Don’t look now. According to Venafi’s research, more than 80% of organizations have experienced a security incident on a cloud platform in the last 12 months. Most concerning, nearly half of those organizations reported at least four incidents during the same period.
The study also showed that organizations faced security incidents due to unauthorized access and misconfiguration. We’re back to old news: With cloud security, most security problems are caused by people.
A more important trend is that a large portion of what enterprise IT security does has moved from on-premises systems to cloud-based platforms. This is to be expected if you consider the shift in processing and data storage from traditional systems to the public cloud over the past few years.
Public cloud providers have better security technology. When used properly, the security protections that cloud platforms offer should be more effective than traditional on-premises security. As with other technologies, if it is in the hands of people who do not understand how to use it effectively, it backfires with authorization errors and misconfigurations.
Solving people problems is difficult, as the demand for good cloud security pros exceeds the supply by a wide margin. Enterprises are stuck with the choice of moving forward without the necessary expertise for digital transformation or stopping/slowing migration to the cloud until a critical mass of cloud security expertise is acquired or developed.
The way cloud security, and security in general, is done is also morphing. As the report notes, the responsibility for driving cloud security has shifted, with 25% of enterprise security teams adding cloud security to their responsibilities. Another 23% of organizations outsource cloud security to cloud infrastructure operations teams. Other possibilities include collaborative teams or DevSecOps teams.
Companies are moving from centralized to decentralized security, with many different teams taking on bits and pieces of cloud security rather than one overarching entity. I suspect that those managing both traditional enterprise security and cloud security are doing so with similar budgets and human resources.
What lessons can be learned?
- Getting cloud security right means going slow before you go fast. Taking the time to acquire skills and more effective operational models will reduce some of the risks we see in organizations that are moving too fast.
- This is not a technology problem, so don’t count on good security technology to save you. The biggest mistake is throwing tools and money at problems that cannot be solved.
- Skills, skills and more skills. You need an effective skills gap analysis of your “as is” state and a plan for what your “to be” state should be. Many industries have no idea of either of these and therefore no road map for improvement. This will cause more security incidents than if you forgot to lock the data center door.
All is not lost; all we need is a tune-up. Come together on what this means for your enterprise and decide what changes need to be made now. This is one of the things that should have been addressed last week.
Copyright © 2022 IDG Communications, Inc.