Heterogeneous Multi-Dimensional Cloud Security

CISOs are scrambling to find the right policies, processes, controls, and monitoring to keep up with enterprise deployments of a multitude of cloud technologies.

According to ESG research, 75% of organizations use public cloud services of one kind or another today (note: I am an ESG employee). A majority (65%) use SaaS, 38% use IaaS, and 33% use PaaS.

In terms of IaaS, Amazon Web Services (AWS) is still the king of the hill, but many large enterprises are implementing or kicking the tires on alternatives. Microsoft is pushing clients with enterprise client access licenses (ECAL) toward Office365 and Azure, IBM is winning SoftLayer deals with large customers, and Google Cloud Platform is gaining traction in the life sciences industry.

With all of this cloud momentum, we see a new compute model evolving that ESG calls heterogeneous multi-dimensional cloud infrastructure. Simply stated, heterogeneous multi-dimensional cloud infrastructure is sort of a hybrid cloud on steroids where enterprises have a little bit of everything – AWS, Azure, OpenStack, SoftLayer, VMware, etc., on-premises and in the public cloud.

As you can imagine, it’s an absolute bear to secure heterogeneous multi-dimensional cloud infrastructure. Why? The technology is immature, and each individual cloud platform has its own administration, controls, logs, and idiosyncrasies. This makes it difficult to apply common cybersecurity policies, processes, and technologies across heterogeneous clouds. 

CISOs at large enterprises have also identified a few specific security problems in this domain including:

  1. Organizations that simply “throw cloud security over the wall.” Business managers, DevOps specialists, and data center operations teams often move production workloads to private or public cloud infrastructure and then ask security questions later. This forces the CISO to play a continuous game of catch up. The security team is instantly overwhelmed, leaving organizations much more vulnerable than they imagine.
  2. A legacy security technology conundrum. Many well-intentioned CISOs want to maximize ROI on their security investments by trying to secure cloud-based workloads with traditional security tools like firewalls, IDS/IPS, and antivirus software. Unfortunately, ESG research indicates that this strategy is a detour that ends up wasting precious time and money along the way. Having tried and failed to manage security the old-fashioned way, many CISOs then embrace a software-defined security model – one reason why cloud security solutions from Cisco, CloudPassage, Evident.io, IBM, Illumio, Trend Micro, vArmour, and VMware are getting so much attention.
  3. Cloud security monitoring blind spots. As the old saying goes, ‘you can’t manage what you can’t measure.’ In this case, you can’t secure cloud-based activities you know little about. Enterprises want to monitor cloud computing through tried-and-true tools like ArcSight, LogRhythm, QRadar, or Splunk, but it isn’t always easy and may require some nuanced creativity to get there. 
  4. An acute shortage of cloud security skills. Think it’s hard to recruit and hire cybersecurity professionals in general? Try finding someone who is an infosec and cloud computing expert – it’s virtually impossible to do so.

How can CISOs address these challenges? The most successful ones we’ve talked to treat heterogeneous multi-dimensional cloud security with DevOps processes and software-based security services. In other words, cloud security starts to look a lot like cloud computing software development, administration, and operations. Good model, but it does require some pretty big changes to IT/security teams, security policies, and security controls for starters.

My colleague Doug Cahill and I will be on the lookout for heterogeneous multi-dimensional cloud security innovation and thought leadership at the upcoming RSA security conference. Stay tuned, as this area is changing fast!

Copyright © 2016 IDG Communications, Inc.
