Oh, what a cloud year 2020 was. Cloud spending grew by 37% in the first quarter of 2020 alone as many quickly understood that COVID-19 would leave them vulnerable if they were still using traditional data centers. Seeing a hockey stick in revenue and enjoying the urgency to drive processes remotely and securely, cloud service providers had an unexpectedly successful year.
Core to this was a rush on public clouds and those who knew how to migrate and build cloud applications. Despite the fact that everyone was working out of their bedrooms, enterprise IT, consulting firms, and the cloud providers themselves were able to keep up with demand and accelerate the movement to the cloud, for the most part.
Although the adoption of cloud computing—either fear-based or otherwise—is perhaps a silver lining to the pandemic, it has caused some new risks as well:
- Security planning has taken a back seat to being expedient.
- Haste has meant that many cloud migration and development projects don’t fully address security dependencies before deployment, and teams have to circle back to fix issues.
- Different development and migration groups are working autonomously, picking whatever security solutions they feel are best of breed without coordinating with the other teams or a centralized governance group.
- Those who attack enterprise systems, including those in the cloud, are well aware of these emerging vulnerabilities and are doing their best to figure out how to exploit them.
- 2021 and 2022 could see larger and more damaging data breaches making the news cycles, cloud or not.
The fact remains that you have better security tools and processes in the cloud, and they are cheaper and easier to set up. It’s been that way for some time, as security technology providers spent their R&D dollars in support of the rapidly emerging public clouds. However, all the greatest security tools in the world won’t help you if you don’t know how and when to deploy them.
What’s occurring now is a “rapid cloud deployment” strategy for many larger enterprises. Good application and database design, performance engineering, and choosing cloud-native features for better user experiences are being left behind for speed. That will get you complaints from users and larger cloud bills. But lack of security will kill you.
The answer is, “Don’t forget security for each stage of migration and/or deployment.” The reality is most enterprises are making this critical error in varying degrees, from needing a few tweaks to having to gut all their cloud security.
My suggestion is fundamental: Security should be centralized, both in authority and in the selection of standard technology throughout the enterprise. This means that one organization is charged with working with all migration and deployment teams to ensure not only that security is a repeating pattern, but also that most teams are leveraging cloud security technologies that will work and play well together across cloud brands and from traditional systems to the cloud.
The danger here is that these “cloud security overlords” will be dummies and won’t provide the correct support and coordination. Those who show up with only PowerPoint presentations, for instance, and no lists of tools and specific guidance on how to use them are not at all helpful.
This one goes to you CIOs, CTOs, and even CEOs. Your jobs are on the line with this kind of risk; it’s time to get these vulnerabilities under control with some noninvasive security governance. Just avoid hiring or promoting those who will make things worse or more confusing.
By paying a bit more attention, moving to the cloud to remove pandemic-related risks could be a security upgrade as well. Your choice.