While the cloud is amazing, a worrying lack of visibility goes along with it. Keep that in mind as you develop your security approach.
Like many of my peers, I marvel at the amazing ways the cloud has changed our lives and how we work. At the same time, I’ve lost untold hours of sleep worrying about the security risks this transformation creates. As a CISO, I spend a big chunk of every day planning for, evaluating, and responding to different types of threats to our network and applications. But that’s not what keeps me up at night—it’s the areas of exposure and lack of visibility that I know exist and yet have a limited ability to address. Basically, the things that don’t go bump in the night.
As companies move more of their infrastructure, applications, and data to the cloud, and as that move makes it easier to deploy and use new technology within our organizations, we’re creating gaps in visibility that make even the most battle-tested of CISOs sweat. Information security is our stock in trade, but visibility and knowledge are our currency. Knowing all there is to know about what is happening at any given time, from the infrastructure to the middle and app layers, is critical to maintaining a comprehensive security posture.
And so, as we hit the cloud era in full stride, we must face two realities: First, all the flexibility, speed, and scale the cloud brings will cost us no small measure of visibility and knowledge despite cloud providers’ best efforts in logging and control. We are accustomed to having full control of everything happening across our networks. But now, as more of our data resides in the public cloud, we aren’t always able to see who is accessing that data and what they’re doing with it. As we move our infrastructure to Amazon, Microsoft, or Google, do we get comprehensive activity logs that show us how our information is moving throughout their network infrastructure? Not today, we don’t.
Second, as the proliferation of devices and decentralization of the workforce dissolve the traditional perimeter, our greatest area of exposure is no longer the network but the applications themselves. Yet a significant majority of resources still go toward network security rather than securing the app. According to a recent study we partnered on, 18% of IT security budgets go to application security while 39% go to traditional network perimeter security. And the complexity of this issue grows exponentially as companies adopt and deploy more and more services and apps across public cloud, data center, and virtualized environments. Threading together a single comprehensive picture of what is happening to your critical content and apps has become incredibly challenging.
So what do we do? Of course, security needs to be an integral part of any cloud adoption strategy. Smart CISOs identify areas of exposure and blind spots and implement a strong risk management plan that includes solutions that can help close those gaps. And as many companies introduce DevOps models, it will be more important than ever to embed automated security testing alongside automated functional testing. Today, DevOps teams focus on standard function testing, but we need to create a similarly standard security testing protocol and address security up front in the development process, so that we don’t sacrifice security in our aim to speed up app deployment.
The cloud will mature and we will see newer, better ways of monitoring, tracking, and logging activities—giving us back the visibility we need to ensure the safety of our data. With that will come the ability to more effectively use machine learning and advanced analytics to automate functions, anticipate threats, and orchestrate responses.
As security professionals, we are too often in the position of explaining to people in our organizations why we can’t do something. But it doesn’t have to stay this way. With a security approach that addresses the threats of today and tomorrow — and a few of the emerging advances mentioned in the previous paragraph — we can have the confidence to shift our mindset, and start saying yes more than no. And maybe, just maybe, get a few more hours of sleep.
Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide …