A majority of enterprise organizations are embracing cloud computing in one form or another. According to ESG research, 67% of enterprises use public or private cloud infrastructure today, while 66% use one or several SaaS applications (note: I am an ESG employee).
So what about network security? It’s a bit of a struggle today as many organizations move to cloud computing long before they have the right infosec skills, processes, or tools in place. As proof of this deficit, ESG asked 145 cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) whether they agreed or disagreed with a number of statements about cloud computing security. Here are the results:
- 60% of cybersecurity professionals strongly agree or agree with the statement: My organization’s current network security operations and processes lack the right level of orchestration and automation needed for cloud computing. In other words, the security team can’t keep up with cloud self-service and DevOps.
- 60% of cybersecurity professionals strongly agree or agree with the statement: My organization is still learning how to apply its security policies to cloud security infrastructure.
- 60% of cybersecurity professionals strongly agree or agree with the statement: It is difficult to get the same level of security visibility into cloud-based workloads as we have in our physical network. You can’t manage (or secure) what you can’t measure.
- 50% of cybersecurity professionals strongly agree or agree with the statement: It is difficult to audit network security controls associated with cloud computing infrastructure. Similar point.
- 47% of cybersecurity professionals strongly agree or agree with the statement: The security team does not have the appropriate staff level to manage network security operations for cloud computing.
- 46% of cybersecurity professionals strongly agree or agree with the statement: The security organization does not have the right level of cloud computing skills to provide the same types of network security controls and oversight as it does on the physical network. The cybersecurity skills shortage seems to be a big factor with cloud computing.
Large organizations tend to struggle with cloud computing security for an initial period of 6 to 12 months. Many address these problems with an initial focus on situational awareness: collecting, processing, and analyzing as much data as they possibly can using tools from vendors like Evident.io, IBM, Illumio, Splunk, and Trend Micro. The goal? Understand what’s happening with cloud-based workloads and then apply appropriate security controls.
ESG sees a big leap of faith between traditional network security and cloud security. Security professionals tend to be “network huggers,” but Layer 3 and 4 packet filtering and security controls aren’t as applicable when workloads are hosted across heterogeneous cloud platforms. Old-school cybersecurity professionals must move beyond their traditional packet processing mindset in order to really grasp cloud security.
Note that my colleague Doug “cloud security sage” Cahill and I are currently engaged in several cloud security research projects, so stay tuned for more blogs on this topic soon.