Public clouds have fundamentally changed the way organizations build, operate, and manage applications. Developers now have easy access to a variety of cloud services and tremendous flexibility in how each service can be configured in order to build complex, modern applications. However, this freedom to innovate also comes with its own set of cloud security risks.
The dynamic nature of the cloud is forcing information security teams to rethink how they operate in order to address emerging security and compliance challenges. In this article, we address three of the most common challenges cloud security practitioners face and offer recommendations for solving them.
3 Cloud security challenges (and how to solve them)
CHALLENGE 1: Security change management can't handle the speed of the cloud
Cloud computing has made DevOps a reality, with developers executing hundreds of code changes every week. The traditional change management approach of meeting once a month (or at any other regular interval) to review the security impact of new updates and changes doesn’t work in the cloud.
SOLUTION: Shift security mindset from blocking teams to building guardrails
To help the business move fast and stay secure, security owners need a shift in mindset. Cloud security teams need to strike a balance between giving developers what they need when they need it, and also putting rules in place to ensure security. To do this, align with your organization’s Cloud Center of Excellence to create a cloud governance program where you define best practices, socialize them, and take action when a policy or standard is violated.
The best security teams today think like developers. They share code examples of correct usage and build security guardrails to ensure someone doesn’t accidentally make a mistake. To help increase cloud security policy adoption, ensure policies are clearly defined and written as something a developer could actually put into code. For example, a policy that passwords must be complex is hard to act on; a policy that passwords must be greater than 12 characters is better because a developer can implement it in code.
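The 12-character rule above written as a guardrail check, added here as an illustration (it is not code from the article). It assumes each account's password policy is available as a dictionary with a `MinimumPasswordLength` field, as in AWS IAM's account password policy; the account names, snapshot values, and function names are constructed.

```python
"""Guardrail for the rule 'passwords must be greater than 12 characters'."""
from dataclasses import dataclass
from typing import Optional

MIN_EXCLUSIVE = 12  # from the article: "greater than 12 characters"


@dataclass(frozen=True)
class Finding:
    account: str
    passed: bool
    reason: str


def check_password_policy(account: str, policy: Optional[dict]) -> Finding:
    """Evaluate one account's password policy snapshot against the rule."""
    if policy is None:
        # No policy configured at all: fail closed rather than skip the account.
        return Finding(account, False, "no password policy configured")
    length = policy.get("MinimumPasswordLength")
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(length, int) or isinstance(length, bool):
        return Finding(account, False, f"MinimumPasswordLength not an integer: {length!r}")
    if length <= MIN_EXCLUSIVE:
        # Exactly 12 fails: the rule says "greater than", not "at least".
        return Finding(account, False, f"minimum length {length} is not greater than {MIN_EXCLUSIVE}")
    return Finding(account, True, f"minimum length {length}")


def evaluate(snapshots: dict) -> list:
    """Check every account, in a stable order for reporting."""
    return [check_password_policy(a, p) for a, p in sorted(snapshots.items())]


def gate(snapshots: dict) -> int:
    """Exit code for a pipeline step: 0 if every account passes, 1 otherwise."""
    return 0 if all(f.passed for f in evaluate(snapshots)) else 1


# Constructed sample snapshots (hypothetical accounts, assumed data shape).
SNAPSHOTS = {
    "dev": {"MinimumPasswordLength": 8},
    "staging": {"MinimumPasswordLength": 12},
    "prod": {"MinimumPasswordLength": 14},
    "sandbox": None,
    "legacy": {"MinimumPasswordLength": "14"},
}

if __name__ == "__main__":
    for f in evaluate(SNAPSHOTS):
        print(f"{'PASS' if f.passed else 'FAIL'}  {f.account}: {f.reason}")
    raise SystemExit(gate(SNAPSHOTS))
```

A rule such as "passwords must be complex" has no equivalent comparison to write, which is why the measurable form is the one that can be enforced automatically.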
CHALLENGE 2: Lack of skilled staff and appropriate guidelines for security teams
Even though IT teams and developers have been embracing DevOps techniques and building applications in the cloud for years, these technologies are still relatively new for many teams. Finding engineers who are skilled in both security and cloud can be a difficult challenge.
SOLUTION: Train internal teams and leverage cloud security standards
While there is no easy solution to this problem, organizations can start by identifying internal personnel skilled in DevOps and training them in cloud security. These individuals can gradually help raise overall security awareness among development teams. To help organizations get started quickly, cloud providers and public sector groups publish cloud-specific best practices and security controls for maintaining compliance with industry regulations. Take AWS’ Well-Architected Framework, for example, or the Center for Internet Security (CIS) controls.
CHALLENGE 3: Traditional security tools don’t protect resources in the cloud
Cloud environments are extremely dynamic and the lifecycle of resources is often short-lived. Network parameters such as IP addresses and network ports are no longer reliable, and perimeter firewalls and other solutions that served security teams for years in the data center no longer work in the cloud.
SOLUTION: Use a cloud security posture management solution
Unlike traditional security solutions, cloud security posture management solutions leverage cloud APIs and event logs to provide visibility into service configuration risks in the cloud. Many of these solutions provide out-of-the-box implementation of security controls recommended by different cloud providers and industry standards such as CIS, NIST, GDPR, and HIPAA. When selecting a cloud security solution, security teams should compare how different solutions model configuration risk, factoring in service dependencies, the speed at which they detect changes in the cloud, and the integrations available to enable all security stakeholders.
Here we’ve listed three of the most common cloud security challenges, but this is by no means an exhaustive list. To stay ahead of all the potential security challenges and risks in the cloud, organizations should establish a cloud security and compliance practice.
For more information on how to get started, see our in-depth whitepaper, which breaks down the four phases all organizations tackle in their cloud security journey, along with example KPIs to track and measure success in each phase.