Q&A: State of cloud security

(Image credit: Everything Possible / Shutterstock)

What is driving enterprises to make the leap to the Cloud?

Today nearly every enterprise has adopted a mix of private, public and hybrid cloud technologies. Many are at different stages when it comes to their cloud adoption journeys. The primary driver for most of these projects is the need to increase agility and speed up delivery of new applications and services.

Traditional enterprises are under intense pressure from disruptive, cloud-native market entrants to become faster and more agile in order to stay competitive. As a result, enterprises are racing to embrace digital transformation, transitioning their traditional, legacy IT infrastructures from on-premise to a hybrid mix of in-house, cloud-native and public cloud environments.

With the shift of technology platforms, organisations have also adopted agile development practices in order to truly accelerate their business. We certainly see organisations who simply migrate their legacy data centre processes to their cloud environment, known as “lift and shift”, and that can work for a while, but it is not scalable or fast enough.

What are the chief obstacles they face?

Cloud brings a diverse set of challenges. Among the top ones are building a cloud culture that enables organisations to leverage the potential advantages, and securing the cloud.

Large enterprises must balance the need for security with the newfound agility that the cloud brings.

Enterprise CIOs and CISOs are having to contend with pressure from the top to complete this transition as swiftly as possible. In practice, however, achieving this in the face of hybrid cloud complexity, manual processes and security/compliance challenges is far from easy.

The extent to which an IT manager is able to manage the complex process of transitioning to hybrid cloud environments simply and securely can make or break large cloud migration projects. A key approach is to centralise and simplify security policy management to ensure comprehensive cloud security.

Why are so many Cloud misconfigurations happening?

It’s due to a combination of several factors:

  • Agility: The cloud is operated by developers whose top priority is shipping applications as fast as possible, and as such, they prefer open connectivity over a tight security policy.
  • Lack of traditional security tools and processes: As opposed to traditional networks where a developer would need to explicitly ask the firewall teams to allow application connectivity, in the cloud there are usually no firewalls and the equivalent controls, security groups and IAM policies, are owned by the development teams themselves. This means there is no separation of duties, no security reviews and a greater risk of a misconfiguration.
  • Traditional security risks: Traditional security problems are also manifested in the cloud: complexity, heterogeneity, lack of expertise, inadequate size of security teams, vulnerabilities, human errors, and frequent change.

As hybrid cloud networks become more complex and fragmented, it’s impossible for network security teams to manually keep up with the changes. We commonly see organisations that are compromised due to manual errors that are inevitable when managing access to different parts of a constantly changing IT environment. This complexity is furthered by multi-vendor environments, acquisitions, dual-sourcing, and the need to leverage existing on-premise hardware and software investments.

IT and security teams are challenged by a lack of comprehensive visibility across this constantly evolving environment. This is magnified by the adoption of DevOps methods, where developers have the ability to build and deploy applications rapidly and frequently, often bypassing security.

Security managers are left unable to see what applications, containers and serverless functions have been instantiated, what security policies have been applied, and if security policies adhere to standards. Frequent changes within a complex and fragmented infrastructure lead to many misconfigurations, and lack of visibility makes it impossible to identify and address them.

What needs to change?

Security teams need to accept that cloud is not just another network and that it requires a new way of thinking, new change processes and new tools to protect. They need to work closely with dev and DevOps teams to learn the culture, which is based on automation and speed.

The primary change process in the cloud is CI/CD, rather than traditional ticketing and ITSM systems and, as such, security audits and policy enforcement must be integrated into the CI/CD pipeline in an automated way as well as into other dev/devops tools like git, infrastructure-as-code, Kubernetes and cloud APIs.

In parallel, security teams need to learn the modern cloud-native platforms and develop expertise in types of attacks, the weaknesses that can allow them and tools that can provide visibility and control into the cloud-native stack. Security teams can also introduce developers to guardrails as a less-obstructive way to protect applications and the business without hindering speed.
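The kind of automated guardrail this answer describes can be sketched as a pipeline step that inspects security-group rules before they are deployed. This is an added example, not code from the interview or from any vendor; the rule schema, the group names, the allow-list of public ports and the "wider than /8 is open" threshold are all assumptions made for illustration.

```python
import ipaddress
import sys

# Constructed sample: ingress rules in a simplified, hypothetical schema that a
# pipeline step could export from infrastructure-as-code before deployment.
SAMPLE_RULES = [
    {"group": "web-sg", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "web-sg", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "db-sg", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.20.0.0/16"},
    {"group": "batch-sg", "protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "::/0"},
    {"group": "api-sg", "protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/1"},
]

PUBLIC_PORTS = {443}  # assumption: only HTTPS may be reachable from anywhere
MIN_PREFIX = 8        # assumption: a source wider than /8 is treated as "open"


def is_open(cidr):
    """True when the source range is wide enough to count as the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen < MIN_PREFIX


def violations(rules):
    """Return (group, reason) for every ingress rule that breaks the guardrail."""
    found = []
    for r in rules:
        if not is_open(r["cidr"]):
            continue  # narrow source ranges are left to human review
        if r["protocol"] == "-1":  # "-1" means all protocols in this schema
            found.append((r["group"], f"all traffic open to {r['cidr']}"))
            continue
        lo, hi = r["from_port"], r["to_port"]
        # A range is a violation if it exposes any port outside the allow-list,
        # so 0-65535 is caught even though it contains 443.
        if any(p not in PUBLIC_PORTS for p in range(lo, hi + 1)):
            found.append((r["group"], f"{r['protocol']} {lo}-{hi} open to {r['cidr']}"))
    return found


if __name__ == "__main__":
    result = violations(SAMPLE_RULES)
    for group, reason in result:
        print(f"FAIL {group}: {reason}")
    sys.exit(1 if result else 0)  # non-zero exit fails the pipeline stage
```

Run as a CI job, the non-zero exit code blocks the merge or deployment, so the rule author gets feedback in the same workflow they already use rather than through a separate ticket.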

What does this mean in terms of technology?

Whether responsibility for security controls in the cloud belongs with the Infosec team or with the cloud operations team, they need a central solution that provides the visibility and analysis required across hybrid cloud environments. Relying on the native security solutions of cloud vendors is not enough because those are only as secure as their configuration. Other security solutions usually provide security controls for a specific environment, like AWS, Azure or Kubernetes, making it impossible to establish a consistent security policy for applications that traverse cloud platforms and on-premise resources. Controlling microsegmentation across infrastructure requires a single solution that can visualise and assess policy compliance across platforms and vendors.

In addition to that, because the primary driver of cloud adoption is agility and speed of delivery, security teams cannot compromise it. A new technology is required to embed security controls into the CI/CD processes to ensure continuous compliance at DevOps speed.

In addition, here are other considerations:

  • Use cloud-native security controls
  • Use APIs rather than agents
  • Securing the cloud requires expertise and deep understanding of cloud configurations, risks and tools that are offered by the different cloud platforms – you need a solution that incorporates that knowledge
  • Good cloud security requires embedding security into the developer tools and processes (CI/CD, etc.)

How can this be achieved?

According to Gartner, security and risk management leaders should invest in cloud security posture management (CSPM) processes and tools. Enterprises need to incorporate security policy automation into their digital transformation processes.

Security policy automation eliminates the need to introduce new processes or technologies that traditionally impact business agility and create friction. From a compliance perspective the security team can at any time show auditors the current state of their policy management system. In addition, it’s imperative that security teams work closely with developers and DevOps teams to become aligned on both automation and speed requirements.

What is the best way to eliminate the Cloud misconfiguration problem?

Business goals and digital transformation efforts are best met when DevOps and security teams can function most efficiently and effectively. From a CIO/CISO’s perspective, therefore, it is impossible to overstate the importance of being able to automate security policy management across the entire estate – physical, virtual and cloud. Such measures will allow them to significantly reduce their exposure to cloud services misconfiguration, mismanagement and mistakes.

Cloud is undoubtedly the way forward but managing and adopting it should not be painful. Granted, a lot of work goes into ensuring cloud security, but with the right tools, policies and controls in place, it no longer needs to be a struggle. Security policy automation is the missing piece. Its capacity to ensure the right configuration happens automatically can help enterprises finally unleash the speed and agility they’ve been looking for from cloud without having to compromise on security.

How can enterprises prepare themselves for comprehensive cloud security and compliance?

As enterprises entrust ever greater volumes of data to the cloud these new workloads must still coordinate with on-premise or private cloud systems. Organisations, therefore, have to enforce consistent policies across the entire hybrid cloud infrastructure. Those that succeed in implementing unified security policy management can avail themselves of the twin advantages of the cloud’s business agility benefits and unprecedented visibility across complex environments, taking care of compliance automatically in the process.

This is going to be one of the most important security challenges over the next 10 years. Networks and security are constantly evolving and looking ahead it’s clear that the future in the cloud takes many different adoption paths. These paths involve sharing on-premise resources to leverage existing investments and manage gradual transitions. A comprehensive and dynamic security policy solution to manage all of an organisation’s environments from a single pane of glass based on centralised rules is the most accurate and efficient option. It will be increasingly important for DevOps and security teams to work together in harmony via automation amidst an increasingly hybrid-cloud environment.

Reuven Harrison, CTO and Co-Founder, Tufin