Achieving security in the cloud is far from easy. Learn why that is, and how to fix it.
It appears cloud proponents can declare a victory. A recent survey by RightScale Inc., a cloud portfolio management service, suggests more than 90% of businesses are using some form of cloud technology.
Those pushing cloud services will admit it has been a long, hard fight, with the primary reason for slow adoption being a concern for security. "If your firm uses cloud services, ultimately, your organization is responsible and liable from a legal perspective for protecting your customers' data — it's not the cloud provider's liability," states the Forrester report Sizing The Cloud Security Market. And being responsible for something controlled by a third party tends not to sit well with upper management.
"Sometimes it feels like achieving security in the cloud comes with more roadblocks than a presidential motorcade on Election Day," says Venkat Pothamsetty, vice president of products and customer advocacy for Threat Stack. "As platforms, devices, and compliance requirements proliferate, picking the right tool(s) for your particular company and industry turns into a complicated ordeal."
To prevent C-level misgivings from becoming real-world angst, Pothamsetty, in his Business 2 Commentary "Are Any of These 6 Roadblocks Standing in the Way of Your Cloud Security?", discusses six areas that analysts at Threat Stack believe companies new to cloud services, or those experiencing issues, need to consider. Besides pointing out the roadblocks, Pothamsetty offers suggestions for overcoming them.
The roadblocks and the fixes
1: After the fact
In their rush to cloud services, businesses are forgetting to ensure the security of the company's information and infrastructure, as the data is somewhere else now.
The fix: Pothamsetty suggests a cloud security strategy should be an integral part of any cloud-transition planning or in-house cloud service policies. He adds, "By starting with a plan, you can focus on investing in a security solution that will monitor and protect your entire infrastructure versus scrambling after the fact to deal with the latest zero-day threats."
2: Incomplete picture
Pothamsetty feels that most threat detection systems currently used for cloud security are not all-encompassing, meaning multiple systems are needed to do the job properly.
The fix: What's needed is a process/system integration tool that pulls all the various inputs into a manageable real-time narrative available to and understandable by those responsible for making decisions.
3: Fragmented solutions
Not only is threat detection fragmented, most defense systems are also single-purpose solutions.
The fix: According to Pothamsetty, a management system that integrates every facet of cloud security is required. He adds, "It's at this level that companies can finally eliminate the complexity, time, and expense it takes to manage the security of their cloud."
4: Operational inefficiencies
Besides fragmentation within cloud security systems, Pothamsetty and analysts at Threat Stack bump into problems when trying to meld cloud security systems with DevOps tools and business systems in on-premise, private, and public cloud environments.
The fix: The solution involves:
- simplifying complex deployments;
- automating manual processes; and
- alleviating operational bottlenecks.
"Whether you're running entirely in the cloud, in the process of migrating, or have a hybrid environment, your security posture needs to be flexible," mentions Pothamsetty. "A solution that integrates across environments and scales with you as you grow is necessary. For without this single pane of glass, you cannot achieve a unified view of your entire infrastructure."
5: Complex, expensive solutions
Due to the newness of cloud services, cloud security solutions tend to be generic systems with required tools (audit trails, access controls, intrusion detection) added as afterthoughts. "Today's fast-moving, high-growth companies recognize this isn't sustainable," writes Pothamsetty. "Cloud security needs to be as streamlined as possible."
The fix: Pothamsetty suggests starting over with a solution built specifically for the cloud, adding that cloud-only solutions are flexible enough to scale capacity to meet the needs of the company.
6: Lack of content correlation
Companies must protect business and customer data even though the information traverses several disparate data repositories — something not always taken into account.
The fix: "By automating the data correlation process, your team can elevate their focus from detection to resolution," writes Pothamsetty. "Eliminating these tedious tasks, you'll gain the clearest and most seamless understanding of the threats to your cloud infrastructure."
Tactical security vs. a strategic-first approach
To summarize, Pothamsetty feels companies currently opt for what he calls tactical security. "Throw a product or feature at the security problem and move on," he writes. "But using an ad-hoc approach like this, there is little to no focus on the big picture — certainly there's no comprehensive strategy."
Pothamsetty continues, "Starting at the strategy level allows companies to invest in security platforms that support their entire infrastructure rather than cobbling together single point solutions."