If you’re using cloud services to do your work, you probably appreciate the convenience, flexibility, and speed of those services. A lot of people, companies, and analysts agree with you! But whether you’re a business leader or an IT security professional, you’re probably aware that improper cloud usage poses serious security issues that can often counteract cloud benefits.
As the cloud market enters a mature stage, it’s becoming quickly apparent that traditional manual/semi-automated security paradigms are not effective on the cloud. The cloud carries immense business value for companies, but it is double-edged in that its flexibility and scalability produce many more configurations that impact your security posture (compared to non-cloud services).
For example, a decade ago, you could afford to fix vulnerabilities in your IT environment once a quarter when audits were conducted. That’s because you typically had more physical control, fewer workloads, and less platform diversity in your traditional IT environment. You could therefore get away with controlling only the highest priority security settings (on the order of 100s). But as companies adopt the cloud to address an age of faster and larger digital operations, you can no longer get away with using the same traditional security paradigms.
Cloud adoption also introduces the idea of the shared responsibility model: cloud providers take on responsibility for the security of the cloud’s physical infrastructure, but are not responsible for the security of your workloads in the cloud. Throw in the sheer number of security settings you need to manage (on the order of 1000s in the cloud from more workloads), and suddenly you find you’re unable to keep up. Many companies we’ve spoken to have mentioned that they fix only the highest priority settings once a quarter (when audited), fix about 40% of the medium priority settings, and rarely get around to fixing the lower priority settings. But with so many settings and so many servers, your attack surface is much bigger than it used to be – and just one of those settings can be all it takes to allow a breach. So what’s a company in the cloud age to do about security?
The answer is proactive and automated cloud security.
Let’s see why these two elements are essential to securing your workloads in the cloud.
Why is proactivity essential to cloud security?
A large number of short-lived workloads in the cloud can cause attack surface to grow exponentially. Because of this, it’s no longer acceptable to just have a reactive approach to cloud security (e.g. fixing vulnerabilities only once a quarter when audited, or in response to a breach). To protect yourself in the cloud, you need to be continuously and consistently managing your security configurations throughout your environment. Proactive security also has the benefit of aligning your business goals with your security initiatives. Instead of inhibiting your work (like many after-the-fact security practices), proactive security actually enables your work by continuously ensuring the protection of your activity and data. When you align your security posture with your business objectives, you are truly protecting the core entities of your business: your employees, customers, and data.
Why is automation essential to cloud security?
Simply put, automation enables proactivity on the cloud. Both the short-lived nature of workloads in the cloud, and the sheer number of workloads across clouds and lines of business, mean that humans cannot manage cloud security manually or semi-automatically. The only way to continuously and consistently secure your work in the cloud (that is, diminish your attack surface) is through full automation. We’ve seen that security automation can account for 80-90% of attack vectors in the cloud. Automation also has the benefit of drastically reducing the costs associated with manual or semi-automated cloud security practices. That frees you time and money to put towards achieving your business goals.
To summarize, your cloud security posture must be proactive and automated for you to get the best business value from the cloud, while protecting your business and avoiding ridiculous security complexity/costs.
The cloud age is now, and you can take advantage of it without letting security get in the way – proactivity and automation are the keys. Feel free to send us questions or comments, Cloud Raxak will be happy to address them and help you securely leverage the cloud for your business!
Click here to read a perspective from Malcolm Harkins, security expert and Chief Security and Trust Officer at Cylance, on why proactivity and automation are essential to cloud security.