming languages like Rust or Checked-C, Leslie Lamport’s TLA+ and so on. This is my personal ideal that I hope we can reach one day, despite knowing that theoretically we can never get there.
- The third approach is fail-safe. This means that when a system fails, it fails in a manner that is safe to the mission. Most real-world critical systems are built to “fail-open”. Let’s say you are in a car and the lock fails, then it will always be open if it has failed. For cybersecurity we should design systems to fail-closed. When authentication fails, we have to make sure that no access is granted. When our correctness fails, the system prevents malicious behavior. This is my personal favorite because it encapsulates the idea that no system is perfect and no system is built, operated and utilized by perfect beings.
The second dimension is who should worry about security? This is similar to the serverless mindset – everything is going to have security. But whenever possible I advocate handing it off to the platform. Rather than buying a security tool independent of the platform and then performing integration yourself, it is much better to make the platform itself be secure and own it.
So whenever possible the best approach to secure cloud environments is to buy “secure cloud environments” rather than build “security” on top of “cloud environments”.
What is your security offering and how does it improve the security posture in the cloud?
Polyverse’s security offering is built on the 3rd approach I discuss above – which is to make security fail-safe by requiring zero-trust in anything at all. We have two main offerings – one is to protect the entire Linux stack across any distribution, and it protects against 70% of the attack area by assuming no code is trustworthy, no scanning is trustworthy, no promises are trustworthy. With this zero-trust basis, Polyverse pivots from having to “trust” any single entity for being always-correct into the customer’s hands where they don’t rely on trusting anyone except for themselves.
How will the market change in 2021, i.e. what security challenges do you foresee?
I think the security market is going to grow in 2021 but not fundamentally change shape or form. There was a lot of change and lessons learned in 2020 that I believe we’re all going to need some time to fully internalize. We saw the massive SolarWinds attack putting into question our supply chain integrity. We saw the birth of the Open Source Security Foundation (OpenSSF) to help Open Source projects be secure better. We saw the rise of the ZeroTrust mindset as we were forced to go distributed.
The sparks of change were laid in 2020. 2021 will see these become mature, adopted, with some stumbles along the way and going mainstream.
The interview was conducted by Friederike Zelke.
Archis Gore is the CTO of Polyverse. His current mission is “to solve cybersecurity.” As CTO, Archis leads the R&D team focused on finding solutions to cybersecurity problems that work in the context of where the world is today, are immediately effective, simple to implement and deploy at any scale.
Prior to Polyverse, Archis was on Amazon’s Retail Search Experience team. He worked in operations, owning latency, a large-scale service migration to a serverless platform before serverless was a word. He holds a patent for measuring human-perceived latency of web pages. He also worked in Q4 capacity and reliability planning, running Thanksgiving weekend operations, the busiest period for Amazon. It was there that he noticed a gap in operational cybersecurity, namely security that is easily implemented, effective immediately, and automated at a very large scale.
Archis began his technology career with the Code4Bill (Gates) competition, selected as one of the top 20 student technologists out of India from amongst 150K competitors. During his internship at Microsoft he filed his first patent for a phonetic search algorithm for finding similar-sounding words at constant-cost. He also worked on the Windows Mobile version of Live Mesh. Archis holds a master’s degree in Computer Science from the University of Pune, where most of his collegiate work was focused on finding practical solutions to intractable problems. Archis is an accomplished exploration diver, having found a few undocumented shipwrecks. He plays Indian classical music, loves ballroom dancing, and enjoys cooking and baking.