The primary cybersecurity issue most organizations have with moving workloads to the cloud has very little to do with the platforms or technologies being employed to secure them. The bigger issue most organizations face today is that they still don’t have a well-defined set of best practices in place to secure those platforms.
A survey of 700 cybersecurity and IT professionals published this week by the Cloud Security Alliance (CSA), an industry association committed to promoting best cloud security practices, ranks the top five cloud security challenges as proactively detecting misconfigurations and security risks, followed closely by lack of visibility, audit and compliance mandates, management of hybrid cloud environments, and management of multiple cloud environments.
Not surprisingly, that same survey also identifies the top cloud security concerns as the risk of data loss and leakage (62%), followed by regulatory compliance (57%) and integration with the rest of the IT environment (49%).
Absent from those lists of challenges and concerns is anything to do with the cloud platforms themselves. In fact, a public cloud computing platform at the infrastructure level is a lot more secure than the average on-premises IT environment. Where things break down is in the processes used to secure the applications being built and deployed on those clouds. These days it’s not uncommon for developers to spin up any number of virtual machines to run a wide variety of application workloads, only for someone to later discover that critical data has been left wide open for anyone to view simply because the cloud service wasn’t configured properly.
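The "proactively detecting misconfigurations" that survey respondents rank first can be turned into an automated check. As an added illustration (not code from the article or from Barracuda), the snippet below parses a storage bucket policy of the IAM-style JSON shape used by AWS S3 and flags every Allow statement that grants access to everyone, which is exactly the "left wide open" case described above. The AWS policy format is an assumption the article does not name, and the bucket name, account id and both policies are constructed samples.

```python
import json

# Constructed sample policies (not from the article). They follow the IAM-style
# JSON document used by AWS S3 bucket policies; bucket name and account id are made up.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
    }],
})

FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # read access limited to one application role
            "Sid": "AppRoleRead", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
        },
        {   # a Deny aimed at everyone is a hardening control, not an exposure
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

def _is_public(principal):
    """True when the principal is the wildcard, or a map with a wildcard value."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            if "*" in (value if isinstance(value, list) else [value]):
                return True
    return False

def find_public_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement open to everyone.
    Unconditional public Allows are the 'left wide open' case; a conditional one
    is still reported so a human can judge whether the condition really limits it.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    return [(s.get("Sid", "<no Sid>"), "Condition" in s)
            for s in statements
            if s.get("Effect") == "Allow" and _is_public(s.get("Principal"))]
```

Run `find_public_statements` over every bucket policy in a deployment pipeline and fail the deployment on any unconditional finding; the weak sample above produces one finding, the fixed sample none.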
It’s always exciting when organizations can build and deploy applications faster. However, when all that excitement is followed by an almost inevitable period of fear and loathing because data residing on a public cloud has been lost or exposed, it’s understandable why so many cybersecurity and IT professionals are still wary of public clouds.
Naturally, organizations should be holding developers more accountable for those breaches. At the same time, however, if a developer wasn’t properly trained to secure that cloud environment in the first place, perhaps the blame for a breach should lie with those in the organization who let that developer “play in traffic” in the first place.
Rather than simply letting developers deploy application workloads in the cloud willy-nilly, organizations should require developers to pass a series of tests that conclusively demonstrate their understanding of how to securely deploy a workload on a public cloud. Of course, that also means organizations should train developers on what the best practices for achieving that goal are.
Cloud service providers like to tout the importance of shared cybersecurity responsibilities, which is their way of saying “we only secure the infrastructure.” As far as the application is concerned, every customer is mostly on their own. In fact, the best advice cloud service providers have can basically be reduced to a reminder to encrypt data so that when an inevitable breach does occur, no one will be able to use that data. Organizations that don’t develop their own set of DevSecOps processes are simply standing around waiting for something bad to happen.
The truth is it’s hard to say who should be held more accountable for a cybersecurity breach. The IT leaders who allowed developers to deploy a workload in the cloud without any adult supervision are often just as responsible as the developer. It’s just often a lot easier for managers to throw an individual developer under the proverbial cybersecurity bus. When all the forensics concerning how that cloud security breach came about are finally completed, however, the conclusion more often points to a manager who failed to create, explain and maintain a consistent set of processes than it does to some rogue developer who for no apparent reason decided to deploy an application on a public cloud without first asking for permission.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.