
Contributed by guest blog author Philip Bues, IDC Research Manager, Cloud Security
We’ve all seen the headlines: “Expanding Requirements and the March to Cloud Fuel the Market,” “Traditional Threat Vectors Surge During Crisis,” “What Lies Beneath the Attack Surface,” “New Zero Day Exploit Discovered.” Sounds a bit like the movies, but it’s the current pandemic-laced view of cloud security reality we live in now. Fortunately, at least part of it—how we choose to react to it—is up to us. Despite the headlines, the cloud should not be a jump scare for any organization. Worldwide surveys and research show that misconfigurations, advanced malware (including ransomware as a service), compromised credentials, and unpatched vulnerabilities are among the leading causes of breaches. Cybermiscreants, nation states, and human error are the enablers. This being the case, how do organizations reduce complexity and operationalize the protection of applications and data in the cloud without bringing on more hard-to-find security experts?
Not All Clouds Are Created Equal
One natural progression would be to consider using a public cloud for IaaS rather than private datacenters to support critical applications. Public cloud vendors can enhance an organization’s ability to offer a resilient and secure environment by providing additional protections. These include supplying cloud security posture management (CSPM) tools and absorbing responsibility for preventing and securing exposures from the physical up to and sometimes including the operating system. In their current advanced state, some second-generation clouds provide security guidance and blueprints during migration and deployment. However, although choosing to work with a public cloud vendor brings with it a perspective on the big picture, a road map, and a delineation of responsibilities, not all clouds are created equal, and some processes may still be a huge lift for an already overwhelmed IT staff.
Choice is freedom, no doubt, but at what price? IDC’s 2020 Cloud Security Survey shows that organizations realize that IT staff face an uphill battle in dealing with both the continued pandemic and the fast-moving “work from anywhere” economy. The results suggest that insufficient staffing and security capabilities, along with existing hard-to-use security tools, prevented organizations from investigating all suspicious alerts.
As a result, IDC’s guidance for most organizations—including those in the government, healthcare, and finance sectors—would be continued movement of some or all activities to cloud or hybrid cloud. These organizations may want to consider working with a next-generation cloud service provider or vendor in making this move.
Prescriptive Security
Recently, a number of second-generation clouds, including Oracle Cloud Infrastructure (OCI), have announced new offerings that address the aforementioned challenges and provide customers with new services. They seek to deliver simple, prescriptive, and integrated security across IaaS, PaaS, and SaaS. Potential customers will hear terms such as “baked in,” “prescriptive security,” and “best practices” bandied about. It’s all part of second-generation cloud service providers’ principles of easy-to-use and transparent security.
Prescriptive security is akin to guardrails utilized by second-generation cloud service providers to help secure assets and reduce risk for their customers. First-generation clouds with commodity hardware may be operating without guardrails, and customers’ data can potentially be at risk due to open hypervisor configuration exposures, which can expand the attack surface. Second-generation clouds, homegrown from the bare metal instance up, come with processes in place to reduce human error and shift the burden of cloud security responsibility back to the cloud service provider. Some of this is done by removing the complexity of the optional, subscription-based security services that customers would otherwise have to learn and configure. Instead, these services are part of an always-on, default capability.
As mentioned in previous IDC guest blog posts, recipes and preventative control features are big pieces of this strategy. Prescriptive security makes policy enforcement easier and simplifies detection, response, and remediation. For example:
- Cloud security policy management recipes can detect common cloud security issues, automate remediation processes, and resolve or dismiss challenges such as misconfigured resources and/or insecure activity in a customer’s tenancy. Detectors continuously monitor activity and configurations, eliminating the “what choice do I have” dilemma. The choice is already made for the organization. However, it is possible to modify certain recipes.
- Preventative control features can protect against human error. Items such as security zones are compartments governed by resource-based policy sets that prevent common breach pitfalls such as the creation of public buckets in object storage. They work with different infrastructure types including networking, storage, compute, and database. Unless all security policies are met, a request will be denied and common defeats like privilege escalation won’t work.
In most organizations, adding well-orchestrated layers of automated protection that sit on top of the security baseline is always welcomed by IT. IDC believes cloud providers that offer automated remediation vulnerability scanning services provide a much-needed safety net and save DevOps teams’ valuable time.
Evolving customer demands continue to fuel cloud platform security innovation, and one notable trend is in the direction of security vendor consolidation and simplicity, further unrealized byproducts of prescriptive security. For example, certificates have traditionally been a hard-to-manage area and one that is manually intensive. There are now over 100 worldwide certificate authorities. To remain in compliance and good standing, organizations need to assign dedicated personnel. Downtime or outages due to certificate expiration are detrimental not only to the customer’s bottom line but also to its reputation. With second-generation cloud providers, these services are automated and able to create, deploy, monitor, and renew certificates to reduce wasted time, avoid misconfigurations, and keep certificates from expiring.
Free Services and Free Tier Trial Accelerate Services Adoption
Let’s take a moment to think about what’s more important to an organization: security or cost? Such a choice represents a double-edged sword, and it is not a decision to be made without all the relevant information. Paid or free, full visibility into all the security features is necessary for those just embarking on their cloud journeys to make the right choice. Typically, customers can sign up for a 30-day trial.
Looking Ahead
The pandemic has wrought many changes, some of which are here to stay. Organizations have accelerated the rollout of their digital transformation road maps, and they are pioneering a new frontier in the work-from-anywhere, cloud-enabled economy, seeking to solve all the associated challenges this change has brought.
Complexity is, and always will be, the true enemy of security. In many ways, the security baseline you establish now and the prescriptive, automated capabilities you add into your cloud security, such as posture management, can protect your environment from future threats while creating a streamlined and efficient workflow safeguarding your most valuable asset: people. Second-generation cloud providers offer organizations a simpler and clearly differentiated choice for cloud security.
Message from the Sponsor
To learn more about the benefits of working with a second-generation cloud provider, read the IDC Lab Validation Brief, “Putting Tenant Data Safety and Privacy First with Automated Operations,” sponsored by Oracle.
