Don’t look now. More than 80% of organizations have experienced a security incident on a cloud platform during the past 12 months according to research from Venafi. Most concerning, almost half of those organizations reported at least four incidents during the same period.
The study also shows that organizations encountered security incidents due to unauthorized access and misconfigurations. We’re back to old news: People are the most likely cause of most security issues, including cloud security.
A more important trend is that the bulk of what enterprise IT security does has shifted from on-premises systems to cloud-based platforms. This is to be expected if you consider the shift in processing and data storage from traditional systems to the public clouds that occurred in the past few years.
Public cloud providers offer much better security technology. If correctly used, the security protections the cloud platforms offer should be more effective than traditional on-premises security. Much like any other technology, if it’s in the hands of people who don’t understand how to use it effectively, it backfires, with authorization mistakes and misconfigurations.
People problems are difficult to fix, considering that demand for good cloud security pros is outpacing supply by a large margin. Enterprises are stuck with the choice of continuing forward without the needed skills for digital transformations or stopping/slowing the migration to the cloud until the critical mass of cloud security expertise can be obtained or developed within.
The way cloud security and security in general is carried out is morphing as well. As the report points out, responsibility for driving cloud security has shifted, with 25% of enterprise security teams adding cloud security to their responsibilities. Another 23% of organizations give cloud security to cloud infrastructure operations teams. Other possibilities include collaborative teams or devsecops teams.
Companies are moving from centralized to decentralized security, with many different teams taking on bits and pieces of cloud security rather than one holistic entity owning it. I suspect those managing both traditional enterprise security and cloud security are doing so with the same budgets and human resources.
What lessons can be learned?
- Getting cloud security right may mean going slower before you can go faster. Taking time to catch up with skills and more effective operational models will reduce some of the risks that we’re seeing within organizations that are moving too fast.
- It’s not a technology problem, so don’t believe that better security technology will save you. The largest mistake is tossing tools and money at problems that cannot be fixed by either.
- Skills, skills, and more skills. You need an effective skills gap analysis of your “as is” state and a plan for what your “to be” state should look like. Most enterprises have no idea about either and thus have no road map for improvement. This will lead to more security incidents than if you forgot to lock the data center door.
All is not lost; we just need a tune-up. Come together on what this means for your enterprise and decide which changes need to be made now. This is one of those things that should have been addressed last week.