05 Jun The Multi-Million Dollar Question: Who owns cloud security?
Security is paramount in the enterprise…or is it?
In the last year or so, a number of enterprises have recently put new tech projects, including security, on hold, except for the cloud. The pressure from the business to migrate to the cloud has become so intense, all other projects have been halted.
In some of these shops, the plan is to stop everything else they are doing long enough to set the cloud in motion, and then come back to revisit security. This is the sort of stuff that keeps CISOs awake at night and its an example of what some market watchers mean when they say the CISO must “learn to lead without authority.”
Cloud presents security issues, that as an industry, we still need to work through collectively. In other words, security needs to be baked into the strategic IT plan – it can’t be an afterthought any longer.
The 3 Primary Cloud Options and Associated Security Concerns
Generally, there are three broad options for migrating to the cloud:
- Going all cloud, all the time;
- Sticking to on-premise infrastructure (on-prem); and
- Taking a hybrid approach, which is a blend of the two.
At a basic level, the security problems boil down to these:
1) Security concerns with the all cloud approach
This is the most flexible option and is very attractive to the business. You let someone else worry about the infrastructure, including security, and focus on your business.
Yet security professionals know, it’s not always so simple; the old adage, “trust but verify” comes to mind. As such, security professionals want access to layer 2 and layer 3 in order to ensure the intrusion prevention and detection system (IPDS) measures implemented to match the organizational standards.
There is some research on this notion too. According to an article in CSO Online, a recent study found “62 percent of respondents expressed a desire for their security operations centers (SOCs) to control network traffic and data to ensure adequate protection in a cloud environment. Half of them would settle for awareness of network traffic and data.”
Obviously, the layer limits the response options. For example, you can’t block known threats if the traffic you see is a mirror. Yet the distinction may not matter because most cloud providers are reluctant to disclose their security protocols to outside personnel, even customers.
Consequently, the customer and the security team are dependent on an abstraction of security the vendor presents.
Also see these related posts:
Costs and Incidents: Visualizing the Trends in Cybersecurity [infographic]
IDS is Dead! Long Live IDS! An Analyst Prediction from 2003 Remains Relevant
5 Useful Benchmarks on Threat Hunting for the Security Operations Center
2) Security concerns with on-prem.
On-prem is the traditional challenge in cybersecurity. For that reasons, it’s often the benchmark by which all other options are compared and more importantly, how we understand new strategies. In the on-prem construct, the enterprise gets to choose all of its security controls and maintains 100% of the responsibility for the outcome, for better or worse.
3) Security concerns with hybrid cloud.
Most large enterprises fall into this category, with a mix of cloud and on-prem infrastructure. It’s also the model that’s proving most vulnerable.
The aforementioned CSO article cites a separate study that examined 147 petabytes of data over a year and one-half and found, “Hybrid cloud environments experienced the highest average number of incidents per customer at 977, followed by hosted private cloud (684), on-premises data center (612), and public cloud (405).”
This is precisely why enterprises with critical data want to see first-hand the security measures cloud vendors say they have implemented. Enterprise security needs to know if the actions a vendor is taking, mesh with their actions, and weight whether or not there is added complexity if the two entities are managing duplicate tools, analysts and related costs.
The Million Dollar Question: Who Owns Cloud Security?
Given the cost of a breach is between $3.62 million and $7.35 million, this is literally a multi-million-dollar question. While the security community doesn’t have a collective answer for this today, that does not grant us permission to put off thinking about it until tomorrow.
The march towards the cloud is probably inevitable, given the cost reductions and scalability. For many businesses, it’s the logical decision. However, if the business is pushing the enterprise at a pace that leaves security uncomfortable and scrambling for answers, then we owe it to the business to at least deliver a well-defined problem.
Cloud or otherwise, security remains paramount and will for the foreseeable future.
If you enjoyed this post, you might also like:
4 Considerations for Evaluating an Intrusion Detection System