2020 has introduced unprecedented operational challenges for businesses due to government-mandated remote working, school closures, and social distancing. To adapt, many have recognized the importance of integrating business and digital strategies and the value of agile and scalable cloud-based infrastructure. However, as businesses migrate to the cloud and ramp up usage, security can often be an afterthought.
This year’s Oracle/KPMG Cloud Threat Report revealed that 40% of respondents feel the public cloud is more secure than their on-premises infrastructure. While that’s true—security in the public cloud shouldn’t be something to fear—it’s important to understand what your organization’s responsibility is to security and whether your processes can account for that.
Under the Shared Responsibility Model, the security of applications and data in the cloud is a shared responsibility between the cloud provider and the customer. Cloud providers ensure the responsibility of the cloud infrastructure, which includes the physical hardware and virtualization layer running different IaaS services, while the customer is responsible for the security of the guest operating system, applications, virtual firewalls, and configurations that control access to their data in the cloud.
Without the proper cloud visibility and processes in place to meet these requirements, organizations embracing the cloud can compromise security and compliance for speed, scale, and flexibility. The Oracle/KPMG Cloud Threat Report found that 92% of respondents admitted that their organization has a gap between current and planned cloud usage and the maturity of their cloud security program. With the rapid growth of cloud services and adoption, there’s a clear cloud security readiness gap that organizations need to address.
Why is there a gap in cloud security readiness?
Before diving into how to bridge the cloud security readiness gap, it’s important to understand why this gap exists today. Here, we’ve identified eight primary causes, coming from a combination of internal, external, and environmental sources:
- Silos between the security and business/development teams—the belief that working with the security team impedes speed and time-to-market
- Too many disparate security tools in place that create complexity and confusion. On average, research estimates that organizations use over 100 discrete cybersecurity tools!
- Lack of education and compliance parameters for users—as part of the Oracle/KPMG research, only eight percent of respondents understand their role in the shared responsibility model
- Limited, incomplete, or inaccurate visibility into cloud environments and usage
- Ignoring the rule of least privilege
- Cloud misconfigurations—e.g. unprotected credentials, disabled logging, unrestricted inbound access, etc.
- Lack of automation—e.g. governance policies, configuration updates, runtime controls, etc.
- Increased number of malicious threats and cybercriminals
How do we bridge the cloud security readiness gap?
Now that we’ve outlined the primary reasons for the cloud security readiness gap, let’s talk about what you can do about it.
The Oracle/KPMG Cloud Threat Report shows businesses are thinking about transforming their organizational model for a more unified approach. We agree!
One of the most common approaches is through the Cloud Center of Excellence (CCoE) model. A functional CCoE delivers a coordinated approach to cloud management—maximizing all the benefits of the public cloud while maintaining security and compliance.
Typically a CCoE will span three core areas of excellence: cloud financial management, cloud operations, and cloud security and compliance. The owners of each area of excellence can drive consistency across the organization and find opportunities to share best practices between teams and lines of business.
An effective way to do this is to adopt a framework that can be used to improve within each core area of excellence. The below image shows the cloud maturity model for security and compliance with the four phases of maturity: visibility, optimization, governance and automation, and business integration.
Most security vulnerabilities are the result of misconfiguration due to human error. By following the cloud maturity model, the CCoE can bring together key stakeholders across DevOps, IT, Finance, and Security teams to collaborate at each phase of maturity:
- Visibility: Attain complete visibility into usage across all accounts in your cloud environment to understand your configuration challenges.
- Optimization: Identify the areas that have the largest impact on your business and align on actions to resolve them, with the full organization-wide impact of those actions taken into account.
- Governance and Automation: Create policies for usage based on your optimization efforts, communicate these policies throughout your organization, and implement automation to notify the right people to take action when policies are violated.
- Business Integration: Establish a continuous feedback loop into the CI/CD pipeline for security teams to refine their policies over time and for developers to adopt best practices.
When it comes to security in the cloud, the CCoE has proven valuable to ensure that best practices and policies are in place to mitigate misconfigurations and other security and compliance risks without inhibiting teams from achieving development goals.
As cloud usage increases rapidly, ensure your cloud security is keeping up. Bridge the gap between your cloud usage and the maturity of your cloud program by identifying where you stand currently in the cloud security maturity model and follow best practices to advance along the curve.
Learn more in our whitepaper: Building a Successful Cloud Infrastructure Security and Compliance Practice