As cloud customers enter 2023 with an increased presence in multicloud, they are prioritizing strategies to combat emerging gaps in cloud security.
Most large companies are accessing cloud services in several public clouds, while retaining enterprise systems and private clouds in their company’s data centers. Many are using at least two cloud service providers (CSPs), and some are using five or more CSPs as they build out their hybrid cloud or multicloud environment.
Few enterprises can say they’ve been untouched by cyberattacks and ransomware over the last two years. These attacks become apparent — sometimes months after they began — when access to data becomes blocked, or when data loss becomes apparent.
Recent attacks affected a major U.S. city, a large city’s school district, and a New York municipality. That’s why cyber-resilience is top-of-mind for chief executive officers (CXOs) and IT professionals — not only in the largest enterprises but also government agencies and small and midsize businesses (SMBs).
The problem is widespread: An IBM study of more than 3,000 IT and business professionals found that 83% of customers reported there had been data breaches in their organization and that 45% of those breaches were related to cloud deployments.
The average cost of a data breach is $4.5 million, and the financial cost is often higher in the United States, reaching as much as $9 million per breach for attacks in the financial and health-care sectors, the IBM study respondents reported.
Also see: Top Cloud Companies
Cloud Security Gaps Have Paced Customers’ Cloud Adoption
As cloud migrations accelerated from 2020 to 2022, driven by the onset of the COVID-19 pandemic, enterprises were seeing gaps in cloud security emerging. Now, because many organizations have multiple cloud deployments, it’s the gaps that are getting more and more attention.
These gaps in cloud security create inconsistent security code, monitoring, and security practices and must be addressed to operationalize end-to-end cloud computing.
“Companies need to do defense in-depth,” said Cal Braunstein, CEO and executive director of research at the Robert Frances Group. “You can’t count on everyone using the same security practices, and so it creates gaps.”
Ways to Lessen the Cloud Security Gap
In a multicloud world, security provisions across a large enterprise can be improved by using integrated consoles, adopting standards, using AI-based software tools for development, and security monitoring software that provides an end-to-end view.
Compartmentalization, as a practice across the enterprise, can provide a good security defense in cases where there are inconsistent cloud-security policies in an enterprise network, Braunstein said.
“If you have a fire in a house, the whole house can go into flames,” Braunstein said, using an analogy for the practice. “If you have a fire in a submarine, you can compartmentalize, closing off the area that has the fire and containing the fire to limit the damage.”
Closing the Cloud Security Skills Gap With Education and Training
Factors causing security gaps include:
- Technical debt due to aging IT systems.
- A poor fit between enterprise applications and a new generation of cloud-native applications.
- Different implementations of security and compliance policies.
- Shortages of the AppDev skill sets needed to rewrite old code that would bridge some of the security gaps.
To close the gaps, security strategies must be aligned across the company’s business and IT organizations, providing end-to-end security solutions across the entire organization.
In a recent eWeek podcast, IBM executive Varun Bijlani, global managing partner and leader of IBM Consulting’s Hybrid Cloud Transformation team, said an IT skills gap is affecting cloud migration in a hybrid cloud world.
After the first wave of cloud migrations, many customers started scaling up, Bijlani said, but found that “architectural complexity, a lack of talent and security, and compliance issues were starting to hold them back.” According to Bijlani, key job titles needed include cloud architects, microservices developers, and data engineers.
“Most companies simply do not have enough of the talent they need,” said Bijlani.
This shortfall in IT skills directly affects cloud security, and it is showing itself in industry research. A 2022 IDC study found that customers in North America and worldwide are planning to improve their team’s technical and operational skills to increase cloud security protection and cyber-resilience.
Phil Bues, research manager for IDC Cloud Security, said many customers want to move quickly to reduce cloud-security gaps. The challenge is growing because cloud-native applications are increasingly running alongside traditional enterprise applications built for the data center, which must be modernized.
“The current global cybersecurity paradox of complexity and security is [being] met by the accelerated rise to a digital-first world, led by ‘shift left/shift right’ approaches and tools, context-rich visibility, zero-trust access, and the talent gap,” said Bues.
IDC’s cloud security research found that, of 250 customer sites in North America:
- 35% of respondents plan to improve in-house cloud-security skills.
- 30% plan to improve in-house data privacy skills.
- 28% want to have better cloud-based data resiliency skills.
- 20% want to leverage better DevOps methodologies.
- 22% want to improve contract management with the cloud service providers (CSPs) supporting their cloud deployments.
IDC found that training, re-skilling, and education will address the skill set shortages associated with today’s cloud security gaps. IDC’s worldwide sample of 800 sites, published in July 2022, showed customers are taking many paths to improve cloud security, by using:
- Data-privacy skills (26.7%)
- Cloud-based data resiliency skills (25.7%)
- Cloud security skills (24.1%)
- Wider familiarity with multiple CSPs (22.1%)
- More cloud-native application development (20.5%)
“The rules of the software code protections game are simultaneously changing as applications move from monolithic to microservices-based, linking hundreds or even thousands of loosely coupled services that are dynamic, ephemeral, and highly distributed,” Bues said. “More complexity is also accompanied by a richer metadata context, providing different opportunities for anomalous behavior detection” in the enterprise.
Also see: How Database Virtualization Helps Migrate a Data Warehouse to the Cloud
Business and IT Must Agree on the Security Plan
Alignment across business units and agreement on shared goals by business and IT executives must happen first when multicloud projects are in their first phases. Bonnie Titone, CIO of Duke Energy Corp., speaking at the AWS re:Invent conference, said it’s vital for business and IT executives to identify priorities for cloud security before embarking on big multicloud projects.
“Go slow to go fast,” Titone cautioned. “When you take these decisions to make a cloud move, it’s always about moving fast, and that’s great. But, you have to take the time at the beginning to make sure that you’ve built the right foundation.
“There’s this minimal security baseline you have to work towards. But when it’s critical [energy] infrastructure, you have to go way above compliance.”
Duke Energy and AWS recently announced a co-development project for next-generation cloud deployments.
“Study best practices,” Titone told the re:Invent panel. “We’re using DevSecOps to go on the [cloud] journey, so we can build cloud-native [code] and secure it from the get-go.”
Customers must do more to take cloud development and cloud security to the next level, said Rudy Pawul, vice president of information and cybersecurity services at the ISO New England utilities group.
“Amazon is going to secure the cloud, but you’re in charge of your whole environment,” Pawul told the re:Invent panel. “So, I wouldn’t do anything in the cloud that I wouldn’t do in my own on-premises environment, as far as lack of tools, instrumentation, visibility and common network security principles.”
Planning and testing for cloud security are vital, Pawul said: “Certainly, taking your time in building out your environment before you’re depending on it for any of your production workloads is key. Otherwise, you’ll get yourself in trouble.”
Consistency is Key for Cloud Security
To close the cloud-security gaps, security strategies and implementations must be aligned across the company’s business and IT organizations, providing security consistency across the entire organization. Many enterprises plan to strengthen data protection, improve application development with low-code/no-code software, and add security “guardrails” — practices to provide greater cloud security in 2023.
“We’ve seen a lot of cloud migrations, but now we’re going to see a focus on shifting from easy [cloud] migrations to the core applications, the core workloads of the enterprise,” Bijlani said. “The applications will straddle multiple environments, but the architecture will be far more efficient, going forward.”
Many companies are turning to software vendors and consulting partners to speed up the work needed to improve cloud deployments for enterprise applications. It will take a combination of IT skill sets, software, AI/ML tools, management automation, and enhanced security policies to improve their cyber-resilience in a multicloud computing world.
Jean S. Bozman is president of Cloud Architects, a market research and consulting company based in Palo Alto, California.