Large organizations are embracing public and private cloud computing at a rapid pace. According to ESG research, one-third of organizations have been using public and private cloud infrastructure for more than three years, and more than half of organizations (57%) have production workloads running on cloud computing infrastructure (note: I am an ESG employee).
Of course, cloud computing is very different than physical or virtual servers, which translates into a different cybersecurity model as well. And these differences lead to a variety of security challenges.
ESG recently surveyed 303 cybersecurity and IT professionals working at enterprise organizations (i.e. more than 1,000 employees) and posed a series of questions about cloud computing and cloud security. When asked to identify their top challenges with cloud security:
- 34% said their organization finds it challenging to provision security controls for new workloads in the cloud. This makes sense as the cybersecurity staff isn’t really prepared to keep up with the DevOps team’s use of things like Chef and Puppet.
- 34% said their organization finds it challenging to assess the overall security status of cloud infrastructure. Either they lack the right level of visibility or they can’t keep up with all of the changes taking place in real-time.
- 34% said their organization finds it challenging to monitor workloads across clouds. This could be related to workloads within hybrid clouds, or it could indicate monitoring challenges with workloads across heterogeneous private or public cloud infrastructure. Either way, the security team is losing visibility of mobile workloads, and that’s a problem in an active heterogeneous cloud environment where things are always changing.
- 33% said their organization finds it challenging to maintain regulatory compliance while using cloud infrastructure. This certainly restricts organizations’ ability to maximize cloud computing business benefits.
- 32% said their organization finds it challenging to monitor cloud-based network traffic patterns to detect anomalous/suspicious behavior. This could be related to monitoring weaknesses and/or skills deficiencies, but either way it makes organizations more vulnerable to cyber-attacks.
OK, I get it—cloud security is relatively immature, so we should certainly expect these kinds of challenges. The problem here, however, is that organizations aren't waiting around for CISOs to address these challenges. Rather many are moving full-speed ahead with cloud computing and increasing IT risk as they do so. So, in essence, enterprises are embracing clouds for business benefit, but these benefits come with the cost of degraded security protection. Given today’s threats, this is an unacceptable trade-off.
What can be done to bridge this gap? I’ll address that in another blog soon.