Moving to the Cloud? Be Ready to Embrace Complexity

The Cloud Security Alliance (CSA), an organization that works to raise awareness about best practices for secure cloud computing environments, has been especially busy of late—churning out findings related to cyber security and the cloud.

There’s lots of content that should be of interest to organizations looking to expand their cloud activities, so we’ll break it up into two posts.

First, let’s look at a report CSA recently published about the challenges of managing security in a hybrid cloud environment. The study, “Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multi-Cloud Environments,” was commissioned by AlgoSec and is based on an online survey of 700 IT and security professionals worldwide conducted by CSA from December 2018 to February 2019.

The report notes that cloud platforms include ecosystems of services that are not always fully compatible with each other, causing data ownership and interoperability issues. “Today’s cloud adoption requires focused attention on data migration, expert levels of knowledge per service, and understanding of vendor security and responsibility,” the study said.

One of the challenges with a multi-cloud integration is assigning assets to different types of cloud environments, including public and private cloud services, as well as multiple cloud public platforms and

services, the report said. The various cloud options also need to be integrated with on-premise networks and other third-party services.

Adding to the complexity, an organization’s ultimate computing environment must be able to remain secure and stay current with regulatory compliance protocols.

When survey respondents were asked to rank those aspects of managing security in public clouds that they found challenging, they cited proactively detecting misconfigurations and security risks as the biggest challenge.

That was closely followed by a lack of visibility into the entire cloud estate. While only about one third of respondents identified visibility as a concern that has arisen when their organization considered adopting a public cloud, more than three quarters rated visibility as a challenge related to managing their security once in the public cloud.

When asked about the level of challenge presented by lack of visibility into the entire cloud estate, 44% of the respondents reported this issue to be a moderate security challenge, and 36% reported it as a maximum challenge.

Also among the top five factors making security management challenging were audit preparation and compliance, holistic management of cloud and on-premises environments, and managing multiple clouds.

Human error and configuration mistakes are the biggest causes of outages, according to the report. About 11% of the respondents reported a cloud security incident in the past year, and 43% had a network or application outage. The leading causes of the outages were operational/human errors in management of devices (20%), device configuration changes (15%), and device faults (12%).

Organizations are facing unique new security concerns, particularly when they integrate multiple cloud services and platforms into an already complex IT environment, said John Yeoh, vice president of research at CSA.

The report’s findings illustrate how important it is for organizations to have good visibility into the cloud and management across their increasingly complex hybrid cloud environments. By doing this they can maintain strong security, reduce the risk of outages and misconfigurations, and fulfill audit and regulatory compliance demands.

Among the key findings of the study are that compliance and legal challenges are major concerns for companies when moving into the cloud. More than half of those surveyed (57%) cited regulatory compliance as a concern and 44% cited legal concerns.

Security is the major concern in cloud projects, with 81% of cloud users saying they encountered significant security concerns. Concerns over risks of data losses and leakage were also high with users when deploying in the cloud (cited by 62%). That was closely followed by regulatory compliance concerns (57%) and integration with the rest of the organizations’ IT environment (49%).

“The survey illustrates the need within our industry to better address these issues before adopting cloud technologies, in order to create practical and manageable network environments--rather than simply putting out fires as they arise after deploying new technologies,” the report said.

The study also shows the need to maintain skills related to cloud services during the growth of these services, in order to stay current with new features and functionality.

Many organizations will no doubt continue to migrate more and more of their workloads to cloud-based resources. As cloud computing environments become even more complex, the report said, it’s critical for organizations to have visibility into their cloud-based resources and be able to trust the expertise of their own security staff as well as their cloud provider’s staff.