Darron Gibbard, Chief Technical Security Officer, Qualys, looks back at the cloud security space in 2018 and urges CIOs and CISOs to collaborate and develop new approaches to business.
Over the next few years, spending on cloud will continue to expand at around 20% per year until 2021, according to Goldman Sachs. This will see the total worldwide market grow to US$116 million a year, with the majority of cloud spend going to the major public cloud providers Amazon Web Services, Microsoft, Google and Alibaba. This is up from current spend levels of around US$47 billion in 2018.
This expected commitment to cloud is huge for the industry: on one side for CIOs looking to improve company performance and move faster on market opportunities, and on the other for CISOs looking to maintain security regardless of whether platforms are internal or external. The shift to cloud is not going to stop, so what is being done to make it easier to keep cloud implementations secure?
During 2018, the three major Western public cloud providers – Amazon, Microsoft and Google – all hosted industry conferences where security was a key theme for discussion. At Google Cloud Next in London, the company’s then-CEO Diane Greene reiterated how Google embeds custom silicon into its hardware for security purposes as well as providing location restrictions so workloads cannot be moved or run by unauthorised personnel.
At Ignite, Satya Nadella included discussion of how Microsoft approaches its operational security based on more than 6.5 trillion data points processed every day. He also went into how Microsoft is investing in Artificial Intelligence and automation to deal with the growth in attacks on IT infrastructure.
At AWS re:Invent, the AWS team announced a range of security developments, from new serverless and container-focused technology like Firecracker through to wider security management steps like implementing central security hubs and integrating with third-party management providers. These announcements – from specific innovations around how developers deploy applications securely through to cloud-wide oversight and control – demonstrate how much emphasis the cloud providers are putting on security.
Building cloud and security strategies together
With so much focus on cloud and security, how can we continue to build on these approaches and address these issues in 2019? There are five key tenets to consider: accuracy, visibility, scalability, immediacy and orchestration.
For companies moving more of their infrastructure to cloud, the main driver is to become more agile. Public cloud services and hybrid cloud models can help deliver that flexibility, immediacy and scalability but the areas of visibility and accuracy have to be considered separately. For CISOs, ensuring that these other concerns around cloud deployment are considered is essential.
It is therefore worth defining what accuracy and visibility around cloud should mean in practice. Visibility involves getting a complete overview of all IT infrastructure elements that are implemented in the cloud, regardless of whether those elements have been moved into the cloud from on-premises IT or created from scratch. Accuracy describes keeping that complete list of assets up to date over time, across all the different ways that we have to run applications today. This means getting insight into both internal and external platforms and into the myriad ways that companies deploy applications.
Alongside using cloud instances that can scale up and down, developers can choose to run applications in software containers or on serverless computing platforms like AWS Lambda. Traditional IT management, operations and security tools can’t effectively track these additional platforms, leaving CIOs and CISOs unaware of all the assets that are in play at any one time. Couple this with the immediacy of spinning up and tearing down containers to meet scale requirements and your entire IT estate is changing minute by minute, hour by hour. Any point-in-time approach to cloud security scanning will be accurate for that particular scan, but out of date even minutes later.
For security teams, this level of continuous visibility has to be planned into any cloud migration and expansion. If it is not there, then it makes it much harder to know that the whole business is secure. The old adage of ‘you can’t secure what you don’t know about’ rings true for cloud, as deployments here can change so rapidly over time.
Similarly, it is harder to prove compliance around data security if there are gaps in your asset lists. Without the ability to look across multiple platforms in one go and orchestrate security policy across all of those platforms simultaneously, CISOs will find it harder to enforce all the right steps in one overall security strategy. Conversely, getting this transparent orchestration of security right across all platforms – from internal IT and endpoints through to hybrid and public cloud instances – should make the job of managing security easier overall, even as the number of platforms being used within enterprises goes up.
In 2018, we saw an expansion of cloud infrastructure deployments and more commitment by CIOs to developing new approaches to business. As these changes take place, CIOs and CISOs have to collaborate to build security into those migrations so that those digital transformation efforts and new developments are successful over time. As companies bet big on cloud, security can ensure that these bets pay off.