Cloud Computing Security Chaos Continues at RSA Conference 2018

cloud-infrastructure-securityMy esteemed colleague, Doug Cahill, did a great job at the RSA Conference with a killer presentation on hybrid cloud security. Unfortunately, Doug’s presentation occurred on Thursday afternoon, when many conference attendees were catching flights home, packing up their booths, or recovering at a bar somewhere else in San Francisco. Despite the timing, about 150 souls showed up, but I’m guessing that Doug’s conference room would have been overflowing if his presentation was on Tuesday rather than Thursday.

As I wrote in a recent blog, it was important to focus on cloud security at RSA 2018. Why? Organizations are rapidly adopting hybrid clouds with DevOps leading the charge. This places a double whammy on security teams that have little cloud computing experience and a limited relationship with DevOps teams. 

Since Doug gave a stellar performance in explaining the problems and potential solutions to cloud security, allow me to provide a few highlights from his presentation:

  • Cloud computing has become increasingly heterogeneous: 81% of organizations leverage multiple cloud service providers (CSPs) for IaaS including Amazon, Google, IBM, Microsoft, etc.
  • Workloads are moving to the cloud quickly. Today, nearly one-third of organizations run at least 30% of all workloads in public clouds. In two years, more than half (55%) will run at least 30% of workloads in public clouds. Workload types also vary between bare metal servers, VMs, and a growing population of containers.
  • 73% of organizations are using or will use containers for both legacy and new applications.

From a security perspective, this means that security teams must be able to monitor and protect a changing (and growing) array of cloud-based workloads across different public cloud services. What’s more, infosec groups must become tightly integrated into agile development and continuous integration/continuous delivery (CI/CD) DevOps processes.

Not surprisingly, this has created several cloud security challenges:

  • 25% of security respondents say that their organization is challenged with maintaining strong and consistent security across internal data centers and public cloud services.
  • 20% of security respondents say that their organization is challenged with keeping up with the rapid pace of change associated with DevOps.
  • 18% of security respondents say that their organization is challenged because of the inability for traditional network security tools to provide visibility into the cloud.

In summary, cloud security remains inconsistent as organizations don’t have the right tools or processes to monitor activities or keep up with DevOps. Since more and more workloads are moving to the cloud, all I can say is, YIKES!

All is not lost, however. Doug is on top of cloud security progress and hinted at some emerging solutions and best practices he sees including:

  • The rise of a new position: cloud security architect. Twenty-five percent of organizations have had this type of role in place for more than a year while another 18% have had a cloud security architect for less than a year. This data demonstrates a growing trend.
  • Merging security and DevOps. While this is challenging, 15% of organizations are aligning DevOps and cybersecurity extensively, while 19% are doing so somewhat. Another 41% are evaluating an amalgamation of security and DevOps, forecasting stronger integration in the future.
  • Moving toward unified teams, technologies, and processes for all security. Cloud security has been a tactical exercise thus far: 70% of organizations use different people, processes, and technologies to support hybrid clouds. This means inconsistency and redundancy across AWS, Azure, GCP, IBM, and VMware environments. CISOs recognize the growing problem here and are planning for 180-degree changes. In 2 to 3 years, 70% want common security teams, processes, and technologies that span all aspects of hybrid clouds. 

This blog provides a few data points but only scratches the surface of Doug’s presentation. Fortunately, the good folks who run the RSA Conference provided links to all presentations. Those who want more detail can download Doug’s full presentation here

Topics: Cybersecurity RSA Conference