Restoring the balance between agility and security in the cloud
September 2019 by Colby Dyess, Director of Cloud Marketing at Tufin
In order to be more responsive to shifting consumer needs, the modern enterprise is built with agility at its core. However, traditional security tools and processes were designed for a less-dynamic landscape, leading organisations to trade security for agility. In this era of increasingly aggressive cyberthreats and ever more costly regulatory fines, this is a grave mistake. To protect the enterprise in 2019, IT leaders need to restore the balance between agility and security.
However, it is arguably more difficult to do this than ever before. This is due in part to a tectonic shift towards enterprises moving to the cloud. More than three-quarters (77%) of organisations now have at least one application or a portion of their computing infrastructure in the cloud, and a massive 83% of enterprise workloads are predicted to be in the cloud by 2020. While legacy applications have not gone away, the resulting hybrid and multi-cloud environments are an inherent part of the new computing reality. However, these complex, fragmented environments are difficult to manage.
Circumventing the roadblocks
According to RightScale’s 2018 State of the Cloud Report, four-in-five enterprises now have a multi-cloud strategy. If you are one of them, it is almost certain that you have experienced one, if not all, of the following five major roadblocks to moving to the cloud securely:
• Visibility
In the cloud, business units have the freedom to create instances and operate applications whose resources naturally come and go. This organic cloud adoption is a subset of shadow IT and can make it challenging to obtain and maintain visibility. Traditional security practices are often circumvented or engaged too late in the deployment cycle. Additionally, legacy practices tend to require manual intervention or, even worse, lack support for cloud and cloud-native security controls altogether. This makes it very difficult to measure risk.
• Compliance
The cloud adds an additional layer of complexity to meeting compliance. Existing tools and practices can make it difficult to exert control over the cloud without slowing everything down. For example, GDPR requires that businesses “implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this regulation and protect the rights of data subjects”. Whilst there are a number of best practices for enforcing compliance in traditional environments, implementing similar protections in the cloud requires significantly different tactics. You must, therefore, understand how the cloud works to properly implement the specific cloud-native controls.
• Automation
Nearly two-thirds (62%) of cybersecurity and IT professionals name misconfiguration of cloud platforms as the single biggest threat to cloud security. Automation is the natural remedy for misconfiguration, yet security teams generally equate automation with a loss of control. In reality, automation enables proactive detection and correction of security issues before they reach production. Further, automating security policy changes provides the pathway for consistent application of security rules and measurable compliance. Done properly, automation frees security professionals from mundane tasks so they can focus on higher-value challenges.
• DevOps and security
DevOps teams often want to move as fast as possible, while security teams are focused on ensuring that nothing goes out that has not been reviewed thoroughly. Individually, each team strives to address its responsibilities and meet goals that provide business value. However, their well-worn processes tend to keep each operating in near isolation rather than collaborating early and often, which leads to insecure code being released.
• Hybrid IT
Even enterprises that are ready to embrace a cloud-first approach often find themselves saddled with on-premises applications and resources that can linger for years. A hybrid IT environment adds complexity, due to an ever-increasing set of security controls and a lack of industry standards. While existing security tools and practices in the enterprise may be sufficient for legacy IT infrastructure and applications, they do not apply to cloud-native, agile projects. Securing the modern enterprise requires the ability to manage security policy across traditional and cloud-native environments.
The path forward
At a high level, the path forward needs to be one where security is fully integrated into the overall IT landscape, no matter if you are deploying your applications on-premises, in the cloud, or a hybrid combination of the two. Security mustn’t be an afterthought or an add-on. By embedding automated security compliance checks into every CI/CD pipeline, organisations can discover and remediate potential security risks before an application moves into production.
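What an automated policy check in a CI/CD pipeline can look like, as an added example (this is not Tufin's code or any product's behaviour). It serves both the misconfiguration point above, where a too-open rule is the thing to catch before production, and the central-policy point: a single declared policy is evaluated against a set of cloud firewall rules, and the pipeline fails on any rule the policy does not permit. The policy, the rule shape (a simplified security-group ingress entry) and all sample rules are constructed for illustration.

```python
"""Added example: a minimal CI/CD policy gate for cloud firewall rules.

Not Tufin's code. The policy, the rule format and the sample rules below are
hypothetical and constructed for illustration only.
"""
import ipaddress
import sys

# Constructed central policy: which source CIDRs may reach which TCP port
# ranges. Any (source, port range) pair not covered by one entry is a violation.
POLICY = [
    {"name": "public-https", "ports": (443, 443), "sources": ["0.0.0.0/0"]},
    {"name": "corp-ssh", "ports": (22, 22), "sources": ["10.0.0.0/8"]},
    {"name": "app-to-db", "ports": (5432, 5432), "sources": ["10.20.0.0/16"]},
]

# Constructed sample rules in a simplified security-group ingress shape.
# Protocol "-1" means "all protocols/ports", so the port fields are ignored.
SAMPLE_RULES = [
    {"id": "sg-web", "protocol": "tcp", "from_port": 443, "to_port": 443,
     "sources": ["0.0.0.0/0"]},                       # public HTTPS: permitted
    {"id": "sg-bastion", "protocol": "tcp", "from_port": 22, "to_port": 22,
     "sources": ["0.0.0.0/0"]},                       # SSH from the internet: misconfiguration
    {"id": "sg-db", "protocol": "tcp", "from_port": 5432, "to_port": 5432,
     "sources": ["10.20.0.0/16", "10.20.5.0/24"]},    # DB from app subnet(s): permitted
    {"id": "sg-legacy", "protocol": "-1", "from_port": 0, "to_port": 0,
     "sources": ["10.0.0.0/8"]},                      # "all ports" from corp: too broad
]


def _source_covered(src, allowed):
    """True if the src CIDR lies entirely inside one of the allowed CIDRs."""
    net = ipaddress.ip_network(src, strict=False)
    for a in allowed:
        anet = ipaddress.ip_network(a, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first;
        # an IPv6 source is never covered by an IPv4-only allow list.
        if net.version == anet.version and net.subnet_of(anet):
            return True
    return False


def _port_span(rule):
    """Normalise the rule's port range; 'all protocols' means every port."""
    if rule["protocol"] == "-1":
        return 0, 65535
    return rule["from_port"], rule["to_port"]


def evaluate_rule(rule, policy=POLICY):
    """Return violation strings for one rule; an empty list means compliant.

    Every (source, port range) pair must fit inside a single policy entry, so
    an 'all ports' rule fails even when its source is an otherwise trusted net.
    """
    lo, hi = _port_span(rule)
    violations = []
    for src in rule["sources"]:
        permitted = any(
            e["ports"][0] <= lo and hi <= e["ports"][1]
            and _source_covered(src, e["sources"])
            for e in policy
        )
        if not permitted:
            violations.append(
                f"{rule['id']}: {src} -> ports {lo}-{hi} ({rule['protocol']}) "
                f"not permitted by policy"
            )
    return violations


def evaluate_rules(rules, policy=POLICY):
    """Evaluate a whole rule set and collect every violation."""
    return [v for r in rules for v in evaluate_rule(r, policy)]


def gate(rules, policy=POLICY):
    """CI gate: 0 when the rule set is compliant, 1 when anything violates policy."""
    violations = evaluate_rules(rules, policy)
    for v in violations:
        print("VIOLATION", v)
    return 0 if not violations else 1


if __name__ == "__main__":
    # Exit status is what the pipeline acts on: non-zero blocks the deployment.
    sys.exit(gate(SAMPLE_RULES))
```

Run against the constructed rules, the gate reports sg-bastion (SSH open to 0.0.0.0/0) and sg-legacy (all ports from the corporate range) and exits non-zero, while the HTTPS and database rules pass. The same policy can be evaluated against rules exported from any environment, on-premises or cloud, which is the practical meaning of enforcing one central policy across hybrid IT.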
Digital transformation is driving cloud adoption and new development practices. You need not fear the transition to the cloud. By adopting cloud-native and DevOps practices and placing a focus on security policy, IT security can help the enterprise restore the balance between agility and security. If your organisation has cloud-native applications as well as on-premises resources, the way to tighten security posture across hybrid IT is to enforce a central security policy.