In May 2019, the Cloud Security Alliance published an eBook entitled Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multicloud Environments. The eBook concludes by recommending organizations take advantage of automation in order to better manage security in complex cloud environments.
The Cloud Security Alliance is a non-profit organization whose mission is “to promote best practices for providing security assurance within cloud computing”. As part of its efforts to provide education on the best ways to use cloud computing securely, the organization certifies Cloud Service Providers (CSPs) with a Security, Trust & Assurance Registry (STAR) rating. Most major CSPs have achieved at least Level 2 of the STAR rating, which means they have passed a rigorous assessment of their security measures.
The STAR ratings confirm what CSPs have been saying since the dawn of cloud computing—that the cloud is secure. However, whereas the cloud is secure, the way in which it is used often isn’t. There are many examples of businesses deploying applications with vulnerabilities, failing to secure data, or not putting sufficient controls in place to prevent unauthorized activities.
Why is security in the cloud so complex?
The reasons why security in the cloud is so complex vary according to the source. Whereas some sources claim cloud security is complex due to the speed at which the cloud is evolving, others attribute cloud security failures to a skills shortage, shadow IT, or a lack of visibility. Both sets of reasons for cloud security complexity are viable. If businesses can’t train staff fast enough, control staff fast enough, or see what their resources are doing fast enough, there’s going to be problems.
The situation is exacerbated by the trend towards hybrid and multicloud environments. Although statistics relating to hybrid cloud adoption should be treated with caution, there is evidence to suggest more businesses are adopting multicloud strategies in order to take advantage of a wider range of services and more opportunities to optimize costs and performance. This creates a scenario in which multiple clouds are evolving quickly, requiring faster training and faster control to enhance security.
What does the CSA have to say about cloud security complexity?
In the CSA’s eBook—Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multicloud Environments—the organization discusses the issues experienced by seven hundred businesses surveyed earlier in the year. In addition to the reasons given above for security in the cloud being so complex, the organization notes many businesses struggle to keep ahead of changing compliance requirements, such as the EU’s recently introduced General Data Protection Regulation (GDPR).
The eBook concludes with four recommendations for reducing cloud security complexity:
· Architect your cloud environment to make best use of CSPs’ cloud security tools.
· Understand how the shared responsibility model works and your security obligations.
· Detect misconfigurations and other security risks in the development pipeline.
· Take advantage of policy-driven automation to reduce cloud security complexity.
With all due respect to the wisdom of the CSA, re-architecting existing infrastructure is likely to be an implausible solution for many businesses. However, the other three recommendations are easy to implement quickly.
Understanding the shared security model will help businesses better understand what areas of cloud security they are responsible for, integrating continuous verification into the development stage is a simple procedure, and there are a number of cloud management platforms on the market with policy-driven automation capabilities—although, when your business operates in a multicloud environment, it is important to ensure the platform supports the clouds you operate in. Not all do.
Why policy-driven automation is the most effective solution
Of the three “plausible” solutions, policy-driven automation is the most effective for reducing cloud security complexity. This is because, although having an understanding of the shared responsibility model is a good thing, it probably only makes you aware of the level of complexity you have to deal with; and, although misconfigured resources is now one of the leading reasons for security failures in the cloud, automating security best practices removes much of the complexity of cloud security so you can focus on areas not covered by best practices.
Cloud management platforms with policy-driven automation capabilities can help prevent, resolve, or mitigate the majority of cloud security threats—whether they are attributable to the unauthorized use of cloud services or the misuse of authorized cloud services. They can be configured to notify administrators of minor security issues in need of investigation, or to initiate actions that (for example) terminate non-conforming resources or revoke user access in the event of suspicious activity.
To find out more about policy-driven automation, the type of policies you can apply, and the type of actions platforms can be configured to perform, you are invited to download and read our eBook—“6 Policy Types for AWS Governance” — which provides examples of security policies that can be applied to any single, hybrid, or multi-cloud environment.
