Does your cloud stack move faster than your cloud security solutions?
According to Gartner, worldwide end-user spending on public cloud services is forecasted to grow by 18.4% in 2021 to a total of $304.9 billion, up from $257.5 billion in 2020.
“The pandemic validated the cloud’s value proposition,” said Sid Nag, research vice president at Gartner. “The ability to use on-demand, scalable cloud models to achieve cost efficiency and business continuity is providing the impetus for organizations to rapidly accelerate their digital business transformation plans.”
From the earliest stages of the cloud, the ability to create a server instantaneously, without the need for installation, maintenance, and management attracted forward-thinking adopters. Today, the continual growth of cloud computing may well be our generation’s biggest success story, with Forrester predicting that cloud-native is the route to powering digital transformation in 2021 via serverless, containers, and Kubernetes.
However, new technologies require new skills and knowledge, and with the kind of lightning-fast pace of change we see in cloud computing, it’s easy to understand how blind spots and vulnerabilities slip through the net. After all, security in cloud environments is a far cry from securing on-premises infrastructure.
Understanding cloud security risks
Over the past decade, we have seen tremendous growth in both public and private cloud adoption, but the landscape is far from simple. Think about the diversity of requirements, best practices, and architecture for the following three categories, just to start:
- IaaS: From the “Big 3” – AWS, Azure and GCP – to Alibaba Cloud, and Oracle Cloud.
- PaaS: AWS Elastic Beanstalk, Heroku, K8S, Cloud Foundry, Apache Mesos, etc.
- Side technologies: In this category, let’s include technologies such as Terraform and AWS CloudFormation for provisioning infrastructure and IaC, or Chef for cloud migration.
Let’s dive a bit deeper in just one of these examples: Cloud Foundry is a Platform-as-a-Service that is used to deploy, scale and manage stateless applications in any framework. To utilize Cloud Foundry effectively, DevOps, security, and R&D all have to understand the multi-tenant identity management service UAA, the Cloud Controller for directing the deployment of applications via REST API endpoints, and also the rules and best practices around service deployment.
Here’s another example: for Kubernetes, the team needs to grasp the concepts of Master, Node, Pod, API Server, RBAC management, and more. Unlike in development, where a talented Java developer can quickly get a basic understanding of new programming languages based on C# or Python, cloud technologies are completely different from one another, without any real overlap in their learning curve.
In terms of achieving secure cloud services, to stay on top of this crowded landscape we’re expecting today’s teams to be nothing short of superheroes.
Don’t let cloud security become a hurdle to innovation
With such a great deal to learn and so much complexity involved in each and every element of the cloud technology stack, something has to give. To keep up with today’s fast-paced digital transformation landscape, DevOps and IT can’t afford to wait. Of course, they are aware that they don’t have full visibility into every change that they’re making. But the expectation is too large, and so security falls to the bottom of the priority list.
The #1 issue here is cloud misconfigurations, which are a direct result of the lack of visibility. DevOps and IT, often through no fault of their own, don’t have enough knowledge or control over the IAM roles and policies that they are enforcing, and this leaves them with gaps and blind spots that could expose assets to potential threats. In some cases, this also triggers a reactive troubleshooting mode, where over-permissive policies can occur due to allowing access to users and services in other accounts.
As the environment grows, and new configurations are put in place, it becomes increasingly unlikely that an organization can keep pace. DevOps can’t physically get visualization over a dynamic cloud environment that changes multiple times each week, and so they forge ahead, hoping for the best. Of course, to add to the challenge, new technologies are being created all the time that add yet more layers of complexity to operations.
This is exactly why Gartner predicts that “through 2025, 99% of cloud security failures will be the customer’s fault.” The cycle of human error might well be predictable, but it’s also impossible for a company to manually control.
Keeping pace with change: Cloud security solutions that allow for speed
The challenge is clear. Today’s cloud security products need to be able to facilitate the digital transformation landscape, and provide true visualization into a dynamic, cloud-native environment. Your DevOps and security teams should be able to work in tandem, with a single map of your whole network, including granular insight into potential attack paths at the earliest stages of cloud configuration.
To make this happen, forward-thinking organizations are looking for vendors who provide deeper and more granular visualization over a cloud-native environment. After all, how can you secure what you can’t see? Often, this includes advanced representations of your infrastructure, for example, utilizing graph-based visualization, which can go a long way to uncovering risks, as it presents the same view that the attackers have of your environment.
The bottom line is that rather than simply add a whole slew of alerts that adds confusion and fatigue, businesses need to know about the vulnerabilities that actually translate into real-world threats, alongside the quickest route to mitigation.
Security and Dev teams should make this their focus in 2021, getting better visibility into the attack path, and thereby reducing their notifications down to critical cloud risk vectors according to business context. Only this can provide ultimate peace of mind that however fast the organization moves, security is keeping pace.