
How to use the cloud for everything but trust it with nothing


The tipping point has arrived, and the events of 2020 have well and truly pushed it over the edge. It's now a case of measuring what organizations don’t use the cloud for, rather than what they do. It feels as if there is barely a business anywhere without SaaS, PaaS, IaaS or all three dominating its IT strategy – and the numbers back that up. According to IDG, 89 percent of companies use SaaS, around 80 percent use IaaS and 61 percent use PaaS.

This evolution of IT architecture has many implications, from how technology is used and paid for, to issues like extracting value from data, addressing cybersecurity challenges and ensuring compliance. More and more sensitive data is stored there, which raises an interesting conundrum: if the cloud’s greatest virtue is to liberate the availability and application of data, is it inevitable that you need to constrain this capability in order to keep it under lock and key?

The same cloud security headaches persist

Questions like this constantly enter the minds of senior executives at large organizations across Europe, including where I’m sitting, in Ireland. Research among these key business decision makers consistently reflects deep misgivings about tracking where data is, who has access to it and the potential dangers of it falling into the wrong hands. However, such is the compelling nature of cloud adoption, it appears unlikely to prevent cloud migrations pressing ahead – only how secure they end up being.

A recent study by Thales and IDC, The 2020 Thales Data Threat Report, polled over 500 such executives at organizations between 500 and 10,000 employees. It found that 46 percent of all data is now in the cloud, and 43 percent of that data is sensitive.

Drilling deeper into the Thales/IDC study reveals some concerning trends. For example, despite the increasing proportion of sensitive data stored in the cloud, and the obvious impact this has on data security risk, rates of encryption (54 percent) and tokenization (44 percent) for this data are surprisingly low. These and other indicators of organizations struggling to securely manage complex, multi-cloud environments (often with too few internal staff or too little budget) are borne out by high rates of security failure. For instance, over one-quarter (28 percent) reported experiencing a data breach in the preceding 12 months, and a similar proportion (24 percent) had failed a compliance audit over the same period.

New transformative technologies make the challenge more complex

According to LogicMonitor, almost two-thirds of organizations see security as the biggest challenge for cloud adoption. Security and privacy have been the most prevalent issues in the cloud for some time, and whatever new solutions come along must contend with newly introduced or planned cloud-enabled technologies.

This is because the issue of cloud adoption is tied up with the broader trend toward digital transformation. Digital transformation is bringing new technologies to the fore, each one bringing a new dimension of potential security problems.

The Thales/IDC study looked at a range of specific examples and found the levels of associated security concerns running at very high levels: big data (99 percent concerned about data security implications), IoT (99 percent), DevOps (98 percent), mobile payments (98 percent), containers (97 percent).

It also had this to say about the impending arrival of quantum computing:

“Quantum computing is looming and promises to further complicate data security. Cryptography requirements will fundamentally change when quantum computing comes online, and 69 percent of European respondents see quantum cryptography affecting their organization in the next 5 years.”

Clearly there needs to be a smarter and better way of addressing the complexity of cloud security in a way that enables continuity of strategy regardless of what new applications and services come about in future.

The case for a zero-trust approach

One of the sticking points in cloud security is the notion of trust. Within existing network infrastructures, many organizations cling to the concept of trusted and untrusted traffic, users and so forth. It goes back to the early principles of perimeter-based security: whatever is outside the perimeter should not be trusted, but once it enters the network it becomes ‘trusted’.

Post-cloud, the dissolution of the perimeter in any meaningful sense has severely undermined these principles, but not eliminated them. Concepts such as PoLP (the principle of least privilege) set a very high bar for restricting the access rights of any given entity, granting only the resources required to carry out the authorized task. These have given rise to models of qualified or discretionary trust that allow organizations to pursue all the advantages of digital transformation without compromising data security.

This might be the optimum place for an enterprise security strategy to end up, but I prefer to begin at the furthest point possible from ‘trust’. In other words, by starting out trusting nothing at all, effectively viewing the whole idea of ‘trust’ as a vulnerability.

This is the thinking proposed by the originator of the zero trust concept, an eminent Forrester analyst called John Kindervag. His vision for ‘zero trust’ is not to make a system trusted, but to eliminate trust itself from the system.

When this is your starting point, the implications for a multi-layered approach to data security are really quite profound. Many security professionals talk about the ‘attack surface’, whereas in zero trust, you identify a ‘protect surface’. This is many orders of magnitude smaller than an attack surface and utterly unique to the organization, consisting of the most critical and valuable data, assets, applications and services. This switch in emphasis makes it not only easier to identify (by virtue of being more ‘known’ and smaller in scope) but also makes the effort in doing so more worthwhile. Auditing processes also become more efficient and effective under this approach.

Organizations can then apply their own architectures and security policies onto this framework: access management technologies that authenticate and validate users and devices accessing applications and networks, together with robust data discovery, hardening, data loss prevention and encryption solutions. Granular enforcement of layer 7 policy and micro-segmentation is critical to setting up and policing a zero trust model. And with cloud evolution being so dynamic, with the constant addition of new workloads, applications and technologies, logging and inspection of network traffic is equally important for the model's long-term integrity.
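To make the contrast between the two models concrete, the following is an added illustration (not code from the article or from any vendor named in it): a minimal default-deny policy engine over a constructed "protect surface" of two assets, evaluating each request on identity, device posture and the layer-7 action, compared with a perimeter rule that trusts anything on an internal address. The asset names, roles and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample protect surface: the short, explicit list of critical assets.
# Anything not listed here is denied by default; there is no implicit "inside".
PROTECT_SURFACE = {
    "payroll-db":   {"roles": {"finance"},            "managed_device": True, "methods": {"GET"}},
    "customer-api": {"roles": {"support", "finance"}, "managed_device": True, "methods": {"GET", "POST"}},
}

# Legacy perimeter: the corporate range that a perimeter firewall would treat as trusted.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    src_ip: str
    managed_device: bool   # device posture as reported by the endpoint agent
    mfa: bool              # strong authentication completed for this session
    asset: str
    method: str            # layer-7 attribute, e.g. the HTTP method

def perimeter_decision(req: Request) -> bool:
    """Perimeter model: once traffic is inside the network it is 'trusted'."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Per-request evaluation against the protect surface; every check must pass."""
    policy = PROTECT_SURFACE.get(req.asset)
    if policy is None:
        return False, "asset not in protect surface: default deny"
    if not req.mfa:
        return False, "user not strongly authenticated"
    if policy["managed_device"] and not req.managed_device:
        return False, "device posture check failed"
    if req.role not in policy["roles"]:
        return False, "role not authorized for asset"
    if req.method not in policy["methods"]:
        return False, "action not permitted by layer-7 policy"
    return True, "all checks passed"

def audit_line(req: Request) -> str:
    """Log every decision, allowed or denied, so the model can be inspected over time."""
    allowed, reason = zero_trust_decision(req)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"user={req.user} role={req.role} src={req.src_ip} asset={req.asset} "
            f"method={req.method} decision={verdict} reason=\"{reason}\"")
```

The same request from an unmanaged laptop on an internal address is allowed by the perimeter rule and denied by the zero trust evaluation, which is exactly the gap the article describes.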

The shift to zero trust is a subtle change in mindset, but one that results in significant improvements to data security effectiveness. It’s also one that is gaining traction among CISOs and other IT security professionals. A recent Pulse Secure survey found 72 percent of organizations plan to assess or implement zero trust capabilities in the near future. And when they do, their cloud security concerns should finally begin to abate.

Gerry Sheldrick, Country Manager, Exclusive Networks Ireland