Why is it that cloud security is easy for companies to talk about but difficult for them to implement at scale?
When discussing information security in a public cloud environment, it is common to use buzzwords such as encryption, access control, MFA, and vulnerabilities. And the most common image of a threat to information security is the depiction of someone in a hoodie stealing credit card numbers.
Let me be clear: these are important technical issues to control, and you cannot survive without controlling them. However, these security issues are only a small piece of a complete security strategy in today’s cloud-first world.
Incorporating Cloud into your business strategy can be a daunting task, especially when it comes to information security. But it doesn’t have to be.
3 Key Points to Consider
No company wants to end up as the next headline because of a data breach. Security teams are cautious and hesitant to use the Cloud, often limiting the speed of the operations and business teams they work with. It doesn’t have to be that way.
Cloud security isn’t a technical problem; it’s a people problem.
1. Usability vs. Security – Put People First.
This is a battle that has raged since the dawn of computing. A system can be designed to be 100% secure if it’s encased in lead and buried underground. Obviously, this would make it unusable, so we need a better option: the on-prem datacenter.
Though glorious in all its twisted cable wonder, an on-prem datacenter is large, hulking, and expensive to operate. We need something better. Something like the public cloud – mysterious, elusive, and intangible.
If you want to frighten a security team that is at the beginning of its cloud adoption strategy, just remind them that at the end of the day, the Cloud is simply someone else’s computer.
But again, cloud security is not a technical problem, it’s a people problem. Many of our customers that are using the Cloud today are doing it successfully because they have proven that the Cloud is both accessible and secure. They do this by starting with training and education.
If your team has the right opportunity and resources to learn how to integrate security into their daily workflows, there is no need to compromise usability or security.
According to the 2019 Verizon Data Breach report, 45% of breaches in the information sector were due to system misconfiguration. This could be due to a lack of knowledge, inadequate training, or simply cutting corners in an attempt to get things done quickly. Whether you are a developer or work in DevOps, operations, or sales, you must know how to securely use the tools necessary to do your job.
When balancing usability and security, the first step is to understand how your teams work, what their processes are, and how they get things done. Then integrate security into their workflows rather than layering it on top. Start with educating all teams and move forward from there.
2. Cost vs. Return – Visibility is Key.
We all want to move a little faster, be a little more agile, and at the end of the day, get stuff done.
Traditionally, implementing security comes with a high price tag and a very hard-to-quantify rate of return. The Cloud has greatly simplified these operations.
As a result, several burdens of a mature security model have been removed due to the shared nature of security in the Cloud. Individual companies can free up resources and time.
Similar to the way an insurance company calculates rates based on how often I will get in a car wreck, the return on investment in security is often ambiguous. Considering the probability of an event that may never happen, to a certain degree, we are paying for peace of mind.
Making investments in security for your company should do 1 of 3 things:
- Provide greater visibility into your IT estate
- Increase the efficiency of response actions in the event of an incident
- Meet regulatory and compliance obligations
Microsoft has a great article on their shared security model in Azure that outlines where security teams operating in the Cloud need to focus their attention as they partner with Microsoft.
3. Scale vs. Efficiency – How Much Security Do We Really Need?
An overwhelming number of activities keep a security team busy, with an unending supply of vulnerabilities released daily.
And with the advent of monitoring tools such as SIEMs, SOARs, automated response, threat intelligence feeds, proactive monitoring, alerting, hunting, and more, security teams are in a constant state of weary-eyed readiness.
Understaffed security teams often experience ‘alert fatigue’. It doesn’t take long to reach the point of diminishing returns while finding creative ways to incorporate new tools and techniques as well as working to stay ahead of the flood of daily threats.
How do we solve this type of problem in the Cloud?
Automate, automate, automate! One solution is to avoid using cloud antipatterns. Let the platform do the heavy lifting for you, as it was designed, so that your security team can focus on differentiators and be proactive.
With tools like Azure Policy, organizations can ensure their environments remain in compliance, thus reducing the time spent on internal audits or configuration reviews. To free up valuable time to do more proactive work, let the platform do the work.
"Focus on what matters – people, visibility, and efficiency."
Operating in the public cloud requires a new skill set and a shift in focus for organizations. We don’t have to worry about who has access to the server room or about configuration drift.
Now we have new, more efficient tools to help us monitor our environment so that we can focus on what matters: people, visibility, and efficiency.
When you trust 10th Magnitude, you don’t have to worry. Our team of experts can help you every step of the way.
As a born-in-the-cloud, Azure-centric partner, we understand how to tap into the power of the Cloud to help your organization become a secure leader in digital innovation.
If you want to transform your teams and create a competitive edge, take the next step and fill out the Azure Health Check form to get started.