Enterprises continue to move their IT environment to public clouds with infrastructure, platforms, and/or software as a service (IaaS, PaaS, SaaS). Those organizations are finding the shift to cloud computing requires a different set of skills and knowledge to deal with the complexities of securing a cloud environment. “You can’t perfectly translate everything you do in a physical data center or security role into cloud security,” says Gerry Wollam, Senior Cybersecurity Solutions Architect at Sayers.
Understanding the challenges and priorities of cloud security can help you map a smoother path to the cloud for your organization.
Why Organizations Struggle With Cloud Security
One of the biggest challenges businesses face in moving to the cloud is knowing what cloud security tools and technologies they’ll need. A Palo Alto Networks study, The State of Cloud-Native Security Report 2023, found:
77% of organizations struggle to identify what security tools are necessary to achieve their objectives.
As organizations increasingly develop and deploy applications in the cloud, the same study shows 72% of organizations report an above-average turnover rate in cloud security roles.
Rather than hiring dedicated cloud security talent, some businesses think their traditional data center or security teams can take on cloud security as additions to their jobs, despite the specialized skillsets needed.
The technical complexities of cloud security combined with a shortage of talent to manage it has led to related challenges including misconfiguration of security tools, failure to meet compliance requirements, and slower response to security issues.
According to the Palo Alto Networks study, 42% of organizations reported an increase in the mean time to remediate cybersecurity incidents and threats after moving to the cloud.
What Tools And Technologies Address Cloud Security Priorities?
Hundreds of vendors offer solutions for cloud security, spanning IaaS, PaaS, and SaaS. As a result, many organizations end up deploying myriad point technologies that may or may not be part of a well-thought and comprehensive cloud security strategy.
Another common mistake is to assume one or two security tools will provide all the cloud security you’ll need. That’s a big assumption, given Gartner has identified the top five priorities for cloud security as:
- Data protection
- Application security
- Runtime security
- Vulnerability management
- Identity and access management governance
Mapping a strategy to your own organization’s priorities has to consider first how you’re using the cloud.
“It’s not always the same toolset for every use case,” says Ken Wisniewski, Sayers Senior Security Architect. “For example, the technology solutions to apply most appropriately to platform as a service are going to be different than those for infrastructure as a service with virtual machines. If you’re using cloud for IaaS, what are you doing around identity management and posture management? How are you handling workload protection?”
Those types of questions can lead to a deeper layer of inquiry and consideration for each cloud security priority:
- Data protection and application security. Moving to a cloud provider won’t automatically keep your applications and environment secure. “Native application security is available, but it has to be explicitly enabled and configured to work with whatever you’re putting out there,” says Chris Willis, Sayers VP of Cybersecurity and Network Engineering. “It will always be your responsibility to secure your own data and applications.”
Cloud-native application protection platforms (CNAPP) combine several security and compliance capabilities to secure cloud-native applications across the development and production lifecycle. This can provide the data to alert you, for example, if you have vulnerable configurations running in your cloud environment or are using a container with known risks.
- Runtime security. Cloud workload protection platform (CWPP) focuses on protecting any type of workload in enterprise environments, including physical servers, virtual machines, containers, and serverless workloads.
- Vulnerability and Posture Management. “Whether you’re talking about SaaS or PaaS, posture management for configuration maintenance is one of the primary conversations worth having as you move to a multi-cloud architecture,” Wisniewski says.
Cloud security posture management (CSPM) tools identify cloud platform configuration problems and compliance risks in the cloud, gauging them against a regulatory framework or a custom check you’ve created.
SaaS Security Posture Management (SSPM) includes API-driven integrations and focuses on areas including SaaS risk assessment, configuration drift monitoring, and security control automation. SSPM is an offshoot of cloud access security broker (CASB), which focuses on areas including compliance risks, adaptive access control, and threat protection.
- Identity and access management governance. Cloud-based identity and access management (IAM) ensures the right users access the right assets and resources, while preventing unauthorized access. Like data and applications protection, the responsibility for IAM governance falls on your organization, though cloud providers offer some IAM tools to help.
Wisniewski says:
“We need to understand where an organization is, what their objectives are, and what their future looks like in the cloud before we can recommend the right tech stack for their needs.”
For more about cloud security technologies, see A Guide To Cloud Security Technologies And Vendor Landscape.
How To Start
The complexity of securing your organization’s clouds might make you wonder where to start. A third-party cloud assessment, which Sayers offers, can identify gaps in your current infrastructure and security in the cloud. This becomes a first step before building out a roadmap to a more secure and agile IT environment for your organization.
Though not as comprehensive as a cloud assessment, our cloud security workshops are a no-cost option to consider.
Basic questions to ask even before conducting a comprehensive assessment include:
- What are you doing with the public cloud?
- How have you moved there? For example, a lift-and-shift approach from on-premise to cloud doesn’t recognize the complexity and differences inherent in cloud computing.
- What’s your cloud strategy, who’s responsible for that strategy, and are they being effective?
- How are you incorporating cloud-native security offered by cloud providers including Azure, AWS, and GCP as part of a broader cloud security strategy?
