Multi-Cloud Use Maturity – Cloud Security

This blog on Cloud Security represents part 8 and is the last installment of this multi-part blog series on multi-cloud use maturity. A comprehensive eBook that includes the entire multi-cloud use maturity framework can be found here. At the end of this blog, you can also find links to all the prior blogs in this series.

Security remains a top cloud concern

It seems like no matter what research study you pick up that involves the cloud, security is always a top concern. I’ve been tracking this for many years now and while there is plenty of evidence that the public cloud isn’t inherently more or less safe than an on-premises environment, every year security makes the list.

The duality of security

Fundamentally doing security well, whether in an on-premises environment or in the cloud, is extremely challenging. It is part of nearly every process and there is some security capability built into almost every technology used in the data center or the cloud. Security is the poster child for needing to coordinate across people, process and technology.

From a people perspective, everyone has some level of responsibility but no one person can be fully responsible for everything that must be done to ensure that applications and data are safe. And seemingly small things can put an entire organization at risk.

The shared responsibility model that exists in the cloud makes things even more challenging. Managing a multi-cloud environment takes this a step further and increases the scale and complexity challenges of the cloud by orders of magnitude.

So where to begin?

The first step in being able to implement the right security practices for a single cloud or a combination of clouds, starts with having visibility into the security posture of the organization across all apps, and across all environments. Teams need the ability to understand their security posture at both highly summarized levels as well as the ability to go deep as needed when higher level summaries indicate there are deeper problems.

Teams also need to have technologies in place that focus on collecting massive amounts of data, analyzing that data and then distilling that data into insights about the risk the organization faces. And you need to be able to this in as near real time as possible. Finally, you need the ability to take automatic action to remediate the most concerning risks.

Taking stock of where you are

Making sure that you can secure the applications and data you run in a multi-cloud environment is a critical area of capability. As such it is important to assess where you are today and then move to develop strategies that will increase your capability over time.

Below is a set of capabilities related to security that should be considered when assessing your level of maturity.

The ability to get real time visibility for most cloud-based apps into security and compliance posture based on best practices and/or industry standards.
The ability to get real-time alerts for most cloud-based apps for security events, changes and risks.
The ability to prioritize security violations based on quantifiable risks to cloud based apps.
The ability to automatically remediate a large number of potential risks based on access, app, infrastructure or any other type of resource misconfiguration.

In terms of assessing multi-cloud maturity in this area, organizations should first work to define a minimal set of standards that must be adhered to across all teams. Related to this, there is a minimum level of visibility that teams should work to achieve in order to execute on these standards.

Building for the future

Once a baseline is established, teams can then focus on how they can increase maturity by leveraging ever increasing levels of automation to:

Establish operational guardrails that keep app dev and operational team members from getting into trouble in the first place
Prioritize issues based on the relative risk of discovered problems
Remediate discovered issues that pose a level of risk that it too great to wait for any form of human intervention