As public clouds supersede the datacenter for our customers, it's not enough to represent just one facet of a general trend toward the dissolution of traditional perimeters. This trend requires a novel and comprehensive suite of controls around identity, configuration management, and endpoints, which represent the new attack surface. Ermetic provides crucial analysis of these modern infrastructure fixtures which is essential to delivering robust managed security to our customers.
To launch our partnership with Ermetic, we talk to Arick Goomanovsky, Co-founder & CBO of Ermetic and David Emerson, CTO of SolCyber about the impact of cloud security for the modern business and why Ermetic was a clear partner of choice for SolCyber.
Provide us with an overview on what Ermetic | SolCyber does?
Arick: Ermetic is a comprehensive cloud security platform for AWS, Azure and GCP that enables you to proactively reduce your attack surface, detect threats and reduce your blast radius in case of a breach. Ermetic’s holistic cloud security solution enables comprehensive risk assessment across the entire security stack – from full asset discovery and deep risk visualization, prioritization and remediation to anomaly detection and compliance audit.
David: SolCyber is a modern managed security provider focused on providing businesses with top tier cybersecurity capabilities they would otherwise be challenged to build and maintain. We package organizational, technological, and policy assets together in a cohesive program available to our customers at a transparent fee per user. Ermetic is an identity centric cloud infrastructure visibility and security program, and the one SolCyber selected to provision at our customers with public cloud infrastructure.
Provide us with a short description of your role at Ermetic | SolCyber?
Arick: I’m a co-founder serving as CBO at Ermetic. Shai Morag (the CEO) and I have known each other since we were teenagers and we always talked about one day starting a company together. When we finally got the chance a few years ago, our first investors introduced us right away to Sivan Krigsman (CPO) and Michael Dolinsky (CTO). Sivan and Michael brought with them many years of proven technical expertise from Microsoft and various other companies, so it was a natural fit for the four of us to join forces and divide the management responsibilities. I took on the go-to-market organization and built it from the ground up including our sales team, business development, sales engineers, customer success, as well as channels and alliances. Slowly, over time, we’ve brought in talented leaders to head each area and keep it all running smoothly.
David: I am CTO at SolCyber, and my team operates the Security Operations Center, provides customer onboarding and support services, and builds integrations between the products we offer to customers as managed services.
How important is cloud security for smaller businesses?
Arick: Cloud security is hugely important for small businesses, even more so these days when the majority of them are being built in the cloud from the beginning. It doesn’t make financial sense for small businesses to attempt to host their own IT infrastructure and services on premise when the cloud offers a robust selection of nearly plug-and-play services, including security…at a fraction of the cost. This enables small businesses to enjoy the benefits of sophisticated applications and services that only enterprises could afford when everything had to be on-premise.
But working in the cloud and relying on cloud applications and services for so many business processes doesn’t mean that the obligation to secure data and resources just disappears. Cloud providers all work with a shared responsibility model, and for small businesses, MSSPs can add that additional layer of security protection and ensure that small businesses can have the best of both worlds - a high level of security while enjoying the flexible and dynamic nature of cloud.
Do smaller companies face different cloud challenges?
Arick: On the surface, it looks like the cloud makes life simpler and easier for businesses. But along with the value, it also brings complexity. For small businesses, it’s more difficult to learn the ins and outs of the many security risks around every application and service they use. Even enterprises struggle with this; but the difference is that big companies can build dedicated teams to focus on the security issues. Small businesses have to find ways to balance their requirements with the tools they need and the oversight it requires. This is where security service providers specializing in cloud applications come in. They can often fill the gap for small businesses.
What are common mistakes you see, when customers look for a cloud security solution?
Arick: The most common mistake we see as customers prepare for and move to the cloud is not properly understanding the shared responsibility model. Every cloud provider works with its own shared responsibility model meaning there are aspects the cloud provider is fully responsible for, and aspects that the customer is fully responsible for. Many customers do not realize that these cloud providers are not responsible for securing identities, applications and data, and that more than a little management and governance is required. It’s also a misconception that native, built-in tools are “enough.”
Cloud providers all come with various levels of protection built in, but customers need to keep their own best interests front of mind and realize that what they need and require is most likely beyond the scope of what comes prepackaged in the solutions. That doesn’t mean the solution isn’t good; it means that customers need to make sure they find the right mix of tools and solutions to cover all their security needs. Another mistake we often see is underestimating the skills gap. Sometimes companies will invest so many resources into researching and purchasing a new fancy security solution without ensuring the technical know-how and manpower to manage it. Security solutions can do many things and relieve many worries, but they cannot manage themselves.
It’s important to make sure there’s someone in-house with the skills to keep everything in line, or to look to solutions offered by MSSPs who can help find the right solution set and help deploy, operate and maintain it to compensate for any gaps as a company scales out.
Most startups build their product and services off a cloud provider. What are the biggest risks they'll face in terms of security?
David: Sprawl is the single biggest security risk when operating in any public cloud. Sprawl takes many forms, it’s not merely extraneous EC2 instances or Lambdas, for example, but can include configurations, roles, permissions, and policies. The surface area of even the most modest public cloud infrastructures today can be truly staggering, and some of that surface is subject to attack. Maintaining a sense of scope and some ability to link the identities of the privileged with the actions considered nominal for their roles is absolutely crucial to the successful maintenance of sprawl, and the mitigation of attack surface.
Why is visibility and protection of identities so important for the cloud? Is this why Ermetic was an obvious partnership choice?
David: Ermetic supports the cloud platforms our customers use and provides the visibility we require to analyze inventories and administrative activities for anomalies. There are other products in the same space with similar claims, but none as broadly compatible as Ermetic while maintaining functionality in a service provider commercial paradigm.
Where do you see the importance of cloud security in the future?
Arick: Cloud is the future, so cloud security will continue to be increasingly important. More and more business processes are moving to the cloud - the COVID pandemic only accelerated that shift. Mid-sized organizations must be no less strategic about cloud security than the big guys. They should prioritize protecting cloud data and identities, continuously seeking out a mix of solutions and services that rise to meet their unique needs, close cloud security and knowledge gaps, and relieve the toll on teams.
David: We’ve transitioned from cloud being a forward-thinking infrastructure to cloud as-a-default for many businesses, even those who don’t fully understand (or need to understand) the implications of such an architectural decision. Law firms, regional banks, hospitals, real estate agencies, and small manufacturing concerns are all, today, spinning up their first infrastructures in the cloud, bypassing entirely the “on-premise” paradigm. This is not to be feared – the public cloud holds many advantages for the medium and small enterprise, especially where that enterprise does not naturally count technology administration among its core business competencies. I see the shift to the public cloud among our customers as healthy and inevitable, and I also see this trend securing the future of competent products which pragmatically manage the risks of the cloud while maintaining its elasticity and abstraction benefits.
If you're considering identity-first cloud security as part of a managed security solution, talk to us about how we can help.