I attended the Gartner Security & Risk Management Summit in National Harbor, Maryland last week, leaving me plenty to write about. Cloud security emerged as one of the central themes of the conference — from building new standards at the serverless layer to achieving 360-degree network visibility to rule-based traffic segmentation strategies and much, much more.
“More clouds means more security exposure,” Jay Heiser asserted in his opening presentation, The State of Cloud Security 2018. Indeed, everything digital is at least partially going into the clouds and we must prepare ourselves accordingly.
What’s In Store For Cloud Workload Protection?
Neil MacDonald, Vice President & distinguished analyst at Gartner, informed us that the #1 inquiry they get about cloud security concerns cloud workload protection, and pointed out that hybrid cloud is becoming the norm for most organizations today.
If moving all or part of our data to this ethereal space is the situation today, then the initial need for security isn’t changing, but the methods underlying it certainly are.
We therefore need comprehensive solutions that work across the different elements of the complex data center environment.
Neil also spoke about the need for an immutable infrastructure and how easy that has become with the introduction of containers. However, when containers are taken for granted as a prominent fixture of our cloud environment, we have to be wary of the blind spots floating beyond plain sight.
This is all a part of making our infrastructures more open and more dynamic. As we make our networks more abstract, more agile, and more scalable, the administrative and security complexity grows exponentially. No wonder that IaaS providers are beginning to look more like king-kongs, in the words of analyst Jay Heiser.
That’s why it’s more important than ever to iron out the cloud security challenges within the organization across all levels - from infrastructure to application to talent.
Serverless is on the Horizon
In a recent survey, Gartner asked respondents about their cloud abstractions and what they will look like by the year 2020. Virtual machines still led the chart, followed by containers and serverless, indicating that developers are well familiar with this technology and plan on embracing it even more in the next few years. Although a little more than 50% responded that they had no immediate plan for serverless, almost 20% of respondents said they do plan on using it in the next two years.
Cloud Security Architect — from a center of NO to a center of KNOW
As data needs change, so will the structure of organizations. In the coming years, the security architect will move from “a center of NO to a center of KNOW”, says Gartner VP and fellow, Tom Scholtz.
The need to train personnel to address key cloud security challenges is evident and was addressed widely at the summit. It was abundantly clear that cybersecurity is a growing need as our world goes increasingly digital. Analyst Tom Scholtz spoke about this at length, saying that security and architect teams should work closely together to ensure that a security process and controls are in place.
The need for cybersecurity know-how and available hands is so dire that some presenters suggested that a company must either allocate resources for a security vendor or train their team to become security experts. That means the engineers of the future will themselves be hybrids — both computer programmers and security experts.
While Ops and Security professionals currently “stay in their own lanes”, the pursuit of narrow goals will no longer be feasible. We will see a deliberate breaking down of those narrow operational parameters and a convergence of objectives between these two positions. No longer will we be able to silo the roles of Ops and Security. Going forward, SecOps will be the new norm.
Just as Dev today cannot afford to be blind to the concepts and considerations of Ops, so too DevOps tomorrow will not be able to afford to be blind to the concepts and considerations of Sec. The way forward is clear: to excel, the industry will need to embrace interdisciplinary collaborative teams.
Hybrid Cloud Requires a Hybrid Team
Hybrid cloud also requires a hybrid team to operate, manage and secure it. You will still need to optimize your data center as you create hybridized teams in hybrid work environments. And when your DevOps becomes DevSecOps, you’ll need a streamlined building, testing, and security strategy in the cloud. This will help bring everything and everyone together seamlessly and securely.
In the end, transparency is the key to keeping these dynamic multidisciplinary environments and teams working smoothly and in a secure manner. As Google Cloud's product lead pointed out, a trusted cloud product is built by delivering visibility and transparency, and by simplifying control implementation.
The bottom line: if you’re not on top of the security game in the cloud, you should be. It’s going to take the whole organization to keep you up and running. That means bringing in top-notch experts, training a well-rounded team, and getting everyone in on the discussion as you problem-solve cloud security challenges.