Ryan Sheldrake, Field CTO EMEA, Lacework
The growth in cloud usage over the past decade is undeniable. Enterprises across the globe are increasingly taking advantage of the elasticity and scalability the cloud provides – in some cases driven by the COVID-19 pandemic and the massive shift to online working, and now, following the easing of restrictions, to support a hybrid workforce. This acceleration of what many call “digital transformation” is a good reminder of the importance of cybersecurity as a key consideration from the get-go when moving to a cloud environment. The good news is that the industry is moving in the right direction: Gartner predicts a further shift left for security and mainstream adoption of DevSecOps by 2022. Yet scaling the cloud fast while prioritising security is no easy task. With increasing cyberthreats, a critical digital skills gap in the cloud, and the deluge of data overwhelming security analysts, there are a number of factors to consider in order to migrate to the cloud securely.
For IT teams under pressure, choosing the fastest way to migrate to the cloud may seem like the best solution. A ‘lift and shift’ approach, where applications are transported from on-premises to cloud environments regardless of what infrastructure they were designed to function in, is therefore disappointingly popular. It is not the most appropriate solution when it comes to security, and in fact, can increase risk. So, what is the answer for understaffed DevSecOps teams hoping to reduce cloud vulnerabilities, while also embracing digital transformation at rapid speed? The two solutions go hand-in-hand: automation and visibility.
Security under pressure
According to recent studies, around two-thirds of organisations believe security is the biggest challenge when it comes to cloud adoption, and many organisations worry they do not have the expertise to effectively address these issues. As the global cloud computing market grows, many enterprises are falling victim to the digital skills shortage, with cloud security positions particularly difficult to fill. In fact, reports from 451 Research highlight that 86% of companies struggle with the skills gap for implementing cloud. It is a challenge to find professionals with the breadth of knowledge to protect against the increasing sophistication of large cybercriminal gangs or ransomware groups. These rising threats and the lack of experience inevitably lead to the deployment of more ad-hoc cloud security tools in an attempt to mitigate risk faster. This approach only adds another layer of complexity, making an organisation even more vulnerable.
Understandably, IT professionals harbour some anxieties around how to effectively configure and secure the cloud environment. As external and internal pressures mount, teams can be forced into making riskier decisions and implementing applications that are not wholly suitable for the business. In the industry, the ‘lift and shift’ approach is also known as the ‘wheelbarrow effect’: throwing an application into a ‘wheelbarrow’, transferring it to the cloud and letting it run as it is. The key drawback here, however, is that this application was never designed to work within a cloud environment and will therefore lack observability capabilities, a gap that could put cloud security at serious risk. What’s more, the migration process will slowly come to a standstill once visibility is impaired, and teams will lose the ability to monitor all data in motion. With no clear line of sight into traffic, the cloud infrastructure can be plagued with misconfigurations, inefficiencies, and easily penetrable vulnerabilities. It is therefore essential that IT teams avoid introducing non-cloud-native applications into the cloud environment, regardless of how much pressure they are under.
Observability is key
Visibility is essential when it comes to managing and protecting data in the cloud. As the need to scale and be secure becomes more important than ever for businesses, IT complexity increases, and it becomes even more of a challenge, if not impossible, to manage what you cannot see. Without data analytics and visibility, SecOps teams may be unable to detect the most critical threats endangering their infrastructure.
With today’s complex threat surface, it is all too common for the ‘already known’, less severe attacks to be detected, while the ‘unknowns’ – the zero-day attacks – go unnoticed. Therefore, CISOs and their SecOps teams must prioritise a new approach that involves analysing data anomalies and behavioural outliers. While zero-days typically evade traditional tooling, increasing cloud visibility greatly improves the chance of early detection, and automated machine learning (ML) solutions can pick up unusual behaviours and flag them as high-risk alerts for SecOps teams to act on. By implementing autonomous technologies that shift away from the traditional approach to security, the pressure on the human workforce is greatly relieved.
Ultimately, cloud security cannot be efficient without full cloud visibility. Many CloudOps teams are now also considering the implementation of software agents that function autonomously in cloud and containerised environments. These agents collect data from the workloads running in the cloud environment, creating ever-evolving baselines and visualisations of those workloads. They can learn from the baselines of the environment and alert on indications of compromise. Again, this technology can ease the pressure on SecOps teams, with a three-fold benefit: enabling better visibility, improving cloud security and supporting the overstretched IT workforce.
While the ‘wheelbarrow effect’ is likely to exist for as long as digital transformation accelerates, it is key that teams remember that moving non-cloud-native applications into the cloud environment will only open the door to more risk. As pressure mounts for DevSecOps teams, it is understandable that many are seeking the quickest route to cloud adoption. Yet fast doesn’t always mean secure, and it is therefore essential that visibility and automation are viewed as integral to enabling a cloud-centric world.