Cloud computing has security issues. The problem is underscored by the complexity of cloud and the lack of visibility into what’s happening with workloads inside software containers that host the components of modern applications.

Securing the cloud is a never-ending game of cat and mouse with sophisticated criminals in an expanding attack surface that has leaped off-premises into the cloud, expanded to multiple public clouds, reembraced on-prem, and reached out to the edge in the past 15 years.

Now, according to analysts, the next era of cloud is dawning: the supercloud.

“Security has the most difficult job in the cloud, especially supercloud,” said Piyush Sharrma (pictured, right), founder and chief executive officer of Accurics, acquired by Tenable Inc. “[They] are managing something or securing something that they can’t govern.”

Sharma; Gee Rittenhouse (center), CEO of Skyhigh Security (Musarubra US LLC); and Tony Kueh, (left), investor and former vice president of products at VMware Inc., joined theCUBE industry analysts John Furrier and Dave Vellante at Supercloud 22, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. During a session on “Securing the Supercloud,” they discussed how to build a cohesive security strategy in an environment that spans multiple clouds.

Supercloud will lead to superhackers

DevOps has become DevSecOps as security shifts left to become a primary consideration for software engineers rather than a post-production afterthought. Developers are the ones with the power to create, define and destroy in the cloud, and security is left watching and responding as fast as possible to threats.

The major cloud providers have built their own security frameworks, which work within their own environment. The problem with supercloud is that it’s not limited to one cloud, and there is no easy way to integrate standards across clouds, according to Rittenhouse.

“So, all of that is left to the developer who is throwing out code as fast as they can,” he said.

It’s an untenable position. And to make matter worse, as enterprise has shifted security left so the criminals have also moved the focus of their attack to earlier in the pipeline.

“They have started attacking your source code, impersonating the codes, replacing the binary, finding what limit is there,” said Sharrma, referring to this new breed of cyber criminals as “superhackers.”

Today’s chief information security officers need an understanding of how clouds work, and the dependency of clouds on the business that they serve, according to Rittenhouse. “There’s a coherence across these systems that a CISO has to think about,” he said.

These are not only the cloud boundaries, but the trust boundaries that exist within virtualized environments. A classic example is visibility, where a security team needs a clear map of the business’ assets and dependencies, plus maintaining compliance and adhering to regulatory requirements where necessary.

Why not just implement zero trust?

A zero-trust framework can be implemented around access, with users required to build up trust levels before they are given increased privileges and access within applications. This is essentially the same as trust brokering within a supply chain, according to Rittenhouse.

The problem with implementing a zero-trust framework on supercloud is that supercloud is an architectural shift. This level of change would traditionally mean building an operating system, according to Kueh.

But to build an OS, you need a scheduler, process handler, process isolation, memory, storage, compute, “all that together,” he said. With cloud, these components are spread out across the internet, meaning that the security model is missing a supercloud OS.

“So, if you don’t even have an operating system how do you implement security?” Kueh asked. “That’s the pain, because today it’s a one-off direct link from service to service.”

One major shift that security has to make is to move away from focusing on “that shiny object, a particular solution to a particular threat,” Rittenhouse said.

When it comes to cloud, and especially supercloud, the number of threats multiples to the point where chasing them individually is impossible. This can only be solved through “a finite number of platform-type solutions that are trying to solve this on behalf of the customer,” he said.

Experts say supercloud security requires a framework

Building a secure supercloud will require an ecosystem effort, the experts agreed. Sharrma suggested creating a consortium to build a framework that defines exact operational parameters within a supercloud. This would create a pattern that could be followed regardless of location. “Otherwise, security is going everywhere,” he said.

Rittenhouse sees the framework coalescing around more of a business model, while Kueh believes that history will repeat itself, with the industry embracing and extending a set of standards as it did with the Internet Engineering Task Force.

“At that time, the largest and most innovative vendors understood that they couldn’t do it by themselves,” he said. “So I think what we need is a mindset where these big guys … collaborate with the ecosystem around a set of standards so that they can bring their differentiation and then embrace everybody together.”

Interestingly, the day after this conversation on “Securing the Supercloud,” the Open Cybersecurity Schema Framework was announced, with Amazon Web Services Inc., Splunk Inc., Salesforce Inc., IBM Corp., Cloudflare Inc. and CrowdStrike Holdings Inc. among the supporters.

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the Supercloud 22 event:

Photo: SiliconANGLE