Cloud usage is growing rapidly. IDC says today’s “cloud first” strategy is already moving toward a “cloud only” strategy, with cloud expected to account for nearly 70% of enterprise IT infrastructure and software spending by 2020.1 As of 2016, nearly 90% of organizations were using some type of public cloud service.2
The growing use of public cloud, however, is exposing organizations to new security threats that cannot be properly addressed through traditional data center and endpoint security technologies and methodologies. Without a modern, cloud-native approach, security will be compromised because of a variety of factors, including:
- New architectures: The cloud is architected differently than legacy data centers, thus requiring new security approaches. Because the cloud is API-centric, traditional tools such as penetration tests and network scans are unreliable.
- The rise of DevOps: In far too many cases, DevOps teams are on their own when it comes to using public cloud, which can leave central IT and security teams uninvolved, uninformed and unaware. With some organizations pushing hundreds or thousands of code changes into production each day, IT and security teams need a new means to monitor what is going on.
- A more sophisticated threat landscape: While DevOps teams have automated their code deployment processes, hackers have kept pace, deploying similar tactics to automate attacks. In addition, the attack surface has changed, meaning there is no path of traffic to monitor anymore. As such, security teams need new tools to ensure they have visibility into all of the organization’s cloud applications.
The four-step program
These challenges can be addressed by employing a modern, cloud-native security platform that leverages automation to provide continuous monitoring, analysis and remediation for cloud security and compliance.
This is a new model that offers much greater protection in the cloud than traditional security platforms. Top cloud security experts, including the management team at leading cloud security provider Evident.io, say it is important to focus on four key elements to achieve continuous and automated cloud security and compliance. They are:
- Real-time discovery to keep up with the fast pace of change in the cloud: With the enormity of deployments in the cloud, it isn’t unusual for organizations to have millions of data points that need to be evaluated. You need a platform that can handle all the data in real time and rapidly isolates any security variation or deviation from known good state(s).
- Deep insights to identify risks that might not be obvious: When teams are very large, communication can falter. Your platform should let teams own their own security, while also providing a big-picture view to security operations teams and corporate management. The platform must be able to evaluate security data in isolation, as part of the global customer base or across time and geography, to warn about potential issues before they occur.
- Automated action: Organizations need to automate not only monitoring and analysis, but also remediation to keep up. They should have flexibility in determining the course of automated response, with the ability to inform human administrators if there is any other action that may be required.
- Robust reporting: Teams need to be able to measure and demonstrate security and compliance progress daily, not just during the yearly audit. With the right platform, you should be able to view your past and present security and compliance stances at the push of a button.
As organizations continue to rely on public cloud to drive day-to-day business activities as well as innovation, they must reduce security risks and simplify the processes involved in ensuring protection and compliance. Continuous security and compliance present a new opportunity to maximize the value of the public cloud while minimizing risk.
In evaluating potential cloud security platforms, it is important to focus on key features such as automation, real-time discovery, deep insights and robust reporting. It’s often said that the cloud changes everything, but one thing it does not change is the need to ensure security and compliance.
1 “IDC Sees the Dawn of the DX Economy and the Rise of the Digital-Native Enterprise,” IDC, Nov. 1, 2016
2 “RightScale 2016 State of the Cloud Report,” RightScale, Feb. 9, 2016