We talked with Henrique Vaz, Co-founder and CEO at CleanCloud, about cloud compliance and the shared responsibility of cloud security.
1. How did you end up working in the cloud security field? Why this and not another area in cybersecurity?
Back when we started CleanCloud, we were developing a cloud management product. After a few years, in early 2019, we saw the increased value that customers put in cloud security with enterprises moving to the cloud. Also, we saw data privacy becoming increasingly important for customers of all sizes, with data privacy regulations coming out from different countries. That was back in late 2018, when we pivoted to a cloud security product and created CleanCloud Score.
So, I could say that I got into this field by accident, but I’m loving it.
2. In simple words, how does your main product, CleanCloud Score, work?
When we pivoted to cloud security, we created CleanCloud Score – a cloud security posture management (CSPM) product that makes over 300 verifications for the main compliance regulations, including those related to data protection, like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). This product is integrated with the three largest clouds: AWS, Azure and Google Cloud.
3. Name a few of the most critical cloud computing challenges of today.
Since 2020, companies have accelerated their movement into the cloud. Products, not just for cloud security but for cloud in general, are becoming mandatory because now companies have many services and dozens of users.
As the cloud gets bigger and more widely used, we need to create more complex features. For example, if you have an AWS cloud with two linked accounts on three regions each, and ten services, you would need to look into 60 places to comply with a compliance framework or regulation. If you have two cloud providers, the number will double, and so on.
You can imagine how long it would take to do it manually, so the first thing is the need for some cloud security products to find and fix quick wins – critical vulnerabilities that can be fixed with a small effort.
Another critical challenge is the creation of a culture in which all cloud users are responsible for cloud security, not just the cybersecurity team. With hundreds or thousands of services in the cloud, the DevOps must become a DevSecOps, meaning they will also be responsible for the implementation of the best cybersecurity controls and practices, not just the infrastructure.
4. Give us some examples of potential risks in the absence of a cloud security solution.
The perfect example is a breach caused by the lack of visualization. You can have critical vulnerabilities like a database or storage service with personal data or data that is critical to your business that is unsecured or unencrypted. It’s almost impossible to make sure that all services are duly configured with all the complexities I mentioned before without a cloud security product.
5. Did you see an increase in cloud security awareness since the pandemic?
Definitely. Since companies have moved so rapidly into the cloud, they also have more critical information, whether it’s personal data or business information. Because of that, the compliance level is totally different from the one from two or three years ago, where there were mainly development instances on the cloud.
And again, as a society, we have started living much more online. That made us all more aware of cybersecurity; and, on the other hand, we are seeing data breaches and attacks on many companies.
You look at that and think: ‘if this is happening to them, I need to look inside and make sure it’s not going to happen to me as well.’
6. Can you share 2 or 3 of your cybersecurity habits?
The first is usage of secure passwords. I strongly recommend having a password vault for all the accounts – one needs to remember one password and won’t use the same password.
The second is the use of MFA (multi-factor authentication). I know it can be a pain sometimes, but at the end of the day, you feel pretty safe when there is a breach on an account you have.
7. What is your company preparing for the future?
We’re developing a lot of new things. One of them is real-time checks. Today, the customer decides the periodicity of checks, whether daily, weekly, etc. In a few weeks they will also have the chance to have real-time checks for critical vulnerabilities.
The second one is automation, using infrastructure as code. CleanCloud doesn’t need any permission to write on their customers’ cloud, but we create a script where the customers, with a few clicks, can fix a vulnerability. We know there are a lot of open positions on cloud security. This product should help companies even with a few missing pieces to continually improve their cloud.
There are other things later in 2022, like serverless checks and a shift-left module, but I don’t want to give too many spoilers here.