Rapid Cloud Adoption Introduces Security Risks
By Lior Cohen
Organizations that store data, use applications and run workflows across multiple public cloud platforms create a serious challenge for security architects. Establishing and maintaining a consistent security posture for an organization that relies on an assortment of cloud platforms and services—especially when they all take different approaches to security and offer different security tools to developers—can be extremely difficult.
And that challenge gets even more difficult for today’s overtaxed security teams when those disparate solutions are also unable to be integrated into a cohesive security framework.
Naturally, companies appreciate the operational agility that comes with being able to ramp up capacity at a moment’s notice or shut off unnecessary features on demand. This is why, according to Forbes, 83% of enterprise workloads are expected to be in the cloud by the end of 2020. IDC also recently projected that worldwide spending on public cloud services and infrastructure will more than double over the next five years, to nearly $500 billion in 2023 from $229 billion in 2019—a compound annual growth rate (CAGR) of 22.3%.
Challenges Due to Rapid Cloud Adoption
These investments are enabling companies to make crucial applications easier and available more cost-effectively to employees, customers, suppliers and other stakeholders around the world. But public clouds demand particular attention from IT security managers for the following three reasons.
1.Fast application rollout may lead to lingering security risks
The ability to implement rapid application and services rollouts and scale related resources are key reasons why companies are choosing to deploy their new applications in the public cloud. Similarly, adopting software-as-a-service (SaaS) applications does not typically require a lengthy requisition and setup process. Instead, the cloud enables less-technical employees to shop for and provision IT services and business applications, and they can often deploy these services in a matter of minutes.
Naturally, the upside is an accelerated timeline to get important functionality in the hands of end users. This is another key driver for cloud adoption. A company can easily try new solutions, and if they don’t work as intended, the company is able to move on to other options quickly. As a result, these applications are made available much faster than in traditional, on-premises data centers.
The downside to such rapid rollout, however, is that application administrators often do not take the time to decommission applications due to the fact that decommissioning a cloud application is often more time-consuming than launching it. As a result, a company that moves on to another solution may inadvertently leave data in the cloud or fail to turn off permissions and functionality for applications that it is no longer using. And cloud-based software that is not properly decommissioned can present security risks that can linger indefinitely below the radar of the network and security teams.
2.Growing shadow IT reduces accountability
Shadow IT is a widespread problem for organizations of all sizes. A manager or employee with internet access and a credit card no longer needs IT approval, recommendations or even guidance to subscribe to and deploy new applications or to build a new cloud platform that stores and processes corporate data. The challenge is that some of the applications they deploy may not support business policies and procedures, follow security guidelines or comply with mandatory regulations around things such as data privacy. And worse, the IT department may not even be aware of these new cloud services or applications, nor that business units are moving sensitive and valuable corporate data into the public cloud.
Gartner estimates that shadow IT could represent as much as 30% to 40% of total IT spend. For the security architect who is charged with designing a security architecture that provides comprehensive protection across the entire attack surface and visibility across each cloud infrastructure and application, this is a serious problem. And not only are these shadow resources not covered by the corporate security architecture, but they also represent a serious risk because they are owned and managed by non-technical staff. In fact, again according to Gartner, while cloud services offer high levels of automation and user self-service, nearly all cloud attacks are the result of the misconfiguration and mismanagement of cloud resources.
3.Cloud heterogeneity adds to complexity and workflows
Security capabilities and management interfaces vary across different cloud platforms, and this diversity of solutions further complicates the challenge to create a consistent security architecture that is all-encompassing. Compounding that issue is the rate at which applications are being implemented, improved or discarded. Even if shadow IT was not an issue and the cybersecurity team was aware of every application in the company’s cloud infrastructure, this constant churn in cloud applications creates an information security dynamic that is difficult to track and manage.
Further, maintaining a consistent security policy across all of a company’s public cloud resources, inventorying security options and monitoring security settings and configuration within each application requires an extraordinary amount of manual effort and expertise. Compounding this challenge further, cybersecurity teams are already stretched thin due to an acute security skills shortage, with the number of unfilled cybersecurity jobs growing by more than 50% since 2015.
Multiple Cloud Platforms Exponentially Increase the Attack Surface
Corporate security is only as strong as the weakest link, and in a multi-cloud infrastructure—where each provider has different vulnerabilities, different policies for connecting elements and even different security tools available applications, and where applications and workflows span multiple platforms—the risk is increased with every new cloud platform, application or service added. Without a cohesive architecture comprised of tightly integrated security tools deployed natively across every cloud platform in use, a hacker only needs to find and breach a single cloud-based application to compromise the entire enterprise IT infrastructure.
Of course, integration between different public clouds is difficult. And for many organizations, this ever-expanding attack surface reduces visibility into threats and vulnerabilities for both the IT team and its internal customers. This lack of integration also leads to an unnecessarily large number of manual security workflows, which presents an additional resource challenge for security teams already facing tight budgets and staffing. In addition, the sharing of threat intelligence among solutions cannot be automated, so proactive risk management may be nearly impossible.
Start Cloud Planning With Security
To address this challenge, security architects need to deploy tools and develop processes that facilitate the collection of complete information about the location and security of corporate data assets, whether on-premises or in a private or public cloud. In addition, security needs to rely on automated systems for intelligence gathering, assessment and response. However, that requires security solutions designed to interoperate as a single, holistic fabric that dynamically spans the entire distributed network.
This begins by adopting a security-driven networking mindset. This approach requires organizations to intentionally select only those cloud resources that can be integrated into the organization’s larger security architecture seamlessly. By insisting on only using native cloud security technologies that can be tightly integrated and automated across all networked ecosystems, organizations can safely expand into the cloud without compromising their data, customers or the business itself.