As enterprises bridge their adoption patterns for public cloud from isolated pilot projects to fully scaled environments, they're going to need to get serious about adjusting their cybersecurity strategy and architecture accordingly. According to the thinkers at McKinsey & Company, that sea change needs to start now. A new report released last month by the consulting firm finds that enterprises are finally doubling down on their public cloud experiments of the last decade. And that means an impending cascade of public cloud usage in critical infrastructure that previously remained entrenched in the on-prem world.
Based on an in-depth study of enterprise cloud usage, the report showed that 40 percent of firms have 10 percent or more of their workloads on public clouds. But that number is primed to rise in the next three years. Around 80 percent of firms say they're going to get above that 10 percent threshold or double their cloud penetration in that time frame.
Taking a look at the aggregate server workloads amongst all enterprises studied by McKinsey, 19% of all workloads are now on the public cloud. In three years, that is supposed to surge to 38%.
That kind of expected uptick has implications up and down the IT strategy spectrum, but it should especially be spurring some very serious strategy discussions amongst the security crowd. The good news is that most CISOs are ready to have those talks. Security leaders these days have graduated beyond giving cloud deployments the long side eye and are aware that they can come with some marked benefits--and not just for business agility.
"Interestingly, our research with chief information security officers (CISOs) highlights that they have moved beyond the question, 'Is the cloud secure?'" write report authors Arul Elumalai, James Kaplan, Mike Newborn and Roger Roberts. "In many cases they acknowledge that cloud-service providers’ (CSPs) security resources dwarf their own, and are now asking how they can consume cloud services in a secure way."
This is no small feat. Whereas the problem before was simply a matter of vetting third-party providers and ensuring secure connections and access controls in and out of a few limited cloud instances or services, now it's an architectural problem. When enterprises move to the cloud at scale, they can't use the legacy architectures and practices that were developed for an on-premises world.
"It can be tempting to build a public-cloud cybersecurity model using the controls it already has for on-premises systems," write McKinsey's experts. "But this can lead to problems, because on-premises controls seldom work for public-cloud platforms without being reconfigured. And even after being reconfigured, these controls won’t provide visibility and protection across all workloads and cloud platforms."
Rethinking the Perimeter
As they explain, enterprises need not only to rethink their cybersecurity model around the cloud but also to redesign a full set of controls specifically for the public cloud. They say that one of the biggest issues is figuring out how to manage the network perimeter.
This is not a new topic for CISOs--we've been talking about the death of the perimeter for a long time now. But the fact is that many leaders have kicked the can down the road with regard to how they've designed their network topologies and boundaries. For the time being, many have been content with the status quo, waiting until a point in time where cloud usage really started hitting a critical mass. What McKinsey is essentially saying here is that we're about to reach that inflection point. And its experts aren't the only ones.
Last summer, Gartner prognosticators said that while about 10 percent of corporate traffic bypasses perimeter security today, that number will reach 25% by 2021. And IDC's Frank Dickson had the following to say last fall:
"It is safe to consider the impenetrable network perimeter officially dead, as our data, applications, and our devices cannot predictably be found in the networks that reside behind perimeters. Today, compute, application, and data resources reside on-premises, in the cloud, and simultaneously in both at times. The result is that market for network security products continues to evolve at a frantic pace; our market analysis perspective of the network security products market reflects this massive evolution."
Even stock market analysts are taking note of the changing attitudes with regard to the perimeter. In January, shares of next-gen firewall vendor Palo Alto Networks saw a 2.6% decline after a Goldman Sachs analyst noted that the company's firewall market is softening due to public cloud adoption trends.
Clearly, the public cloud is already taking a bite out of the existing on-premises network control hierarchy. But complete anarchy is no answer either, so what options are CISOs moving toward as the cloud muddles traditional boundaries? According to McKinsey, security practices currently have three options for modeling their cloud-centric perimeter designs: backhauling, adopting CSP-provided controls by default, and cleansheeting.
Backhauling is basically a way to shunt traffic through on-prem networks. This is a shortcut method for shoehorning public cloud traffic into legacy security solutions, but it requires a lot of configuration headaches, potential performance issues and other scalability problems. Adopting CSP-provided controls is easier in the short run but it's a bear to manage in multi-cloud environments--the kind that many larger enterprises favor. Cleansheeting, meanwhile, is the wave of the future, using virtual perimeters and cloud-specific controls that can manage complex multi-cloud environments. Of course, this last option requires extensive investment to put in place.
As things stand, around half of organizations use the backhaul method and only around 15 percent tend toward cleansheeting. In three years, only 11 percent of enterprises expect to backhaul and 47 percent say they'll be cleansheeting.
"Despite the high cost and complexity of cleansheeting, organizations choose this approach so they can support multicloud environments and replace point solutions more easily as their needs evolve," McKinsey experts explain. "Cleansheeting is the least popular practice for managing perimeter security today, but more executives say they will use cleansheeting over the next three years than any other model."
Beyond perimeter design, perhaps the second most important shift that will need to occur will be the decision whether to rearchitect applications for the cloud. Right now, only about 27% of firms are rewriting code or altering application architectures to tailor them to cloud environments. Rearchitecture is often done for performance benefits, but it can also improve security attributes by introducing features like improved tamper detection using hashing, memory deallocation and encrypted data flows between calls, says McKinsey.
The decisions about the perimeter and application architecture shouldn't be made in a vacuum. As the experts explain, the choices should "inform one another."
"A company might opt, for example, to make its applications highly secure by adding security features that minimize the exposure of sensitive data while the data are being processed," they explain, "and making no assumptions about the security controls that are applied to a given environment."
In other words, rearchitecture may lessen the need to worry overmuch about perimeter boundaries. However, many enterprises feel they can't hold up cloud migration on application rearchitecture. For now around 78% of organizations migrate the bulk of their applications to the cloud without any rearchitecture.
The Cloud-Centric Takeaway
Of course, addressing the perimeter and application rearchitecture problems are just steps one and two in the process of establishing a cloud-centric cybersecurity program. The report says that fully engaged programs must also account for a number of additional key adjustments to controls in areas like identity and access management, encryption policies, operations monitoring and regulatory compliance. For example, at the moment around 60% of organizations still rely on on-premises native IAM products to control access to sensitive corporate data.
Needless to say, it's going to take a lot of moving parts. And that's the biggest point you can take from this weighty report--this is no longer an isolated problem that can be solved with a couple of silver-bullet security products. It's going to take serious thought, risk assessment and central planning to develop a cloud-first security strategy.
"Companies are steadily moving more of their applications from on-premises data centers and private-cloud platforms onto public-cloud platforms, which provide superior levels of cost-effectiveness, flexibility, and speed in many situations," the McKinsey consultants explain. "But public-cloud migrations will only succeed if companies maintain the security of their applications and data—a task that some have struggled with."