I’ve been doing cloud and cloud security for almost ten years now, and I’ve seen a lot of issues. While a handful of companies have invested massively in this space, most struggle to stay ahead. Security teams are overwhelmed, and few have dedicated cloud security resources. Developers are irritated with Security when given a twelve-thousand-line spreadsheet of problems to fix. We cannot blindly adopt outside frameworks and assume they meaningfully measure our risk.
I’m going to focus on cloud security consulting and training with my company PrimeHarbor Technologies. My primary goal here is to help solve cloud security challenges. As I considered this move, someone told me, “figure out your positioning statement”. I think “Solving your cloud security challenges at their source” best encompasses what I want to do.
The ultimate shift-left security flex is to educate and empower developers and engineers
If we envision the shift-left paradigm, cloud security issues arise when a developer or engineer drops "s3:*" into a policy document or opens a security group to 0.0.0.0/0 because they don’t have a better way to access resources. Part of this is user education. The Cloud is Dark and full of Terrors, but that’s not something you’ll hear from the major providers. So it’s incumbent on us in security to embrace and educate the cloud community.
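As an added illustration of the two anti-patterns just named (this is not code from the post or from PrimeHarbor), here is a small Python check that flags wildcard Allow actions in an IAM policy document and security-group ingress rules open to the whole Internet. The sample policy and rule list are constructed; the rule shape follows the EC2 IpPermissions structure as an assumption.

```python
import json
from typing import Dict, List

# Constructed sample IAM policy containing the "s3:*" anti-pattern from the post.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Constructed sample ingress rules; shape assumed from the EC2 IpPermissions structure.
SAMPLE_INGRESS = [
    {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]


def _as_list(value):
    # IAM allows Statement and Action to be a single value or a list.
    return value if isinstance(value, list) else [value]


def wildcard_actions(policy: Dict) -> List[str]:
    """Return Allow actions that end in '*' (e.g. 's3:*' or a bare '*')."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access, so they are not flagged
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append(action)
    return findings


def open_ingress(rules: List[Dict]) -> List[str]:
    """Return 'from-to/cidr' strings for rules reachable from any address."""
    findings = []
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{rule.get('FromPort')}-{rule.get('ToPort')}/{cidr}")
    return findings
```

Running both checks over the samples flags `s3:*` and the SSH rule open to 0.0.0.0/0 while leaving the scoped `s3:GetObject` statement and the 10.0.0.0/8 rule alone.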
PrimeHarbor will focus on two places:
- Helping companies or departments understand their cloud security program and posture; and
- Educating developers and engineers on how to secure their cloud applications and why they need to.
We want to work with security teams, but also with technology leaders. For example, running an assessment of a department can be just as valuable to an engineering leader as an engagement assessing an entire company.
Our third pillar will be open-source projects and other educational tools to help security and the development community they serve to understand meaningful cloud security risk. It’s time we democratize cloud security for small and medium-sized businesses. I’m not ready to announce those projects, but they’ll start spinning up shortly.
Ultimately, open source is a critical component of democratizing cloud security. Unfortunately, not every company can afford Wiz or Prisma. That’s why I’m still supportive of Steampipe and the Steampipe community. We need more tools that can be the glue between tools and cut through the challenges of multi-cloud and issues with visibility.
Do you want to solve your cloud security challenges? Drop me a line.