Without question, public cloud providers have made the deployment of applications and services simpler than ever. As I like to say: “Complexity has never been easier, which makes security increasingly difficult.”
FireMon’s 2020 State of Hybrid Cloud Security Report found respondents aren’t making much headway against the rapid rise of public cloud adoption. Visibility remains a challenge and organizations still struggle for clarity around shared responsibility for public cloud security.
Increasing complexity and sheer scale of hybrid cloud environments remain a challenge, with almost 60 percent of respondents agreeing or strongly agreeing that deployment of business services in the cloud has accelerated past their ability to adequately secure them in a timely manner. This number is unchanged compared to last year, so there’s been no progress on this front. With public cloud adoption growing, it could be argued that ground has been lost.
This year’s survey echoes themes in the 2019 report: Organizations are ramping up hybrid, public and multi-cloud deployments at a rapid rate, but struggle to fully secure these increasingly complex environments.
Hybrid cloud growth outpaces the ability to secure it
Complexity remains a challenge because even though it’s so easy to scale up hybrid clouds as business users adopt public cloud services, many nuances and security configuration aspects must be considered. Without the collaboration of IT and security, serious gaps in security are inadvertently overlooked.
Increased adoption of public cloud further magnifies the need for better clarity as to who’s responsible for security. Increased complexity reduces visibility and raises the likelihood of misconfiguration, and compliance failures in turn raise that risk to unacceptable levels. If we’re to solve the complexity problem, we need to understand how it manifests within the organization.
Complexity rears its ugly head because public cloud configuration isn’t automatically linked to firewall policy configuration. Even though both determine permissions around data, applications and user activity, one is called cloud configuration and the other is called security configuration. But just like firewalls, public cloud instances also accumulate unused, redundant rules. With multiple clouds in play, these add up. Ta-da, you’ve got more complexity, and a lack of alignment between cloud configuration and overall security policy because people aren’t speaking the same language – even though everyone is talking about the same thing. This raises the real question: Are those responsible for cloud deployments guided by a centralized policy guideline that promotes best practice security implementations?
Complexity sneaks up fast, compounded by a lack of clarity around shared security responsibility. Assumptions get made about who’s securing what in the public cloud; it’s understandable that business users trust public cloud providers to have all essential security baked in and assume that they all do it the same way. Reality is different. That’s why security teams need visibility into each public cloud instance.
However, the rise of multi-cloud adds pressure for cybersecurity professionals to know more. It’s not enough that they understand how AWS is secured – they must also understand Azure, Google and other niche cloud platforms with all their individual nuances. The thing is, it’s not realistic to expect business users to understand them all.
Alignment, empowerment, and automation are essential
Getting a handle on complexity and helping security teams keep pace with public cloud adoption means everyone must speak the same language, and business users must have a security-conscious mindset.
Because every public cloud is configured differently, either security professionals must be in the loop when any new instance is adopted, or business users must be empowered with the knowledge to securely deploy these applications themselves. Better yet, we need to automate the application of a global security policy as much as possible at the beginning of the process with a clear understanding of the shared security responsibility.
The cloud enables businesses to be more agile and spin up applications and resources on the fly without any IT support, but it has also fueled deployment of data at a rapid pace to multiple locations with less-than-optimal security controls. Regardless of where data resides (on-premises, in the public cloud or in a hyper-converged data center), security and compliance intent must evolve to stay aligned with the business.
Creating complexity is always going to be easy because public cloud platforms are so simple to scale up as part of a hybrid cloud environment. Rather than trying to fight this inevitable ease of complexity, organizations must put the right people and tools in place, so best practices and security controls are automatically woven into cloud-first strategies.