Security is one of the first boxes to tick in the journey to the hybrid cloud, yet it’s still the one giving IT teams the most headaches. The recent 2020 State of Application Services Report, a survey of 2,600 respondents globally across all verticals, backs this up. Respondents listed the top challenges in managing a multi-cloud environment as:
- Applying consistent security policies across all applications
- Protecting applications from existing and emerging threats
Worse, Gartner estimates that most enterprises will continue to struggle with appropriately assessing cloud security risks through 2024. These risks are painfully real and can lead to disastrous results, as we saw with the Capital One breach from last year: A simple firewall misconfiguration exposed over 100 million customer records to the Web.
Given the damage that security failures can do (the Ponemon Institute puts the average cost of a data breach at $3.92 million), it’s little wonder that managing and mitigating them is top of mind for CIOs and IT teams. Still, no matter how much companies invest in tools and platforms meant to protect their data and other valuable assets, the fact of the matter is this: The people using these tools, along with the security and governance processes you put in place, will ultimately determine whether your journey to the hybrid cloud goes smoothly or ends in a costly trainwreck.
It’s not them, it’s you
Let’s get one thing straight off the bat. This story isn’t about going after the “bad guys,” the ones lurking nefariously in the shadows or behind the glow of their computer screens. Cloud security risks aren’t about persistent threats from the outside. In fact, almost all cloud security risk arises from the misconfiguration of technology and plain old human error. To put it bluntly, Gartner predicts that through 2025, 99% of cloud security failures will be the fault of the cloud purchaser/user.
How does Gartner recommend companies address these risks? By taking a lifecycle approach to cloud governance and relying on central monitoring to deal with the inherent complexity of multi-cloud use.
Give developers the keys to the car
If your DevOps and other enterprise teams can’t get the resources they need, when they need them, they’ll circumvent IT and do it themselves. This type of “shadow IT” is often the cause of the internal security risk we just mentioned. If a user misconfigures a firewall or accidentally keeps administration ports open in applications, you can have a major firestorm on your hands.
To enable easy access to cloud resources, enterprises should set their sights on developing a self-service delivery model — but one that has safeguards in place. By providing developers with a self-service portal that allows them to get resources in a timely manner, you’ll reduce your risk of employees unwittingly undermining your hybrid cloud security plans.
And make sure that car has the best safety features
Of course, the car you give your developer team has to have the best security features – you don’t want anybody driving off the road. Fortunately, giving people what they need doesn’t mean giving up control.
With a self-service model, IT teams can maintain a lot of control over user permissions, configurations, and usage rates. One way to exercise this control is through the use of blueprints or templates for specific resources. For example, IT can configure those blueprints to determine who can request resources like compute, storage, and networking and where those resources should be deployed. Moreover, for deployment of complex resources like multi-tier application stacks, preconfigured blueprints can ensure standardized, consistent, and well-governed deployments every single time.
Governance aside, the key to maintaining control of your hybrid cloud environment through a self-service model involves building guardrails into the resources themselves. Such guardrails can and should include which groups actually have permission to provision hybrid cloud resources, what exactly they’re allowed to provision, usage quotas, and even expiration dates for unused or rogue resources.
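As an added illustration (not code from the original article or from any particular cloud management product), the sketch below shows how a self-service portal could enforce these guardrails on each request: permitted groups, permitted blueprints and regions, usage quotas, and expiration dates. The blueprint names, groups, regions and limits are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Blueprint:
    resource_type: str            # compute, storage or networking
    allowed_groups: frozenset     # who may request it
    allowed_regions: frozenset    # where it may be deployed
    quota_per_group: int          # max live instances per group
    max_lifetime_days: int        # expiration guardrail

# Constructed catalogue; names and limits are illustrative assumptions.
CATALOGUE = {
    "web-tier-vm": Blueprint("compute", frozenset({"devops"}),
                             frozenset({"eu-west", "on-prem"}), 2, 30),
    "scratch-bucket": Blueprint("storage", frozenset({"devops", "data"}),
                                frozenset({"eu-west"}), 5, 14),
}

def evaluate(group, blueprint, region, lifetime_days, live, today):
    """Return (approved, denial_reasons, expiry_date) for one request.

    `live` maps (group, blueprint) to the number of resources in use.
    Every guardrail is checked so the requester sees all denial reasons.
    """
    bp = CATALOGUE.get(blueprint)
    if bp is None:  # default deny: only catalogued blueprints are deployable
        return False, ["unknown blueprint"], None
    reasons = []
    if group not in bp.allowed_groups:
        reasons.append("group not permitted")
    if region not in bp.allowed_regions:
        reasons.append("region not permitted")
    if live.get((group, blueprint), 0) >= bp.quota_per_group:
        reasons.append("quota exhausted")
    if not 0 < lifetime_days <= bp.max_lifetime_days:
        reasons.append("lifetime outside blueprint limit")
    if reasons:
        return False, reasons, None
    return True, [], today + timedelta(days=lifetime_days)

def expired(resources, today):
    """Return names of resources past their expiry date, for reclamation."""
    return sorted(name for name, expiry in resources.items() if expiry < today)
```

Requests for anything outside the catalogue are denied by default, and every approved resource carries an expiry date that a scheduled job can pass to `expired` to reclaim unused or rogue resources.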
Your journey to the hybrid cloud begins with governance
Security rightfully remains one of the top concerns of CIOs bringing their organizations into a hybrid cloud future. And, as Gartner points out, the security challenges associated with that future have little to do with the technology and everything to do with the organization: “The [security] challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.”
By focusing on meeting the needs of internal stakeholders through resource automation and protecting the organization through constant oversight of cloud usage, IT can lead the organization safely and securely into its hybrid cloud future.