In the wake of the massive SolarWinds attack, which affected businesses around the world, a debate has developed about cloud security and whether the public cloud is a safer option than a hybrid cloud approach. However, rather than asking which cloud approach is more secure, we should ask ourselves what model we need to design security for. I believe technology leaders should design for the way companies work today, rather than pigeonholing customers into securing one computing model over another.
The SolarWinds incident, for example, capitalized on the broad supply chain of technology providers that companies rely on today. While the supply-chain security challenge has been around for decades, it is only one factor that contributes to an even larger problem that security teams face today: complexity.
In other words, the greatest security challenge we face today is not the technologies themselves, but the separate strategies and technologies used to secure them.
Complexity is the enemy of security
Hybrid cloud environments have emerged as an important approach for governments, public and private companies – those with critical and regulated data that they need to protect. Indeed, a recent study by Forrester Research found that 85% of technology decision-makers believe that on-premise infrastructure is critical to their hybrid cloud strategies.
However, the ad hoc adoption of cloud technologies has created a “Wild West” of scattered IT resources that need to be secured, with gaps in visibility and data spread across multiple tools, clouds, and on-prem infrastructure. This problem has only been exacerbated by the hasty introduction of new cloud tools and resources to adapt to remote work in the midst of the global pandemic.
This disconnected approach is unfortunately reflected in many security tools designed to secure today’s cloud environments. We have reached the point where large companies often use 50 to 100 different security tools from dozens of different vendors.
The problem here isn’t cloud resources or the security tools themselves, but the fact that the various parts are not connected to a single approach, creating blind spots and complexity in the security field.
A well-executed “hybrid cloud model” combines part of a company’s existing on-premise systems with a mix of public cloud resources and as-a-service resources and treats them as one entity. In turn, security also needs redesigning with a single checkpoint that provides a holistic view of threats and reduces complexity.
Connecting security across clouds
In the hybrid cloud world, security and data privacy become a shared responsibility of data owners, users and providers.
Ultimately, many of the security risks introduced in cloud environments result from human error, combined with a lack of centralized visibility to find and fix these problems before they cause harm. Cloud misconfigurations are the main cause of data breaches studied in the Cost of a Data Breach Report by IBM and Ponemon Institute, accounting for nearly one-fifth of the data breaches analyzed.
The fastest-growing innovation to address this gap is called confidential computing. Currently, most cloud providers promise not to access your data; they could, of course, be forced to break that promise through court order or other means. That same access also means that malicious actors could use it for their own nefarious purposes. Confidential computing ensures that the cloud technology provider is technically unable to access data, making it equally difficult for cybercriminals to gain access to it.
Understanding how attackers breach the cloud is also key to developing security protocols. According to an IBM analysis of security incidents in the cloud, the most common way is through cloud-based applications. In fact, 45% of cloud-related security incidents analyzed by IBM X-Force Response Teams last year related to remote use of cloud apps.
With these challenges in mind, a few guiding principles can help you design security for the hybrid cloud age:
- Unify your strategy: Build a comprehensive cloud security strategy that spans your entire organization – from application developers to IT and security teams. Define clear guidelines for both new and existing cloud resources.
- Choose the right architecture: Identify your most sensitive data and make sure that the right privacy policies are in place – even down to the hardware level. Look at technical assurances such as confidential computing and keep your own key so that not even your cloud provider can access your data.
- Adopt an open approach: Make sure your security technologies can work effectively across hybrid cloud environments (including on premise and multiple clouds). Where possible, leverage open technologies and standards which allow for greater interoperability and can reduce complexity.
- Automate security: Implement AI and automation for greater speed and accuracy when responding to threats, rather than relying solely on manual reactions.
Improving cloud security for the new normal is possible, but we need to move away from previous assumptions. A clear presentation of the security challenges and types of threats targeting cloud environments will help us address these new frontiers.