As businesses increasingly migrate to the cloud, chief information security officers (CISOs) face critical challenges in ensuring robust cloud security. False assumptions and applying old patterns to new technologies are among the key pitfalls CISOs must address, Gartner VP Analyst Richard Bartley noted at this week’s Gartner Security & Risk Management Summit.
Gartner forecasts spending on cloud security to surge by 24%, positioning it as the highest growth segment within the global security and risk management market. The analyst firm also predicts that by 2027, over 70% of enterprises will use industry cloud platforms to accelerate their business initiatives, compared to less than 15% in 2023.
This shift to cloud computing requires a rethinking of security practices. Bartley noted organizations are trying to bring the cloud into “being the new normal” and make it “business as usual.”
He outlines five typical risks prevalent in traditional IT environments that also apply in the cloud: lack of governance, misconfiguration, insecure supply chains and pipelines, data loss or exfiltration, and failures in secrets and key management.
In addition to these common risks, Bartley identifies six unique risks inherent to the cloud:
- Lack of visibility across a sea of change.
- Uncontrolled attack surfaces.
- Identity proliferation and excessive entitlements.
- Shared responsibility.
- Misunderstandings everywhere.
- Compliance, regulation, and sovereignty issues.
“The real takeaway here is that we’re aiming for the same outcomes. We’re trying to build business as usual, looking at the same security outcomes, we want things to be not hacked. However, the approach that we’re gonna end up taking is probably going to be different because we have all these nuances around the risks,” he told SDxCentral.
The misconceptions of shared responsibility
Many CISOs, security teams and cloud teams make assumptions about the shared responsibility model, the framework used by major public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure to delineate which security obligations fall to the provider and which to the customer.
“That’s a combination of assumptions around technology and assumptions around what the cloud providers are providing,” Bartley said.
The challenges lie in compliance, sensitive data visibility, business continuity and confusing service-level agreements (SLAs). “They tend to be around things like orchestration and around who’s responsible for like runtime workloads versus non-runtime workloads,” he added.
Google Cloud is charting a different course from its competitors with what it calls a shared fate model, which fosters a deeper security partnership between the cloud provider and its customers, CISO Phil Venables told SDxCentral in an earlier interview.
“I think what Google did is a very positive move actually, because it does kind of put some of the action or the activity that you’ve got to do back onto Google to make sure that what’s happening and the way that it’s being operated is secure,” Bartley said. “It could be beneficial because it would spell out, especially in these gray areas around is some of the platform services who should be doing what.”
Key cloud security pitfalls and recommendations for CISOs
What do CISOs get wrong with cloud security? Bartley summarized several key pitfalls that plague CISOs:
- Assuming the business line has covered security needs.
- Assuming the cloud is simple and their team can pick it up fast.
- Lacking input into cloud center of excellence (CCoE) or transformation initiatives.
- Failing to collaborate with CIOs to build security into platform engineering/DevOps.
- Bottlenecking development pipelines with old security processes.
- Applying old patterns to new technology.
To address these issues, Bartley recommends several strategies, including the following:
“Using automated tooling, that’s a good way to start to get into inside that DevOps cycle that allows you to actively manage cloud by being inside those developments and pipelines, and on the runtime side, allows you to use automated tooling to highlight things and maybe even suggest also correction,” Bartley said.
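The kind of automated, in-pipeline check Bartley describes can be sketched as a small policy-as-code gate. The following is an added example written for this page, not code from Gartner, SDxCentral or any cloud provider: it scans a constructed set of resource definitions in a simplified, hypothetical IaC-like format (the field names, the `vault:`/`secretsmanager:`/`kms:` reference prefixes and the resource types are assumptions, not any real tool's syntax), flags three of the risk classes named earlier (misconfiguration, excessive entitlements, secrets management), suggests a correction for each, and returns a pass/fail decision a pipeline stage could act on.

```python
"""Policy-as-code gate for a CI pipeline: scan cloud resource definitions,
flag misconfiguration, excessive entitlements and literal secrets, and
suggest a correction for each finding. Added example; resource format is hypothetical."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    risk: str        # one of: misconfiguration, excessive entitlements, secrets management
    message: str
    suggestion: str


# Config keys whose values should never be literal secrets, and the prefixes that
# mark a reference into a secret store (assumed convention for this example).
SECRET_KEY_RE = re.compile(r"(password|secret|token|api[_-]?key)", re.IGNORECASE)
SECRET_REF_RE = re.compile(r"^(vault|secretsmanager|kms):", re.IGNORECASE)


def check_bucket(res):
    """Misconfiguration: storage that is world-readable or has no encryption at rest."""
    out = []
    if res.get("public_read"):
        out.append(Finding(res["name"], "misconfiguration",
                           "bucket is world-readable",
                           "set public_read=false and grant access through IAM"))
    if not res.get("encryption"):
        out.append(Finding(res["name"], "misconfiguration",
                           "no encryption at rest configured",
                           "set encryption='kms' with a customer-managed key"))
    return out


def check_iam(res):
    """Excessive entitlements: Allow statements with wildcard actions or resources."""
    out = []
    for i, st in enumerate(res.get("statements", [])):
        if st.get("effect") != "Allow":
            continue
        wild = [k for k in ("actions", "resources") if "*" in st.get(k, [])]
        if wild:
            out.append(Finding(res["name"], "excessive entitlements",
                               f"statement {i} uses wildcard {' and '.join(wild)}",
                               "enumerate the exact actions and resource identifiers the workload needs"))
    return out


def check_secrets(res):
    """Secrets management: literal credentials in configuration instead of store references."""
    out = []
    for key, value in res.get("env", {}).items():
        if SECRET_KEY_RE.search(key) and not SECRET_REF_RE.match(str(value)):
            out.append(Finding(res["name"], "secrets management",
                               f"{key} holds a literal value",
                               f"replace with a secret-store reference such as {key}=vault:app/{key.lower()}"))
    return out


CHECKS = {"storage_bucket": check_bucket, "iam_policy": check_iam, "config_map": check_secrets}


def scan(resources):
    """Run every applicable check; resource types with no check are skipped, not failed."""
    findings = []
    for res in resources:
        findings.extend(CHECKS.get(res.get("type"), lambda r: [])(res))
    return findings


def pipeline_passes(findings, fail_on=("misconfiguration", "excessive entitlements", "secrets management")):
    """Gate decision for the pipeline stage: False if any finding is in a blocking risk class."""
    return not any(f.risk in fail_on for f in findings)


# Constructed sample input for the example; not taken from any real environment.
SAMPLE_RESOURCES = [
    {"name": "logs-bucket", "type": "storage_bucket", "public_read": True, "encryption": None},
    {"name": "ci-role", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
    {"name": "app-config", "type": "config_map",
     "env": {"DB_PASSWORD": "hunter2-prod-literal", "DB_HOST": "db.internal"}},
    {"name": "audit-bucket", "type": "storage_bucket", "public_read": False, "encryption": "kms"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_RESOURCES)
    for f in results:
        print(f"[{f.risk}] {f.resource}: {f.message} -> {f.suggestion}")
    raise SystemExit(0 if pipeline_passes(results) else 1)
```

Run as a pipeline step, the non-zero exit status blocks the merge or deploy while the printed suggestions tell the developer what to change; the same `scan` function can be pointed at an export of the live estate for the runtime side, since the checks operate on resource attributes rather than on source files.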
Image: Gartner VP Analyst Richard Bartley. Credit: Gartner.