My esteemed colleague Doug Cahill did a great job at the RSA Conference with a killer presentation on hybrid cloud security. Unfortunately, Doug’s presentation occurred on Thursday afternoon, when many conference attendees were catching flights home, packing up their booths, or recovering at a bar somewhere else in San Francisco. Despite the timing, about 150 souls showed up, but I’m guessing that Doug’s conference room would have been overflowing if his presentation had been on Tuesday rather than Thursday.
As I wrote in a recent blog post, it was important to focus on cloud security at RSA 2018. Why? Because organizations are rapidly adopting hybrid clouds, with DevOps leading the charge. This places a double whammy on security teams that have little cloud computing experience and a limited relationship with DevOps teams.
Since Doug gave a stellar performance in explaining the problems and potential solutions to cloud security, allow me to provide a few highlights from his presentation:
- Cloud computing has become increasingly heterogeneous. Eighty-one percent of organizations leverage multiple cloud service providers (CSPs) for IaaS, including Amazon, Google, IBM, Microsoft, etc.
- Workloads are moving to the cloud quickly. Today, nearly one-third of organizations run at least 30 percent of all workloads in public clouds. In two years, more than half (55 percent) will run at least 30 percent of workloads in public clouds. Workload types also vary between bare metal servers, VMs, and a growing population of containers.
- Seventy-three percent of organizations use or will use containers for both legacy and new applications.
From a security perspective, that means security teams must be able to monitor and protect a changing (and growing) array of cloud-based workloads across different public cloud services. What’s more, infosec groups must become tightly integrated into agile development and continuous integration/continuous delivery (CI/CD) DevOps processes.
Cloud security challenges
Not surprisingly, this has created several cloud security challenges:
- Twenty-five percent of security respondents say their organization is challenged with maintaining strong and consistent security across internal data centers and public cloud services.
- Twenty percent of security respondents say their organization is challenged with keeping up with the rapid pace of change associated with DevOps.
- Eighteen percent of security respondents say their organization is challenged because of the inability for traditional network security tools to provide visibility into the cloud.
In summary, cloud security remains inconsistent because organizations don’t have the right tools or processes to monitor activities or keep up with DevOps. Since more and more workloads are moving to the cloud, all I can say is, YIKES!
Emerging cloud security solutions and best practices
All is not lost, however. Doug is on top of cloud security progress and hinted at some emerging solutions and best practices he sees, including:
- The rise of a new position – cloud security architect. Twenty-five percent of organizations have had this type of role in place for more than a year, while another 18 percent have had a cloud security architect for less than a year. This data demonstrates a growing trend.
- Merging security and DevOps. While this is challenging, 15 percent of organizations are aligning DevOps and cybersecurity extensively, while 19 percent are doing so somewhat. Another 41 percent are evaluating an amalgamation of security and DevOps, forecasting stronger integration in the future.
- Moving toward unified teams, technologies and processes for all security. Cloud security has been a tactical exercise thus far – 70 percent of organizations use different people, processes, and technologies to support hybrid clouds. This means inconsistency and redundancy across AWS, Azure, GCP, IBM, and VMware environments. CISOs recognize the growing problem here and are planning for 180-degree changes. In two to three years, 70 percent want common security teams, processes, and technologies that span all aspects of hybrid clouds.
This blog post provides a few data points but only scratches the surface of Doug’s presentation. Fortunately, the good folks who run the RSA Conference provided links to all presentations. Those who want more detail can download Doug’s full presentation here.