Fast Pace of Cloud Adoption Leaves Security Lost in the Wind

The pace of change in technology is so fast that businesses are barely able to implement the newest solutions before they are replaced by newer and more advanced technologies. An even greater challenge for enterprises, though, is the rapid pace of cloud adoption. As cloud kicks into high gear, security can’t seem to get around the bend fast enough, according to the 2019 State of Hybrid Cloud Security Survey, published by FireMon.

To understand the common practices of security professionals who are maintaining network security across hybrid cloud environments, FireMon polled more than 400 infosec professionals. The survey results revealed that the top three concerns for participants include the misalignment of cloud business and cloud security, a challenge compounded by the fact that existing security tools can’t handle scale and complexity. Perhaps at the root of these two issues is the challenging reality that solutions to these problems are hindered by a lack of security budget and resources.

In fact, 60 percent of respondents either agree or strongly agree that cloud-based business strategies are moving faster than the security teams are able to secure them. The pace of advancement is not the sole problem, though. The survey also found that nearly half (44 percent) of the teams responsible for cloud security are actually outside the security team (i.e. IT/cloud teams, application owners or other teams), which continues to handicap cloud security.

“The survey results reveal several key challenges for organizations. We see rapidly expanding attack surfaces developing across dynamic hybrid environments,” said Tim Woods, VP of technology alliances at FireMon.

“Security initiatives are being explored, such as Zero Trust leveraging microsegmentation and other next-gen technologies, but organizations are constrained by the required visibility,” he continued. “This lack of visibility into assets, applications and resources across the hybrid infrastructure is a real problem. If you don’t have a clear picture of what assets are on your network, it becomes increasingly difficult to protect them.”

Why Security Can’t Catch Up With DevOps

The heightened pace of DevOps has improved security operations for 44 percent of survey respondents; however, the relationship between security teams and DevOps remains either complicated or contentious for nearly a third (30 percent) of respondents.

“Business and DevOps teams are prioritizing speed-to-market over security, deploying apps and taking self-responsibility for implementing their own data security controls. This introduces unnecessary security and compliance risk,” Woods said.

“We see a perfect storm scenario emerging as organizations struggle to determine who has responsibility for cloud security—IT/security teams, DevOps personnel, app owners, business teams, etc.—and they lack the integrated tools and personnel needed to holistically manage and secure their hybrid cloud environments.”

In many cases, business requirements have advanced beyond the IT teams’ ability to secure them, particularly because respondents are challenged with a lack of visibility, training and control. A large majority (57.5 percent) of respondents admitted that not even a quarter of their security budget is dedicated to cloud security.

Collaboration Beyond Compliance

“It’s time we move security to the front burner ‘by design and default’ and equip companies with the tools they need to secure their hybrid environments, and intent-based security allows us to do just this,” Woods said. “Intent-based security unites business, DevOps and security teams by enabling them to collaborate on a global security policy.”

While personnel outside of security often determine the business intent of applications, security personnel should be the ones to define the security and compliance intent so that all three are aligned. When aligned, it is more likely that the needs of all parties can be met by fully automating policy changes.

“IT security teams are no longer mired in rule writing and manual processes, next-gen technologies and processes can be leveraged without added risk, and security can finally move at the speed of business,” Woods said.

However, the longer businesses wait to make security a priority, the more security debt they are likely to incur. “Achieving network visibility and mastering global policy management are essential to maintain continuous security across the hybrid enterprise, and intent-based security is the model that allows organizations to achieve both successfully, easily and cost-effectively,” said Woods.

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
