Without question, public cloud providers have made the deployment of applications and services simpler than ever. But while creating complexity has never been easier, security has never been more difficult.
FireMon’s 2020 State of Hybrid Cloud Security Report found respondents aren’t making much headway against the rapid rise of public cloud adoption. Visibility remains a challenge and organizations still struggle for clarity around shared responsibility for public cloud security.
Hybrid cloud growth is outpacing the ability to secure it
Almost 60 percent of respondents agree or strongly agree that deployment of business services in the cloud has accelerated past their ability to secure them adequately in a timely manner. This number is unchanged since last year, so there’s been no progress on this front. With public cloud adoption growing, it could be argued that ground has been lost.
Why does cloud security remain a challenge? Hybrid cloud environments have become so easy to scale up that, amid their increasing complexity and sheer scale, many nuances and security configuration aspects are overlooked in the process. IT and security teams need to collaborate better to prevent serious gaps in cloud security.
Complexity keeps pressure on security professionals to keep up with cloud growth
As adoption of public cloud increases, the need for better clarity on who’s responsible for security increases. There’s an inverse correlation between complexity and visibility, which raises the likelihood of misconfigurations. Misconfigurations, in turn, raise the likelihood of compliance failures.
To solve the complexity problem, we need to understand how it manifests within an organization.
Cloud complexity emerges because public cloud configuration isn’t automatically linked to firewall policy configuration. Public cloud configuration and firewall configuration both determine permissions around data, applications, and user activity, but they are treated as two separate activities. Yet, just like firewalls, public cloud instances accumulate unused and redundant rules. As multiple clouds are connected to the infrastructure and complexity mounts, these zombie rules pile up, causing conflicts and leaving security gaps.
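The redundant and unused rules described above can be found mechanically. The following is an added example, not code from the report or from any product: it models allow-only rules of the kind used in cloud security groups, and the `Rule` fields, rule names, and flow records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # hypothetical model of one allow-only ingress rule
    rule_id: str
    source: str   # source CIDR
    proto: str
    port_lo: int
    port_hi: int

    def net(self):
        return ipaddress.ip_network(self.source)

    def covers(self, other):
        """True if every connection `other` allows is also allowed by this rule."""
        a, b = self.net(), other.net()
        return (self.proto == other.proto
                and self.port_lo <= other.port_lo and other.port_hi <= self.port_hi
                and a.version == b.version and b.subnet_of(a))

    def matches(self, src_ip, proto, port):
        return (proto == self.proto and self.port_lo <= port <= self.port_hi
                and ipaddress.ip_address(src_ip) in self.net())

def find_zombie_rules(rules, flows):
    """Return rules made redundant by a broader rule, and rules no flow ever used."""
    redundant = {}
    for i, r in enumerate(rules):
        for j, o in enumerate(rules):
            if i == j or not o.covers(r):
                continue
            if r.covers(o) and i < j:
                continue  # exact duplicates: keep the first, flag the later copy
            redundant[r.rule_id] = o.rule_id
            break
    # A flow counts as a hit for every rule that would have allowed it.
    unused = [r.rule_id for r in rules if not any(r.matches(*f) for f in flows)]
    return {"redundant": redundant, "unused": unused}

# Constructed sample data (documentation address ranges), not real configuration.
SAMPLE_RULES = [
    Rule("web-any", "0.0.0.0/0", "tcp", 443, 443),
    Rule("web-office", "203.0.113.0/24", "tcp", 443, 443),
    Rule("ssh-admin", "198.51.100.0/28", "tcp", 22, 22),
    Rule("legacy-db", "10.20.0.0/16", "tcp", 3306, 3306),
    Rule("ssh-admin-copy", "198.51.100.0/28", "tcp", 22, 22),
]
SAMPLE_FLOWS = [("203.0.113.7", "tcp", 443), ("192.0.2.50", "tcp", 443), ("198.51.100.3", "tcp", 22)]
```

Calling `find_zombie_rules(SAMPLE_RULES, SAMPLE_FLOWS)` flags `web-office` and `ssh-admin-copy` as redundant and `legacy-db` as unused; a redundant rule can still show traffic, which is why the two checks are reported separately.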
Missing information leads to misconfigurations
A lack of alignment between cloud configuration and overall security policy happens because people aren’t speaking the same language — even though everyone is talking about the same thing.
Assumptions are made about who’s securing what in the public cloud. Business users trust public cloud providers to have all essential security baked in and that all cloud providers handle security the same way. The reality is different.
Poor communications add more stress to the security team’s load because they can’t get all the information they need. They are asked to enable applications on short deadlines without specifics about how the apps should be secured, so they hastily create security policies they hope will serve the needs of the business. But while those policies may be the best possible based on the information available at the time, they won’t be the absolute best because the information they were based on was not complete. Missing information results in misconfigurations that erode compliance and open the door for hackers using automated tools to search the internet for this type of vulnerability.
Security teams always need to know more. They need visibility into each cloud instance. They need to know how AWS, Azure, Google, and niche cloud platforms are secured. But they can’t realistically know all these things.
Alignment, empowerment, and automation are essential
Because every public cloud is configured differently, either security professionals must be in the loop when any new instance is adopted or business users must be empowered with the knowledge to securely deploy these applications themselves. Those options each depend on human actions, which we know to be inconsistent and imperfect.
A more reliable and comprehensive approach is to establish a clear understanding of who is responsible for which security activities right from the start of the process by automating the application of a global security policy to the greatest extent possible. Every deployment should be guided by a centralized policy guideline that promotes best practice cloud security implementation.
How visibility enables secure cloud management
Security efforts in the hybrid enterprise need to focus on knowing where data resides, who can access it, and what controls are in place to govern that access. This is the challenge of visibility.
Visibility enables the creation of solid security policies around applications or resources by providing complete information on what is happening within the infrastructure. Visibility also supports compliance by making known the requirements relevant to an application and its impact on security configuration controls before deployment.
Visibility should be real-time and holistic in order to support a successful cloud management strategy. The types of information gained should include:
- Application tracking
- Continuous risk assessment
- Inventories of cloud applications
- Number of VM instances
- Amount of compute
- Storage requirements
- Performance levels
- Effectiveness of security controls
With this information, organizations can ramp up hybrid, public, and multi-cloud deployments at a rapid rate without struggling to fully secure their increasingly complex environments.
Don’t fear complexity, but keep security and compliance aligned
Regardless of where data resides — on-premise, in the public cloud, or in a hyper-converged data center — security and compliance must evolve to stay aligned with the business.
Creating complexity is always going to be easy because public cloud platforms are so simple to scale up as part of a hybrid cloud environment. Rather than trying to fight this inevitable ease of complexity, organizations must put the right people and tools in place, so best practices and security controls are automatically woven into cloud-first strategies.