By Matt Chiodi, Chief Security Officer, Public Cloud, Palo Alto Networks

One of the most common misconceptions among organizations entering a cloud transformation journey is the belief that securing workloads in the cloud is the same as securing workloads on-premises. In reality, that’s just not the case.

One of the first keys to building a successful cloud security strategy involves the realization that the cloud requires a fundamentally different approach from on-premises security. Organizations cannot, and should not, be securing cloud workloads the same way they were secured on-premises. On-premises security is typically reactive and largely driven by manual processes. In the cloud, with the speed of DevOps and cloud native development, it isn’t possible to do things manually—or leave security as a last step—and be secure. Additionally, some executives assume that moving to the cloud equates to automatically gaining automation. Unfortunately, that is not true either. You need to build in automation yourself, especially from a security perspective. An important part of any successful strategy is overcoming these common myths.

Identity Security in the Cloud

The recently released Cloud Threat Report, 2H 2020 from Unit 42, the threat research division at Palo Alto Networks, outlined a number of different risks and common security issues for cloud workloads. Among the high-level findings in the report is that cloud identity flaws are both difficult to detect and highly impactful. Identity is all about verifying who a given user is and providing the appropriate level of authorized access—but what happens when an attacker is able to abuse an identity due to a misconfiguration? Unit 42 carried out a Red Team exercise on behalf of a customer and, in less than a week, was able to completely compromise the customer’s entire cloud environment.
The team did this by exploiting a misconfigured identity and access management (IAM) trust policy. With a misconfigured IAM policy, an attacker could get access to the proverbial keys to the kingdom for an organization’s cloud assets. The attacker could then do any number of things against the organization, including stealing sensitive data or even wiping out the cloud infrastructure.

The Big Cloud 5 Holistic Cloud Security Strategy

Certainly, automation is a key part of building a successful cloud strategy, as is the need to manage IAM policies. Looking beyond just these two tactical elements, organizations should consider what we call the Big Cloud 5, which outline the elements that enable a holistic cloud strategy.

Taking a “Default: Aggressive” Posture in Cloud Security

Being secure in the cloud is not about taking a passive stance. After all, security for your workloads is up to you, not the cloud provider.

A principle known as Default: Aggressive was defined by former US Navy SEAL officers Jocko Willink and Leif Babin. The Default: Aggressive approach is all about taking a confident, independent, and proactive default approach to real-time challenges.

I see the Default: Aggressive mentality as very similar to the mindset of Assume Breach, where security professionals assume that their environment has already been exploited. Don’t take the stance that, just because your team has ticked the boxes on a few cloud service provider-delivered security capabilities, all cloud workloads are OK.
Rather, assume and take a Default: Aggressive stance to begin with.

Part of a Default: Aggressive stance is having a holistic strategy as well as making sure you have automated as much of your security tooling and response as possible.

Measuring Success with Shared Metrics

Having the right metrics to help benchmark and gauge cloud workload deployment security is another key to success.

What’s critical, though, is bringing DevOps and security teams together to come up with shared metrics for cloud workloads. Typically, DevOps teams have one set of metrics that may well be more focused on availability and resilience, whereas security teams tend to look at vulnerability-related issues.

For an organization to really develop a DevSecOps culture that enables a successful cloud security strategy, it is important to have shared metrics that measure developer, operations, and security key performance indicators.

Building a Strong Foundation for the Future

The reality today is that the cloud is more important than ever—which is why it’s paramount to have the right foundation in place for cloud security success.

The 2020 State of Cloud Native Security report by Palo Alto Networks surveyed about 3,000 practitioners worldwide. We found that, in 2020, 46% of organizational workloads were already in the cloud. Over the next two years, we expect that to rise to 64%. With the ongoing pandemic, we expect the adoption figure to actually be even higher in our 2021 study.
In a tight business environment, the cloud gives organizations the ability to be agile and to respond more quickly to competitive threats.

As organizations accelerate their migration to the cloud, they need to remember that the cloud is not the same as on-premises and that, to enable cloud security success, there is a clear need to embrace and implement automation as part of a holistic strategy.

For more expert advisory and insights on the issues shaping cybersecurity today, visit Palo Alto Networks CXO Perspectives.

About Matt Chiodi:

Matt has nearly two decades of security leadership experience and is currently the Chief Security Officer of Public Cloud at Palo Alto Networks. He works with organizations to develop and implement security strategy for public cloud adoption and maturity. He does this through advisory meetings with clients, frequent blogging and speaking at industry events such as RSA. He currently leads the Unit 42 Cloud Threat team which is an elite group of security researchers exclusively focused on public cloud concerns. Chiodi has served on the board of various non-profits including Board VP and Governor of Philadelphia’s InfraGard. He is currently on faculty at IANS Research.