Addressing cloud sprawl: Combining security best practices with business foundations
The rate of cloud adoption has been nothing short of remarkable. According to IDG, 90% of organisations will have some portion of their applications or infrastructure running in the cloud this year, with the rest expected to follow suit by 2021. And while most organisations currently run more than half (53%) of their business on traditional networks, IDG also predicts that this will drop to less than a third (31%) within the next year or so.
The largest segment of the cloud market is IaaS. Forrester forecasts that the six largest public cloud providers (Alibaba, AWS, Azure, Google, IBM, and Oracle) will only grow larger in 2019, while Goldman-Sachs also predicts that they will consolidate IaaS, controlling 84% of the market within the next year.
However, while IaaS and PaaS are starting to consolidate, they are only part of the cloud phenomenon. Cloud-based storage and SaaS are markets that are also growing rapidly, and nearly every organisation on the planet participates in one or more of these whether they know it or not. In addition to big SaaS players like Salesforce, according to Gartner, shadow IT now represents 30 to 40 percent of IT spending in large enterprises.
The security challenge of cloud sprawl
For many organisations, the lure of the freedom and flexibility of the cloud has caused them to adopt and deploy solutions before they have put a comprehensive security strategy in place. In fact, the majority of cloud-based spending in organisations bypasses the CIO, as lines of business are increasingly making decisions for implementing some form of cloud solution within an organisation. According to IDG, 42% of organisations now have a multi-cloud deployment in place. And yet, most organisations do not have a unified system in place for monitoring, managing, or securing these resources.
Failing to address the security challenges of cloud sprawl puts your organisation at risk. For example, Gartner predicts that by 2020 a third of successful attacks experienced by enterprises will be on their Shadow IT resources. Getting out in front of this challenge requires security teams to develop a two-pronged campaign that focuses on human intervention and the adoption of new technologies.
The human approach
Security leaders need to lead an internal PR campaign that educates leaders and users alike on the risks associated with freewheeling cloud adoption. The CIO and his leadership staff need to regularly meet with board members, C-suite leaders, and directors of lines of business to engage in business strategies that include the adoption of cloud services. The challenge is to establish yourselves as enablers rather than someone looking to restrict business opportunities.
Individuals and groups looking to adopt new cloud services usually have very good reasons for doing so, and your job is to help them get to yes without putting the organisation at risk. This involves understanding their requirements and objectives, informing them of the range of solutions already available or that can be easily integrated into your existing IT strategy, and educating them about risks that could negate any business advantages. This requires a lot of listening, trust building, and diplomacy—all soft skills that today’s security leadership team needs to possess.
The technical approach
In addition to working directly with business decision makers, there are a range of solutions that organisations need to put in place to control the security issues arising from cloud sprawl.
- Integrate your security tools: The most essential, baseline components are having a security policy in place that covers cloud, and having security tools in place that enable you to see, control, and respond to security threats even as the network they are defending evolves. Broad deployment, deep integration, centralised management and orchestration, and coordinated threat response needs to span the entire network—including those cloud elements of which you may not even be aware
- Leverage native cloud controls: Bolting a security solution onto a cloud environment does not ensure that protections will be sufficient or consistent. Look for security solutions that are fully integrated into the cloud environments and that use native controls to manage and secure cloud data and transaction
- Integrate cloud security using connectors: Security features and functions do not always operate consistently in different cloud environments. This can leave gaps in coverage and critical blind spots that cybercriminals can exploit. Cloud connectors designed specifically for each of the different IaaS vendors enable organisations to quickly and easily deploy cloud-based security solutions that can ensure consistent visibility and control across a multi-cloud deployment
- Implement logical (intent-based) segmentation: Secure segmentation solutions allow you to isolate resources and transactions based on a wide range of parameters, and include a range of segmentation approaches, including VLAN-like segments, micro-segmentation, and emerging macro-segmentation. Ideally, segmentation should allow you to dynamically establish a secure environment for a variety of use cases, and that can span from the originating devices—whether servers, mobile applications, or IoT—across the distributed network, including multi-cloud environments. In the cloud the traditional network constructs don’t necessarily exist – and there is a need to leverage cloud resources information and meta-data in order to associate policy with the application builder intent
- Establish strong access controls: Any device, application, transaction, or workflow looking to interact with cloud infrastructures and applications needs to be analysed, processed, secured, and monitored. Recent advances in Network Access Control provide an extra layer of security without unnecessary overhead to secure the network and resources from transactions that need to join or move laterally across the network
- Deploy a CASB solution: Cloud access security brokers (CASB) provide visibility, compliance, data security, and threat protection for any cloud-based services being used by an organisation—including the discovery of Shadow IT. A CASB solution should be able to provide insights into resources, users, behaviors, and data stored in the cloud, as well as advanced controls to extend security policies from within the network perimeter to IaaS resources and SaaS applications
Cloud computing based networking is utterly transforming how organisations operate and conduct business. But without comprehensive security policies and solutions in place, combined with a corporate climate committed to proactively protecting cloud-based assets and organisational resources, cloud adoption can introduce more risk and overhead than most IT teams can absorb.
To address this growing challenge, security leadership teams, beginning with the CIO, need to start now to foster a climate of business-focused enablement across the organisation, combined with an integrated security foundation that enables rapid and automated policy enforcement anywhere across the distributed network.
Read more: Gartner’s latest Magic Quadrant shows the need for cloud access security brokers going forward
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.