One of the main challenges in securing the public cloud is that the responsibility for securing the cloud infrastructure is shared between the cloud provider and the user. This can lead to confusion about who is responsible for securing various parts of the system, making it challenging to ensure that the entire cloud environment is adequately protected.
However, the path to securely migrating to the cloud goes beyond the technical components and extends well into the organizational structure, culture, and shifting roles and responsibilities.
That is why the perception of cloud security matters.
If you are anticipating like-for-like, apples-to-apples security controls to be applied to your workloads in the public cloud, well... you are likely to fail.
Watch my interview with Christer Swartz, Illumio's Technical Marketing Engineer, about the challenges facing organizations who are trying to secure the cloud:
The cloud requires a new mindset to reduce security risk
In my last article, I discussed why traditional approaches to security don't work in the cloud.
Succeeding at securing your cloud environment requires strategic planning, technical training, and new controls for automation and orchestration in a dynamic, cloud-native environment.
A key finding from Gartner's recent publication, Solution Path for Security in the Public Cloud, stated that "misconfiguration of cloud resources is the leading cause of data loss in the cloud environment. Incorrect assumption about who has responsibility for security enforcement are leading to holes in cloud security."
Learn how Zero Trust Segmentation can mitigate cloud security risk here.
Cloud security: 4 mindset shifts your security team must make
To learn more about the challenges associated with cloud security, I interviewed Christer Swartz. You can watch the full interview above.
He provided these four key points that organizations must consider when securing the cloud.
1. Don't rely on the vendor to secure the cloud
"Lift and shift" doesn't mean organizations should take their current security processes on-premises and extend them to the cloud. Once you migrate to the cloud, the impression that security is the responsibility of the vendor can quickly cause gaps - and potentially breaches.
Organizations are used to having control over the entire stack in our own data centers, but in the public cloud, the demarcation points of responsibility shift to where the customer must secure the workload, while the vendor secures the underlying fabric.
2. Plan for a multi-cloud environment
Not all clouds are created equal!
Every cloud provider has their own tools, and translating each policy from one fabric to the next is cumbersome, complicated, and usually leaves cloud blind spots. An agnostic approach that abstracts security controls over the underlying fabric can help create consistent security enforcement without the headache of dealing with multiple tools.
In a recent report from Gartner, A Guide to Cloud Security Concepts, they recommend a "single pane of glass" for monitoring, policy creation, and threat mitigation across multiple cloud applications
3. Shift-left to secure CI/CD pipeline
Security needs to be instantiated during the entire lifecycle of the application.
If organizations wait until production to monitor their environments, malware could already be spreading. Malware can be inserted at any point in the lifecycle, so a proactive approach helps keep risk mitigated and locked down much more quickly.
4. Educate your team on cloud security
The cultural shift is NOT a component of securing the cloud to overlook! In fact, it's probably the most important to successfully implement and execute new processes and security operations. I mean, let's face it - developer culture and security culture don't exactly match up.
It's no wonder why Gartner has recommended educating your teams about cloud security as the number one step, since it leads to the primary point of risk for organizations - misconfigurations in the cloud.
Find out the 5 things you might not know about cloud security.
Plan for cloud risk by building a cloud security strategy
How do you implement these mindset shifts in your organization? Build a security strategy specific to the cloud.
Rapid cloud migration is underway at full speed, but the security processes and tools are still catching up to the shift. For that reason, organizations should plan for cloud risk management with a cloud security strategy in place.
As Gartner explains: "A cloud strategy is a set of choices and decisions that describe the high-level actions that will allow the organization to adopt cloud computing and achieve its goals."
Importantly, organizations must expect managing cloud security risk to be a continual process as the security tools and processes evolve over the next 5-10 years into full maturity.
Standardizing and formalizing your cloud security strategy is the fastest way to scaling consumption of cloud services while mitigating risk and exposure.
Expect continued cloud adoption - and security risks
As we continue to see the cloud adoption curve spike to high migration, it's clear the market, industry, and technology are all adjusting with the transition.
In short, make sure that you:
- Create a cloud strategy that includes people, processes, and technology
- Identify and document the objectives, risks, organizational impact, and any key adoption principles (i.e., cloud-first migration strategy and workload placement)
Ready to learn how Illumio can help reduce cloud security risk? Contact us today for a demo and consultation.
Follow us on LinkedIn and YouTube to watch the latest video on this series and become a part of the discussion with your comments and feedback!