Rapid cloud migration forcing organizations to rethink data security
As cloud adoption and migration continue to accelerate, so do the risks of operating in the cloud.
Last year, we saw security event after event keep security and compliance professionals on their toes - from the Equifax breach and the Alteryx S3 misconfiguration to WannaCry and countless other scams and phishing exploits.
With Meltdown and Spectre already causing major disruptions, SecOps will continue to work overtime this year. However, there are lessons learned from 2017 that we can leverage to make working in the cloud safer. Here are some of my thoughts.
Continuous monitoring and continuous learning will be essential.
The near future is clear: The typical organization will soon have thousands of workloads strewn across multiple cloud service providers distributed around the globe. This brings about a new set of security and compliance requirements.
First-gen cloud infrastructure security tools were rule-based configuration checkers that helped with basic blocking and tackling. Looking forward, enterprises will quickly adopt a new generation of tools and services that will continuously ingest volumes of security and configuration data from a variety of sources, putting alerts into context, and making the context actionable.
“First-gen” cloud compliance scanning tools will be retired.
We saw a string of publicly disclosed cloud security incidents in 2017, where organizations were relying on policy-based compliance and configuration scanning tools as key components of their cloud security strategy. Unfortunately, these tools can only tell you what can potentially go wrong.
Without any context or impact analysis, it’s impossible to identify what is going wrong, and what needs to be immediately fixed. This year we will see the end of traditional compliance scanning tools, as they will be replaced by AI-driven approaches that are constantly learning about the environment and pinpointing anomalies.
No IT or DevSecOps team, irrespective of their knowledge or size, is able to scale to keep up with the avalanche of data and required analysis needed to make timely public cloud environment decisions.
DevSecOps won’t mean the death of security organizations.
There’s speculation that 2018 will mark the end of security as we have known it, because with DevSecOps, developers will manage security and there will be no further need for security teams. That’s simply not true.
DevSecOps will make security a shared responsibility between developers and security teams. Security by design will be key, but so will the trust-but-verify model. Even if you have the most secure coding pipeline with checks at the CloudFormation and Terraform templates level, you will still need to look for anomalous activities in your environment, which could be introduced through zero-day attacks or developer oversight.
There is little doubt that this year will present us with new cloud computing opportunities and risks. But the benefits far outweigh the challenges. The key is that DevOps and DevSecOps need to lean forward and think differently about how they adopt, scale and protect workloads in the clouds.
New tools and products are being purpose-built for the cloud every day. The result will be that, as an industry and community, we can make the cloud a safer place to do business.