Managing the Cloud is Complex, but How You Secure it Shouldn’t Be

Tim Woods

If you’ve ever tried to count clouds in the sky, you know how hard it is to keep track of them as they move and change over time. Storm clouds can gather quickly with little warning. Keeping up with the complexity involved in securing today’s multi-cloud environments is no different.

Large enterprises with a mix of on-premises, hybrid cloud and public cloud environments inevitably face more complexity as they scale. If they don’t have well-defined processes to track application deployments and usage, cloud sprawl gives birth to complexity much like the bloat that results when firewall rule management is neglected over time.

FireMon’s 2019 State of Hybrid Cloud Security survey found that respondents overall have embraced the multi-cloud paradigm, with half having two or more different clouds deployed. Similarly, half of respondents are deployed in public cloud platforms, with 53 percent using two or more. Meanwhile, nearly 56 percent of respondents have private cloud environments and almost 40 percent have hybrid cloud environments.

All these clouds must be secured. Although providers such as Amazon Web Services, Microsoft Azure and Google Cloud Platform all have their own security tools, enterprises must assume responsibility for what goes in and out of every cloud environment they’re managing.

As the rapid pace of business drives cloud adoption and new service deployments at an accelerated rate, it’s hard for security teams to keep up with the demands placed on them. Our survey found respondents use multiple solutions to secure these multi-cloud environments, with nearly 59 percent using two or more different security solutions. This unmanaged complexity can lead to unnecessary risk.

Does this complexity look good on me?

Complexity is par for the course as enterprises pick the cloud model that best suits a given workload, but as a rule, you should avoid unnecessary security complexity.

Security complexity comes in many forms and grows because there’s no visibility and not enough information to make smart decisions. It’s hard to create a solid security policy around an application or resource if it’s not clearly understood who should and shouldn’t have access or what is an acceptable business purpose for granting access. The same goes for compliance: is it understood what compliance requirements an application is subject to prior to deployment? What’s its impact on security configuration controls?

Missing information from the various lines of business is a challenge for security teams bombarded regularly with requests to enable applications on an unreasonable deadline without enough specifics about how the application should be secured. They find themselves rushing around in the dark as best they can to create the best possible security policies to honor the needs of the business.

More deployments, more problems and less security

Most would agree cloud adoption and application deployments are not going to slow down any time soon, as clearly laid out by our survey results. But an inconsistent approach to cloud security fraught with missing information and visibility gaps has consequences. It’s not the fault of the business; they’re just trying to leverage the many advantages a cloud-forward strategy provides. It’s not the fault of security administrators either, who, according to our State of Hybrid Cloud Security survey, face a lack of resources and have 10 different things on their plate.

Eventually, unintentional misconfigurations add up. Hackers no longer need to hack. They leverage automation to search the internet for misconfigurations that allow unvetted access to data, essentially finding cars with the windows rolled down and the key in the ignition.

But somewhere down the line, security must evolve to gain parity with the speed of business. Cloud adoption is only going to grow as enterprises look to gain competitive advantages in their respective industries, and not keeping on top of the complexity comes at a price.

Get a handle on your security debt

As unnecessary complexity grows and cloud sprawl continues apace, negative impacts on the business grow too. If we are to enable our cloud and security teams to tackle this complexity and sprawl, a collaborative effort must form among business owners, stakeholders, DevOps, compliance, and security. Otherwise, we can expect to incur more “security debt.”

Challenging growing complexity within the hybrid enterprise requires holistic, real-time visibility into the entire network infrastructure. Understanding where data resides, who can access it, and what controls are in place to govern that access is key. Application tracking, continuous detection, and continual risk assessment are also part and parcel of a successful cloud management strategy, as are regular health checks that cover the myriad services around cloud deployments. This includes an always up-to-date inventory of the cloud applications, number of VM instances, amount of compute, storage requirements, and performance levels. And lest we forget, reviewing the effectiveness of our security controls should be at the forefront.

There are always going to be clouds on the horizon. FireMon’s enterprise platform solution combines powerful real-time security analytics to deliver field-tested network security policy management for the multi-cloud enterprise with less complexity and fewer storms.