As businesses increasingly migrate to the cloud, chief information security officers (CISOs) face several critical challenges in ensuring robust cloud security. Don't believe me? Experts highlighted this at the recent Gartner Security and Risk Management Summit. Gartner forecasts a significant 24% increase in spending on cloud security, making it the fastest-growing sector in the global security and risk management market.
Adapt, adjust, implement
The bottom line is that the shift to cloud computing entails a fundamental rethink of security. Organizations are striving to integrate the cloud into standard business processes; however, this shift carries more risks than most IT managers understand. I've seen this in my research and in my 20 years of experience as a consultant, in the cloud and before it.
Issues that existed in traditional IT environments persist in the cloud, such as governance, misconfiguration, insecure supply chains and pipelines, data loss or leakage, and failures in secrets and key management. The cloud presents unique risks, including limited visibility, dynamic attack surfaces, identity proliferation, and misunderstandings about shared responsibility, compliance, regulation, and sovereignty. And this is just the tip of the iceberg.
Most CISOs tell me they don't yet understand exactly what needs to change. Many feel misled by the cloud provider regarding the work required to secure their cloud deployments. I've written a lot of advice to the contrary, but it's never a good idea to say “I told you so” to someone who is struggling, so we need to learn how to do better.
Shared responsibility model
Many CISOs and security teams need clarity around the shared responsibility model used by major public cloud providers like Amazon Web Services (AWS) and Microsoft Azure. This model outlines the security responsibilities of the cloud provider and the customer, and it has typically appeared on the first slide of any cloud security presentation since 2008.
Challenges often arise from assumptions about technology and the extent of cloud providers' security commitments. Compliance, visibility of sensitive data, business continuity, and confusing service level agreements (SLAs) have become issues that IT managers never anticipated. As one of my CISO friends said after 12 years of dealing with cloud security: “It was never about ‘shared responsibility,’ it was always all my responsibility, period.”
CISOs often face several key risks in managing cloud security:
- Business lines did not adequately address security needs.
- The cloud is more complex than initially understood.
- Strategy, architecture, or cloud transformation initiatives are often done without input from the CISO, who is then expected to make everything secure.
- Failure to collaborate with IT managers to integrate security into platform architecture and development pipelines leaves security bottlenecked by legacy security processes.
- Old security patterns are being applied to new technologies.
There is no substitute for hard (boring) work.
I recommend several strategies to overcome these challenges. Using automated tools to manage cloud security is crucial. Automation is your friend. Furthermore, establishing strong cloud security governance can help prioritize alerts and secure service edges. Chasing every anomaly is unsustainable and impossible to measure, and the resulting "boy who cried wolf" alert fatigue is likely to cause a breach.
Consolidating security efforts and working toward consistency are also essential best practices. Additionally, retraining and upskilling the security workforce is critical to adapt to the evolving cloud security landscape. Most security violations are the result of a lack of training, not a lack of technology. CISOs realize they can have the best cloud security technology available, yet technology alone can't solve the problem. Misconfigurations are the main cause of cloud breaches.
Naturally, specific issues must be addressed to meet your unique needs. CISOs often adopt good ideas from analysts and consulting firms that don't work for them. Cloud security is never a "one size fits all" solution; it should be systemic across all systems, not installed as the last step of deployment. Businesses often get into trouble because security is disjointed and therefore ineffective.
I wish I had a magic formula to give CISOs looking for better cloud security, but it's about doing things intelligently and purposefully to win the game. People hate to hear that, because it means more tedious planning and research. But there is no alternative.
Copyright © 2024 IDG Communications, Inc.