Making the Right Cloud Security Investments
With more remote workers, there is a greater need for cloud computing services. With more cloud computing, there is a greater need for cloud security. An Exabeam study found that companies are moving their security tools to the cloud, but that raises the question: Are they right tools for cloud security? Or are companies under-investing in their cloud security systems?
“Many organizations waste billions of dollars on cybersecurity each year. This is due to a combined lack of strategic planning from leadership and an ongoing shortage of security talent,” said Matthew Rogers, CISO at Syntax, in an email interview. “However, investing in security products without knowledge of how to utilize them provides very little value and results in wasted budgets.”
The Biggest Security Issues in the Cloud Today
You can’t secure what you don’t know about. Your cloud environment will have different security challenges than your on-premises network. Because of the move to remote work, the attack surface has expanded significantly, Rogers pointed out, and an increased reliance on mobile and IoT devices has also increased the number of entrance points for cybercriminals.
“Moving a high-risk internal asset that previously had only been exposed to a few hundred devices to the cloud now exposes it to billions of devices, greatly magnifying the company’s security risk,” said Rogers.
Beyond the larger attack surface, Vishal Jain, co-founder and CTO at Valtix, said there are three areas of urgent concern:
- Maintaining comprehensive security – There’s a large variety of IaaS and PaaS offerings for each cloud, and taking a step in any direction from any cloud asset makes it internet-accessible both for attackers on the outside, or those who’ve moved laterally from other attack surfaces.
- Technical complexity – Every cloud provider has a vast array of services beyond IaaS, and even basic things such as networking creates complexity. For example: the core networking architecture has the same core concepts in each cloud, but is quite a bit different in details that matter when building reference architectures.
- Ensuring compliance – DevOps, app teams and line of business have a significant role in cloud architecture, and ensuring that all teams apply security policy best practices for each cloud asset/service is a new challenge. And, the perception that a cloud provider’s infrastructure is extremely secure leads some teams to take shortcuts in their implementations to achieve agility.
Using the Right Tools for the Right Problems
While many organizations are actively looking to consolidate their security tools, they still need to pick solutions that operate with cloud awareness.
“The trend on the operational side is towards service-based tools like cloud security posture management (CSPM) for compliance, and network security-as-a-service (SaaS) for runtime protections,” explained Jain in an email interview. He said these security services are winning out over legacy firewalls since they match cloud-native design patterns with API-based integrations into modern services like Datadog for monitoring, Twilio for messaging/alerts and Slack for DevOps integration. They also provide relevant cloud-specific information to SOC and incident response (IR) teams.
“Also,” he added, “security orchestration and automated response (SOAR) tools are getting better with plugin integrations, but these can’t be effective if the traditional policy enforcement tools are not providing relevant contextual data.” Yet, there are still a lot of people who think that the best way to approach security problems is to throw money at it – getting the most expensive or comprehensive security solutions, without ever looking to see if it is the right security tool for them and their cloud operation.
“IT leaders investing in cloud security systems need a plan for execution in place to see any return from the investment,” said Rogers. “Organizations must train their employees on remaining secure, especially while working remotely, as this lack of understanding of the technology only further wastes the company’s investment in security.”
Because there are so many complex tools and such a broad lack of understanding, organizations often fail to implement their cloud security plans successfully. Rogers advised organizations take these steps to ensure optimal cloud security while still efficiently allocating their budget:
- Conduct a risk assessment analysis that takes into consideration factors unique to the organization in order to uncover the company’s top priorities.
- Ensure that data protection is at the core of their security strategy. This involves training employees on safe security practices, such as utilizing strong and unique passwords, or avoiding clicking on unknown links.
- Develop and enforce consistent and repeatable access controls as a security standard for the entire organization.
Companies are in a massive cloud-driven shift that’s changing everything from app development to deployment and operations. IT and security teams must have the right solutions to meet their needs but that also are the right investment to protect their assets in the cloud.
