People are right to be concerned about cloud security risks. The agility, flexibility, scalability and affordability of cloud, while addressing many IT infrastructure challenges, also introduces a host of security risks and potential vulnerabilities. And, as it turns out, cyberattacks on cloud services have soared during the pandemic. An analysis of data from more than 30 million McAfee cloud customers revealed cyberattacks on cloud services increased by a whopping 630% in the first three months of the pandemic alone.
More often than not, cyberattacks succeed because multi-cloud environments don’t have adequate security policies in place. Why do they lack the proper policies to prevent cyberattacks? Because a multi-cloud strategy adds layers of complexity to IT infrastructure management. Policy enforcement can easily get lost in that complexity.
IT departments handle security, but they also have a lot of other things on their plate. They have to manage multiple cloud resources – both public and private – as well as on-premises solutions. They have to develop provisioning processes for resource deployment and enact them across the enterprise. And don’t forget, they have to do all of this with limited resources and within strict budgets. That’s a lot to handle on top of ensuring broad, company-wide compliance with security requirements.
Many organizations believe that the solution is to further centralize the management of cloud resources. Unfortunately, with hybrid environments continuing to grow in complexity, further centralization won’t help the problem. It could even make it worse.
The Need for Self-Service IT
When people think of decentralization, they often imagine chaos and loss of control. Control is important, of course. IT has a mandate to manage costs and ensure adherence to security and governance policies. You can’t just let anyone provision cloud resources whenever and however they want, for example. Naturally, IT departments often seek to fulfill their mandate by centralizing the process, insisting that all provisioning requests go through them.
Unfortunately, centralization can actually make the problem worse by inadvertently spawning shadow IT. With all of their responsibilities, IT admins can’t always respond to provisioning requests in a timely manner. At the same time, development or engineering can easily go around IT and provision their own cloud resources without waiting. Since these departments can easily spin up test servers on AWS with just a credit card and the click of the mouse, they will. So, you end up with an unknown number of unauthorized, ad hoc services running in the background, consuming expensive resources and creating unmonitored security risks.
Some enterprises avoid this by implementing a decentralized, self-service IT model. In this scenario, IT creates a catalog of resources (storage, compute, etc.) and services (ServiceNow, Ansible, Terraform, etc.) and makes them available to their internal customers through a single portal. In the best case scenario, this model uses intelligent automation to maintain control over user roles and permissions, configurations, quotas and usage rates. This means DevOps can get the resources they need without having to wait on IT, and IT can maintain control over cloud usage.
Problem solved, right? Not exactly. You may have eliminated shadow IT and solved a lot of security issues, but the next step is to decentralize security awareness.
Decentralizing Cloud Security Awareness
With self-service IT, you may have effective guardrails in place to rein in costs and enforce security policies, but you could still have 20 different engineering teams consuming cloud resources in an environment that’s rapidly changing. Misconfigurations and vulnerabilities can still be created by provisioning resources in ways that IT hasn’t accounted for. Furthermore, what is available through self-service might meet a developer’s needs one day, but not the next. They may wish to use new tools or solutions that the organization hasn’t provided yet. The temptation to go outside the system is still there. And that means security risks to the organization still exist.
The best way to solve this problem is to decentralize security awareness using an alert and visualization system so people can see the impact of the decisions they make, when they make them. For example, when developers write code, they can automatically be notified of any inadvertent security issues in the code so they can fix them. Or, when engineers provision cloud resources, they can receive warnings if they have unwittingly created a security risk by doing so, and the system can recommend a safer option. In this way, visualization tools and automation can secure your cloud infrastructure, both up- and downstream.
Dynamic cloud visualization tools give you end-to-end visibility of your cloud resources and configurations. As services are deployed and configured, intuitive diagrams can show multiple teams, in real-time, what is happening in their application stacks. This helps enterprises define, continuously monitor and audit policies.
Robust workflow automation can also deliver fast, actionable insights to the people who need them, allowing them to remedy security issues as they are created.
Furthermore, automating the processes that allocate your cloud resource deployments and configurations will allow you to visualize cloud services compliance against industry standards such as CIS, PCI-DSS and the AWS Well-Architected Framework.
CMPs Must Foster a Culture of Security Awareness
Security awareness must be embedded in decision-making processes across the organization. Security issues must be detected and addressed when and where they occur. Cloud management tools must therefore evolve to help enterprises manage cloud deployments intuitively, confident that any misconfiguration will be automatically highlighted/remediated. For this reason, going forward, cloud management platforms (CMPs) will be evaluated not simply in terms of their inherent capabilities, but also in terms of the cultural changes – such as increasing security awareness – they can drive and support.
CMPs can do this by promoting constructive decentralization wherever possible.