As businesses increasingly migrate to the cloud, chief information security officers (CISOs) face a number of significant challenges in ensuring strong cloud security. Don’t believe me? Experts highlighted this at the recent Gartner Security & Risk Management Summit. Gartner projects a significant 24% increase in spending on cloud security, positioning it as the fastest-growing segment of the global security and risk management market.
Plan, prepare, use
The bottom line is that the transition to cloud computing requires a fundamental rethinking of security. Organizations are striving to integrate the cloud into regular business operations; however, this transition has more pitfalls than most CISOs realize. I have seen this in my research and in my 20 years of experience as a consultant, in the cloud and before it.
Problems that existed in traditional IT environments persist in the cloud, such as governance, misconfiguration, insecure supply chains and pipelines, data loss or leaks, and failures of privacy and key management. The cloud presents unique risks, including limited visibility, evolving attack surfaces, increased ownership, and misunderstandings about shared responsibility, compliance, regulations, and sovereignty. And this is just the tip of the iceberg.
Many CISOs tell me they still don’t quite understand what needs to change. Many feel misled by their cloud provider about the work required to secure their cloud deployment. I’ve written a lot of advice to the contrary, but it’s never a good idea to say “I told you so” to someone who’s struggling, so we need to figure out how to do better.
Shared responsibility model
Many CISOs and security teams are still unclear about the shared responsibility model used by major public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. This model describes which security responsibilities belong to the cloud provider and which to the customer, and it has been on the first slide of just about every cloud security presentation since 2008.
Challenges often arise from assumptions related to technology and the level of security commitments of cloud providers. Compliance, visibility of sensitive data, business continuity, and confusing service level agreements (SLAs) are becoming problems CISOs never saw coming. As one CISO friend of mine said after 12 years of dealing with cloud security: “It was never about ‘shared responsibility,’ it was always my responsibility, period.”
CISOs often encounter several key pitfalls in managing cloud security:
- Lines of business have not adequately addressed security needs.
- The cloud is more complex than initially understood.
- Cloud strategy, architecture, or transition implementations often proceed without input from the CISO, who is expected to make it all secure.
- Security teams fail to engage with CIOs to integrate security into field engineering, and instead block development pipelines with outdated security practices.
- Old security patterns are applied to new technologies.
There is no substitute for hard (boring) work.
I recommend a few strategies for navigating these challenges. Using automated tools to manage the security of a cloud environment is essential. Automation is your friend. In addition, establishing strong cloud security governance can help prioritize alerts and secure service edges. Running around in confused circles isn’t great, and a team that becomes “the boy who cried wolf” is likely to end up with a breach.
Consolidating security efforts and working toward consistency are also important best practices. In addition, retraining and developing security personnel is essential to adapt to the changing landscape of cloud security. Most breaches are caused by a lack of training and a lack of expertise. CISOs understand that they can have the best cloud security technology available, but they can’t fix stupidity. Poor configuration is the main cause of cloud breaches.
Of course, specific issues should be addressed according to your unique needs. CISOs often take advice from analysts and consulting firms that is sound in general but not relevant to their situation. Cloud security has never been a “one-size-fits-all” solution; it needs to be built in system-wide, not installed as the last step of deployment. Businesses often run into trouble because security is loosely integrated and thus ineffective.
I wish I had a magic formula to offer CISOs looking for better cloud security, but it comes down to being smart and intentional. People hate to hear that: it means boring planning and research. But there is no substitute.
Copyright © 2024 IDG Communications, Inc.