Do you know if you're managing your cloud's security efficiently, or even correctly?
The creation of the cloud changed the way organizations functioned, offering on-demand access, vast scalability, better business continuity, and a number of other benefits — including no longer needing to rely on costly physical data centers.
But even though more companies are migrating to the cloud, they're still thinking in terms of traditional data center security. They haven't yet come to terms with the fact that cloud security needs to be handled in a much different way with a much different approach. This is going to be a challenge for teams as cloud becomes more business critical and as they begin to think about their Cloud Security Posture Management, or CSPM.
For an on-premise data center, adding logs to a monolithic management tool like an SEIM and securing a network perimeter would've been the standard approach. For many companies early on in their cloud adoption journey, this is the approach they took with their new environment: Set up a network in the cloud that's "controlled by IT" and start dumping cloud logs into a SEIM.
But there's too much activity and too many points of access to the cloud for this to be a usable solution. Logs are point-in-time records, not the continuous monitoring that cloud needs — so while logs are necessary, they don't provide a complete picture, and may not always be helpful. The secure perimeter also changes with cloud from the enterprise network to identity and access (IAM), which requires a different approach altogether. Simply relying on logs also isn't comprehensive or agile enough to keep up with the variety of services, frequency of deployments, and users all touching multi-cloud environments.
In other words, the model has changed, so the approach has to change, too. Securing your cloud means having deep visibility into every configuration, every asset, and every change, and the ability to continuously identify risks. But teams often struggle with making the shift. Here are some common challenges I've seen teams who are new to thinking about CSPM encounter, and ways to turn those challenges into opportunities.
The biggest challenge teams will have when it comes to cloud security will be to stop approaching it like they approached data center security in the past. One of those mindset shifts is understanding that security can no longer just be up to the security team in a silo. In the cloud, infrastructure is deployed as code and automation is central, meaning security must be "baked" into the entire development lifecycle. The challenge will be getting everyone to understand their roles and responsibilities across the product lifecycle.
Leadership needs to create a plan to shift organization from an on-premise mindset characterized by top-down control and rigid policy gates to one oriented around user empowerment with smart policy guardrails that balance agility with control. This can be accomplished through strategic planning, brainstorming, collaboration, and buy-in, not only across teams but from senior leadership as well. This shift in mindset will also require team members to have a more comprehensive understanding of how security needs to be woven into the entire deployment process as well.
Unfortunately, many teams don't think about security, and sometimes even overall governance, until it's too late. Whether they don't have the budget, think they don't yet have the scale, or it's just not top of mind, procrastinating on cloud security can expose an organization to breaches, non-compliance, and other high-risk issues. On the flip side, organizations might have initially taken too heavy-handed of an approach and implemented such strict controls that it prevents them from fully realizing the promise of cloud and DevOps in the future.
Thinking about cloud security should happen early, which includes implementing not just the right tools, but also the right processes and people. And it's never too early to start, because security needs to be woven into your process from the beginning. The goal is not just to establish a process, but to make sure it's agile enough to incrementally scale with the needs of an ever-changing cloud environment.
Launching a real CSPM program to monitor your cloud environment is one critical approach to cloud security. But organizations often rely on just the technology, thinking that simply having a CSPM or relying on vendor capabilities will be enough — which leaves their team under-informed about the proactive role they need to play. Organizations wanting to keep on top of their cloud security need to prioritize constant education and upskilling, not just around traditional security applied to the cloud but also around industry best practices and cloud fundamentals, too. Identify team members willing to go deeper and pair them with industry experts within the organization, or take advantage of free educational tools from the major cloud providers to keep your team's knowledge base wide and ever-evolving.
Organizations often get lulled into believing they have their cloud security covered because they've built controls into their CI/CDpipeline, rightly thinking that if they can discover problems in the pipeline they'll be able to ensure a perfect deployment. In reality, this is just never the case, as changes often happen outside the pipeline, cloud providers make configuration updates, templates can get updated without going through the right procedures (humans aren't perfect), or a number of other undocumented alterations — making it impossible to keep track of it all.
In order to mitigate this, have a plan for continuous monitoring of your cloud in addition to your pipeline controls, so that you'll not only have visibility into what's in development and has been deployed, but you'll be able to see what's changing outside your pipeline so you can create a response plan for that drift, too.
Finally, many organizations just don't have a handle on what assets they have in the cloud or across multi-cloud environments, if they've been configured correctly, if they're in compliance, or if they're secured. This means that organizations can't take advantage of the many benefits of scale in the cloud if they don't have visibility into what they have in it and how it's changing over time.
Start by defining a set of standards for your organization for what goes in the cloud — CIS and NIST are industry standard frameworks that can guide your security posture — then, use CSPM tools to gain visibility into your entire cloud environment to measure your assets against that baseline to ensure that you catch current and future drift, and can remediate any issues quickly.
As with launching any new initiative or adopting any change, cloud security will require a different mindset, some new skills, and a commitment to implementing a thorough and effective CSPM approach. There will be challenges, but embracing cloud security early on in your cloud journey will not only keep your organization safe, it'll provide insights and benefits across your entire enterprise.
John Grange is a seasoned entrepreneur and is currently co-founder and CTO at OpsCompass, a leading SaaS product for managing compliance and security in clouds like Azure, AWS, and GCP. He has 15 years of experience building products and companies including co-founding a top 5 global Microsoft ASP.net hosting provider (now Managed.com) and creating SaaS products in areas diverse as healthcare (Layered Health) and marketing tech (Layeredi). John's passion is identifying those mega trends that truly impact how technology can be leveraged and then building the necessary tools to help real customers use that technology to create business value
Join our WhatsApp Channel to get the latest news, exclusives and videos on WhatsApp
_____________
Disclaimer: Analytics Insight does not provide financial advice or guidance. Also note that the cryptocurrencies mentioned/listed on the website could potentially be scams, i.e. designed to induce you to invest financial resources that may be lost forever and not be recoverable once investments are made. You are responsible for conducting your own research (DYOR) before making any investments. Read more here.