Cloud security: A mismatch for existing security processes and technology

Enterprises use, but often abandon, traditional security controls to protect cloud-based apps and workloads

To use a long-forgotten metaphor, cloud deployment is moving forward at internet speed at many enterprise organizations. According to ESG research, 57 percent of enterprise organizations use public and private cloud infrastructure to support product applications/workloads today, and an overwhelming majority of organizations will move an increasing number of applications/workloads to cloud infrastructure over the next 24 months (note: I am an ESG employee).

Now, no one would argue the fact that cloud computing represents a different compute model, but it is really based upon the use of server virtualization for the most part. And since a VM is meant to emulate a physical server, many organizations approach cloud security by pointing traditional security processes and technologies at cloud-based workloads.

This behavior is illustrated in a recent ESG research survey where cybersecurity and IT professionals were asked if their organizations used existing security technologies and processes for securing workloads residing in cloud infrastructure (i.e., public and private). A vast majority (92 percent) said they did so “extensively or somewhat.”

Certainly cybersecurity professionals want to leverage existing security investments and lean on well-established best practices as much as possible. So, what’s the problem? Unfortunately, existing security technologies and processes don’t always work when pointed at cloud-based workloads. In fact, 32 percent of enterprise cybersecurity and IT professionals admit they’ve had to abandon many traditional security policies or technologies because they couldn’t be used effectively for cloud security, while another 42 percent have abandoned some for the same reason.

ESG also asked survey respondents to identify the least-effective traditional security tools for addressing cloud security requirements. The replies were as follows:

  • 46% of respondents claim that data security technologies (e.g., encryption, DLP) are the least-effective traditional security tools for addressing cloud security requirements. This is a really big deal when sensitive data moves to the cloud.
  • 46% of respondents claim that host-based security technologies (e.g., AV, file integrity monitoring, HIDS/HIPS) are the least-effective traditional security tools for addressing cloud security requirements. Yup, host-based tools assume they have captive permanent resources to use, which is antithetical to the cloud.
  • 44% of respondents claim that network security technologies (e.g., firewalls, IDS/IPS, gateways) are the least-effective traditional security tools for addressing cloud security requirements. This is especially troublesome because network security really dominates overall IT security at most enterprises.
  • 42% of respondents claim that web application firewalls (WAFs) are the least-effective traditional security tools for addressing cloud security requirements. Another technical incongruity; no wonder Amazon now offers WAF as a service.

Of course, no organization wants to throw the cybersecurity baby out with the cloud bath water, but force-fitting security tools designed to protect physical assets won’t work either. Yes, CISOs should use tried-and-true best practices whenever possible, but the ESG data indicates that they’ll need to embrace cloud-native security technologies and processes to do so. 

This won’t be easy, but there is really no alternative. As the ESG data clearly indicates, securing new cloud infrastructure with old processes and controls is simply a recipe for failure. 
