Two reports issued this week at the RSA Conference 2018 show by the Cloud Security Alliance (CSA) highlighted two critical issues that seem to be hampering cloud security. The first is that lifting and shifting IT security processes that were initially designed for on-premises environments is not a good idea. The second is that ongoing exchange of cyber threat intelligence is now an absolute requirement.
The State of Cloud Security 2018 from the CSA draws attention to the fact that cloud security is a shared responsibility of both the cloud service provider and the organization hosting applications on that service. The CSA says safe default configurations and ensuring the proper use of features by enterprises should be a goal for providers. Right now, it’s still too easy for developers to inadvertently leave data exposed on a public cloud.
At the same time, J.R. Santos, executive vice president of research, notes that public clouds and internal IT environments are very different. There is a wealth of steps most cloud service providers have implemented to secure their clouds. Lifting and shifting existing security policies by deploying virtual appliances on a cloud to replicate the same firewall capabilities a cloud service provider already provides is at best inefficient. Enterprise IT organizations need to focus their cloud security efforts on the application level, says Santos.
In fact, Santos says from a cybersecurity perspective it’s not advisable to lift and shift legacy applications into a public cloud. IT organizations would be far better off developing a new cloud-native application from the ground up, says Santos.
IT organizations also need to pay extra attention to cybersecurity issues as they move to deploy microservices and containers on the clouds, advises the CSA.
In a separate report, the CSA also calls for more collaboration between enterprise IT and cloud service providers when it comes to threat intelligence. A Cloud-CISC Working Group seeks to eliminate existing security “stovepipes” by incubating trusted communities of cloud providers to share cyber incident information anonymously.
Overall, the twin CSA reports make it clear there’s a lot of work left to be done in terms of securing the cloud. Advances in DevSecOps are significantly improving the overall state of cybersecurity, especially in the cloud. But DevSecOps today is still a relatively nascent concept inside most organizations. There will always be a need for cybersecurity professionals to define the policies. But over time much of the execution of those policies should become increasingly automated as developers move to build and then deploy their applications.
In the meantime, some ten years after the rise of public clouds, there is still not enough awareness of the cybersecurity challenges posed by public clouds. Most cloud service providers are very adept at securing their own infrastructure. They do that as a rule much better than any internal IT organization could hope to replicate in an on-premises environment. But when it comes to the application level, each cloud customer is left on its own to figure out the right answer. The trouble is that all too often the people deploying an application in a public cloud don’t even know the right questions to ask in the first place.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.