Remember back when the primary complaint holding back cloud computing was security?
My, how times have changed.
Today, the gathering consensus is that cloud-based security trumps on-premise offerings, and that our attempts to keep one foot in the data center and another in the cloud cripples our ability to secure data.
In other words, given that your sensitive data is going to live in the cloud, your security had better, too.
A world gone cloudy
The problem with traditional enterprise security is that we no longer have traditional enterprise workloads. Not in the everything-runs-in-my-own-datacenter sense. As Amazon Web Services revenue suggests, we’re moving to the public cloud, and at a torrid pace.
Take GE, for example. As the company announced at AWS re:Invent, GE is in the middle of decommissioning 30 of its 34 data centers so as to move 9,000 workloads to AWS. While GE may be ahead of the curve, nearly every company has plans to move data to the public cloud.
Not surprisingly, companies that run workloads in the cloud want to secure them in the cloud.
After all, as a new Zscaler-commissioned Forrester report finds, “The rapid and accelerating adoption of cloud computing, mobility, and the Internet of Things (IoT) — coupled with increasingly more sophisticated cyberthreats — has reduced the effectiveness of traditional appliance- and software-based security architectures.”
Furthermore, “[T]he way most security vendors deliver technology is at odds with security professionals’ overwhelming desire for integrated security platforms — the bulk of today’s security market consists of point solutions.”
In short, the old security model simply doesn’t work. And, for those who try to straddle both public clouds and internal data centers, it’s even worse.
Hybrid cloud, full of holes
I get it. Some companies believe their data must be kept in tightly controlled data centers for governance, performance, or security reasons. But let’s be clear: The hybrid computing dream is a security nightmare.
Hybrid deployments often play an essential, yet complex, role in an organization’s transition to cloud computing….But…hybrid deployments bridge risks across environments. Internal problems can extend to the cloud provider, and compromise of something on the cloud side extends to the data center. It’s a situation ripe for error, especially in organizations which already struggle with network compartmentalization.
However much we may believe we’re playing it safe by keeping sensitive workloads on-premise, the opposite is likely true.
No one sets out to create such security problems, of course.
Some problems arise precisely because we’ve tried to lock things down so much that developers sidestep policies to get stuff done. As Gartner analyst Lydia Leong notes, “Many [enterprises] allow developers relatively unfettered access to the cloud [Infrastructure-as-a-Service] provider’s capabilities, further increasing the complexity of security management and potentially increasing the attack surface available to malefactors.”
Other enterprises, in a race to keep up with an ever-changing market, build on the shaky foundation of legacy code (“building skyscraper favelas in code—in earthquake zones,” as Professor Zeynep Tufekci vividly describes), or patch together new code running in the cloud with old code resting on internal servers.
Either way, attack vectors proliferate.
Trust the cloud
There is, of course, no easy answer to this conundrum. And, even if we get architecture spot on, run everything in one place (public cloud or internal data centers), and otherwise do everything perfectly, we’re still going to struggle with security.
Because, well, people.
According to the 2015 Data Breach Industry Forecast, employees were the root cause of 60% of security exploits last year. That problem will always be with us.
However, as more enterprises move workloads to the cloud, and secure those workloads in the cloud, there’s a good chance that security will get better, as the public cloud providers provide superior security to internal security teams.
No wonder, then, that Capital One CIO Rob Alexander took to the stage at AWS re:Invent to declare that he trusts AWS security over his in-house security. That’s not an indictment of his security team so much as a compliment of Amazon’s, not to mention a complete reversal of the old myth that the only way to really secure enterprise data is within one’s own datacenter.