How to Mitigate Cloud Security Risks: Exclusive with Qualys’s Pinkesh Shah

Why Trust Techopedia

The recent Qualys Cybersecurity Conference in London brought together professionals from around the globe to tackle the ever-present challenge of protecting data in the cloud.

As organizations increasingly migrate their operations to cloud environments, the need to harden cloud infrastructures becomes paramount.

This year’s Qualys cybersecurity conference tackled a vital yet often underestimated challenge: how to assess, communicate, and mitigate security vulnerabilities in cloud environments.

In this exclusive sitdown interview, Techopedia speaks with Pinkesh Shah, Chief Product Officer at Qualys. Shah, a veteran of the cybersecurity industry, offers insights gleaned from the conference and delves into how organizations should approach cloud security risk management.

He talks to Techopedia’s Franklin Okeke on how artificial intelligence (AI) can help enterprises gain a clearer picture of their security posture, bridge communication gaps between IT and business leaders, and achieve a more proactive approach to mitigating threats.

About Pinkesh Shah

About Pinkesh Shah

Pinkesh Shah is a seasoned professional in the cybersecurity industry with a career spanning over two decades. He currently serves as the Chief Product Officer at Qualys, where he oversees product design, marketing, and all product teams. His experience is marked by his contribution to launching category-defining cybersecurity products.

Advertisements

Prior to Qualys, Shah held significant roles in several renowned companies. He was the Global Head of Products at McAfee for the Risk and Compliance business unit. He also worked with Exabeam in the Security Information and Event Management (SIM) space, and with Beyond Trust in the identity security space.

Shah also holds significant board memberships in many organizations, including Zapilio, the Institute of Product Leadership, and Ergode.

Key Takeaways

  • Vulnerability overload, misconfigurations, and digital footprints across cloud environments make AI essential in de-risking the cloud.
  • While patching is one approach to eliminate risk, it is not always the best answer. Organizations should consider other remediation options and balance risk reduction with business continuity based on factors like asset criticality.
  • Effective communication of risk context and prescriptive guidance is essential for IT operations and business leaders.
  • A holistic, data-driven approach with AI is necessary to identify, communicate, and address critical cloud security risks.
  • AI has its risks, but AI-powered risk insights can help uncover high-risk scenarios and prioritize remediation across cloud and SaaS.

Patching is Good, but There is More to De-risking Our Cloud Environment

Q: Qualys themed this conference around “Measure, Communicate, and Eliminate Your Cyber Risk.” Can you elaborate on why these three elements are so crucial for de-risking the cloud?

A: We believe the core of every cloud security and compliance platform revolves around this concept of “Measure, Communicate, and Eliminate Your Cyber Risk”. Let’s unpack why each of these aspects is crucial for cloud security.

First, we focus on measuring true risk. Traditional methods simply count vulnerabilities, which can overwhelm security teams, but this shouldn’t be the case.

There should be an algorithm to filter vulnerabilities based on real-world impact, not just the number. This helps prioritize what truly matters and avoid chasing after vulnerabilities that might not be critical.

Imagine finding 2.8 billion vulnerabilities across your entire network! That sounds terrifying, but Qualys can show you that only a tiny fraction, perhaps just 7%, actually pose a serious risk. This lets you focus your efforts on fixing the most impactful issues.

The second part is communicating that risk. The reason why these risks, which are found, never get fixed in time is because the context is missing on the other side, on the IT operations side, who are supposed to be fixing this.

When you go over the wall and tell them, ‘hey, go fix these 15,000 things’, they don’t have time and they don’t have the context.

So communicating why that is, the reasoning and the context, and giving them prescriptive guidance on how to fix it is a very important aspect of the communication to the IT Ops. But there’s also communication to CISOs who need to communicate cybersecurity ROI [return on investment] to CEOs and boards.

Finally, we move from identifying risk to eliminating it. Patching is one approach, but it’s not always the answer. Sometimes, other remediation strategies are more appropriate. For instance,  we might recommend verifying that a specific antivirus rule set is active instead of patching a machine right away. This balances risk reduction with maintaining business continuity. The ideal solution considers asset criticality.

Patching a CFO’s laptop with sensitive data is more urgent than patching a random employee’s machine.

So cloud platforms should strive to provide a Google Maps approach to risk elimination. Just like Google Maps gives you different routes to your destination, we should offer multiple options for fixing a risk. There might be a fast way, a cheap way, or an efficient way, and you can choose what works best for your specific situation. This balance between risk reduction and business needs is what truly sets our platform apart.

Misconfigurations and Digital Footprint Overload Mar the Cloud

Q: AI tools are not safe in themselves as they can also bring their own vulnerabilities. So what potential vulnerabilities could arise from using those AI tools in the cloud? How can organizations ensure these vulnerabilities do not occur?

A: When it comes to vulnerability management and risk management, the key is to look at the desired outcome and use case. The average time for an organization to patch a known vulnerability after an exploit is available is around 45 days.

However, the time for that vulnerability to be weaponized is only around 20 days. This leaves a huge window of exposure.

The core issue is not necessarily AI itself, but rather the sheer volume of vulnerabilities, misconfigurations, and the explosion of digital footprints across operating systems, applications, cloud environments and multiple attack surfaces.

AI becomes vital to prioritize which vulnerabilities from the thousands identified actually pose a material risk in a given environment.

To mitigate AI vulnerabilities, organizations should implement rigorous testing, validation and monitoring of their AI systems.

Having strong data governance and AI ethics principles is also crucial. However, the bigger need is using AI to cut through the vulnerability overload and highlight the true risks that require prioritized remediation.

Vulnerabilities from On-premises Can also Infect the Cloud

Q: Statistics show that more companies are moving workloads to the cloud. What are the main security risks they need to consider in their journey?

A: When migrating to the cloud, organizations face a multitude of security risks that can be categorized into three main areas. Firstly, the vulnerabilities and misconfigurations that existed in their on-premises infrastructure do not simply disappear; instead, they are shifted to the cloud environment.

Secondly, the cloud introduces a new set of native vulnerabilities that organizations must address, such as misconfigured S3 buckets, open ports, and forgotten or unmanaged virtual machines spun up during development or testing but never properly decommissioned. These cloud-native risks expand the attack surface and provide new vectors for potential exploitation.

Again, organizations increasingly rely on software-as-a-service (SaaS) applications like Box, Slack, Zoom, and Office 365, which reside in the cloud and introduce another layer of risk. Sensitive data and permissions within these applications may be mismanaged, leaving organizations vulnerable to data breaches or unauthorized access.

Therefore, organizations must have a unified view of risk across their on-premises infrastructure, cloud-native resources, and SaaS applications to secure their entire technology stack.

Securing Your Cloud Journey: Key Steps to Take

Q: What steps can organizations take to mitigate these cloud security risks?

A: To mitigate the security risks associated with cloud adoption, organizations should implement several best practices.

Firstly, they must ensure proper configuration and hardening of all virtual machines, as a single vulnerability can be easily propagated across hundreds or thousands of instances. Secondly, organizations must identify, classify, and protect sensitive data like personally identifiable information (PII) and protected health information (PHI) stored in their cloud environments, as this data may be publicly accessible due to misconfigurations.

In addition to that, organizations should maintain secure “golden images” and code configurations used to spawn cloud instances, as vulnerabilities in these templates can lead to widespread exposure.

Leveraging security benchmarks and regulatory frameworks like CIS, CSA, NIST, PCI, and ISO 27001 can help organizations assess their overall cloud security posture and identify areas of non-compliance, which can result in fines, legal issues, and reputational damage.

Finally, adopting AI-powered risk insights can enable organizations identify and prioritize the remediation of toxic combinations of vulnerabilities across their cloud and SaaS applications. These AI-driven insights can uncover high-risk scenarios that may go unnoticed through traditional vulnerability management approaches.

NCSC Compliance Goes Beyond Simply Running a One-time Assessment

Q: Qualys is offering a 30-day free access to its risk management platform. Some may see this as just a marketing gimmick. Beyond the 30 days, how else are you helping customers meet security guidelines like those from NCSC?

A: The 30-day free access is specifically aimed at helping both Qualys and non-Qualys customers meet the UK NCSC’s guidelines around managing vulnerabilities in internet-exposed assets and systems. It provides a preconfigured NCSC dashboard along with vulnerability management, external attack surface monitoring, and patch management capabilities.

While it allows customers to experience the value first-hand, the goal goes beyond just marketing. If customers want to extend it after 30 days, most vendors are open to discussing paid options.

However, vendors’ core way of helping clients meet guidelines like NCSC’s is by offering comprehensive risk management platforms and services. This includes unified risk visibility across on-prem, cloud, and SaaS applications. Automated compliance monitoring against standards like CIS benchmarks is also crucial. And this is exactly what we intend to do with the platform.

The Bottom Line

De-risking the cloud is a topic that has birthed many discussions. However, one thing is sure: managing the growing cyber risks associated with cloud and AI adoption requires a multifaceted approach.

As Shah of Qualys pointed out, this includes fortifying cloud infrastructure and applications, gaining a holistic view of potential threats across all environments, and utilizing AI to prioritize the vulnerabilities that pose the greatest risk within their specific context.

Furthermore, leveraging industry benchmarks and compliance frameworks for measurement will also help organizations create a data-driven approach to cloud security. This comprehensive strategy, with AI acting as a key driver in transforming security data into actionable intelligence, allows organizations to identify, communicate, and address their most critical cloud security vulnerabilities.

Advertisements

Related Reading

Related Terms

Advertisements
Franklin Okeke
Technology Journalist
Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. His writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.