Implement Cloud Security Tools Now, Not Later
Two-thirds of organizations use the cloud to hold sensitive data or workloads, but there is a lingering lack of confidence about the ability to protect that information, according to research from the Cloud Security Alliance.
And while more than a quarter of these organizations are using confidential computing to protect this sensitive information, more than half of the survey’s respondents said they plan to implement this security technology within the next two years.
But that’s too long to wait, according to Ameesh Divatia, co-founder and CEO of data protection company Baffle.
“With the majority of organizations now processing and sharing data in the cloud, the importance of continued protection of the data—in use, at rest and in transit—is critical,” Divatia said in a formal statement. “It’s very encouraging that the survey indicates companies intend to implement confidential computing and homomorphic encryption, but the low level of confidence 81% of respondents have in their current ability to secure data is concerning.”
Why Are They Waiting?
When asked why CISOs and cloud security teams aren’t moving faster to implement confidential computing or other security tools, Divatia said in an email interview that resources, particularly available security talent, are limited, making it difficult to keep up with the speed and amount of data and applications moving to the cloud.
“Implementing currently available security controls often requires changes to applications, which may not be possible with commercial, closed-source solutions. Although these challenges made identity and infrastructure the early focus for CISOs in cloud security, that focus is shifting to data security,” Divatia stated.
With digital transformation and the pandemic forcing organizations to move more data and resources into the cloud, CISOs are still trying to better understand their cloud security posture and these tools enable them to do exactly that, according to Aaron Cockerill, chief strategy officer at Lookout.
“The only reason implementation is slow is because of the lack of familiarity with configuring these controls,” said Cockerill in an email interview. “If you think about it, CISOs need to configure applications such as Workday, Salesforce, Office 365 and all the other hundreds of SaaS apps every organization relies on today. If you implement a cloud security tool like a cloud access security broker (CASB) across all these apps, the task of configuring these individual apps is massively simplified.”
Controls to Implement Today
The security reality that CISOs and security teams face, no matter where their information is kept, is that data has been rising in value to both the organization and to threat actors while modern attack vectors keep changing and shifting. The most immediate need in cloud security is controls that will protect data in use and in rest.
“Back when everything was located in a data center, you had tools that protected your perimeter such as firewalls, DLP filters and VPNs,” said Cockerill. “In this new cloud-driven world, you need to replicate these security tools that you once had with the traditional security perimeter and transition them into the cloud. What Gartner refers to as security service edge (SSE) is essentially a framework that consolidates these tools from the traditional security perimeter and transitions them into the cloud.”
If you don’t know where to begin with your cloud security tools, start with the basics, said Davis McCarthy, principal security researcher at Valtix, such as securing the cloud user’s accounts with 2FA and subscribing to the idea of least-privilege permissions.
“Harden the environment by architecting a secure cloud network, building layers of defense into critical workloads–especially when there is a lack of visibility,” McCarthy said.
Protecting data at the record level is the essential control for security in the cloud, and CISOs should be focused on implementing controls they have confidence in now, not in one to two years, Divatia added.
“Proper security controls not only protect against costly and damaging breaches but remain a valuable competitive differentiator for businesses.”
