Set It and Forget It? Not for Cloud Security

The public cloud market is scorching most every other segment of the IT industry. According to a report from research firm Forrester, the public cloud market will double from its current size to reach $236 billion by the year 2020. But that doesn’t mean there aren’t big problems when it comes to cloud adoption – especially with respect to security and regulatory compliance concerns.

According to the 2018 Cloud Security Report, while adoption for public cloud computing continues to surge, security concerns are showing no signs of abating as 91% of organizations today are concerned about cloud security. These security concerns are led by protecting against data loss and leakage (67 %), threats to data privacy (61 %), and breaches of confidentiality (53 %) – all up compared to the previous year.

There is also the other extreme: those who view the public cloud as inherently secure - like some form of Ronco rotisserie oven, whereby the security mindset and approach is “set it and forget it”.

Well, neither of these views is accurate. Cloud security is neither an oxymoron, nor a security panacea. That said, there are distinct differences and challenges, which follow:

The abstracted nature of cloud computing

This abstraction and lack of visibility is an important challenge, especially for those who are new to cloud security and don’t necessarily understand the responsibility breakdown, that is to say, where their security responsibility ends and where the responsibility of the cloud platform/service provider begins (or vice versa). Moving to the cloud requires a shift in mindset. Leave the data center concepts behind and accept the loss of natural visibility. (Remember, though, there are tools like RedLock available to provide the required level of visibility to secure your business’ multi-cloud adoption.)

Compliance in cloud vs. on-premises

There’s a big difference between what policy and regulatory compliance looks like in public cloud systems versus what it looks like in cloud software services and the data center. The cloud is dynamic, which makes traditional change control and configuration management efforts deployed on premises extremely difficult. Add the fact that none of the compliance standards like PCI, HIPAA, GDPR and others were written for cloud environments. This means that someone must physically do the hard work of translating abstract requirements to specific technical controls for each cloud service. Considering the thousands of features that CSPs add each year, the amount of time and resources required to keep this up to date is exponential.

The Center for Internet Security is helping to map security controls and compliance requirements back to whichever services are running in cloud. However, it’s critically important that organizations implement tools or processes to provide details and context around what's compliant and what's not when it comes to regulatory compliance and security compliance controls.

Managing data to its classification

There are many who contend that critical data shouldn’t be put in the cloud. Regardless of one’s feelings on the subject, critical data is likely going to end up in the cloud (if it’s not already there). In many of the surveys I see, about half of respondents are putting critical or sensitive data (to their enterprise) in cloud systems. In fact, many enterprises are using cloud service providers to hold financial and health-related data. There are serious questions about how to manage this data in the cloud, as well as how to manage SaaS and other cloud providers who deal with sensitive data.

The reality is that it’s become fiscally attractive for organizations to use the cloud to store large volumes of unstructured data for backup, machine learning, data lakes, etc. But, most times, it is impossible for enterprises to know which types of data are stored in these environments, making data classification extremely important. It's one thing to expose a data set containing nonpublic information, say a marketing website’s content hosted on an S3 bucket, for example.  A business can bounce back relatively unscathed. It’s quite another to expose a bucket containing names and account numbers for all your customers. The negative backlash can be too much to overcome.

The continuous nature of cloud

The cloud is always on. And unlike the controlled, scheduled and top-down regimented days gone by, cloud updates are born from continuously delivered software pipelines in organizations where there is a considerable push for agility and continuous updates.  This requires DevOps teams to build tools and services that support faster deployment, as well as more rapidly gather system data and feedback so that they can rapidly iterate and improve.

This drive toward continuous computing and continuous software enhancements should play well for security. When it’s approached correctly, enterprises can gather continuous data about the state of their cloud security posture and the types of security controls and compliance rules in place; plus, identity and encryption policies can be viewed in real-time to track how the entirety of their security strategy is working in the cloud. And for many of the challenges I listed above, continuous real-time monitoring is an absolute necessity.  If you’d like, you can give continuous monitoring a try in your cloud environment. Stop by our Marketplace.