Just a few days left before this year’s RSA Conference in San Francisco and everything points to a crazy week at the Moscone Center. I’ve heard that around 50,000 people will attend and that the Moscone Center is a mess of construction right now, so just getting in and out of the buildings may be difficult.
Now, I’ve written a lot lately about my outlook for RSA as I expect a lot of banter around endpoint security, machine learning, security operations automation and orchestration, threat intelligence, risk management, etc. Yup, there will be a smorgasbord of topics throughout the week, but cloud security will dominate this year’s RSA Conference.
Why the focus on cloud security? Because today’s messy situation is a mismatch for the importance and pace of adoption of cloud computing.
Here at ESG we’ve been tracking cloud security, led by my colleague and cloud security guru Doug Cahill. Here’s a brief synopsis of the cloud security landscape today:
- Organizations are creating, hiring, and training people to become cloud security architects but this is a fairly new trend. Twenty-four percent of organizations recently established this position, while another 18% claim that this position has been in place for less than one year and 26% say this position has been in place for a year or more. This lack of cloud security leadership means that the industry needs to fill the knowledge gap with training, lessons learned and best practices. CISOs will be seeking this out at RSA.
- Cloud security involves different teams including the security team, networking team, data center infrastructure team, and DevOps. RSA is a great place to share stories and find experts who can help organizations build collaborative processes and communications between these groups. Navigating this group dynamic is also important for security technology vendors who may have to sell to and work with unfamiliar constituencies.
- Recent ESG research reveals top cloud security challenges including the following:
  - 25% of organizations cite maintaining strong and consistent security across their own data center and multiple public cloud environments. Users need consistent security policies and centralized command-and-control for cloud security tools. They will be looking for guidance and solutions at RSA.
  - 23% of organizations are challenged by employees signing up for cloud applications without the approval of IT. After several years, CIOs and CISOs still can’t control shadow IT. They will be looking for ways to better monitor and control this.
  - 20% of organizations are challenged with keeping up with the rapid pace of change via DevOps automation, which makes it difficult to maintain security control. Technology vendors crow about DevSecOps to bridge this gap but DevSecOps processes and skills are in their genesis stage. RSA will be filled with hype and a bit of wisdom around these burgeoning requirements.
- Sensitive data has moved to the cloud and more is coming soon. This growing trend makes identity and data security new security perimeters, so CISOs are looking for new types of access controls, rights management solutions, key management, and monitoring tools. This is especially true with GDPR just around the corner.
- Security professionals are struggling with vulnerability management in cloud-based workloads. They need help with risk management, automation, and best practices.
- Cloud computing is quickly becoming more heterogeneous. Large organizations have a mix of things like OpenStack, VMware, AWS, Azure, GCP, containers, and serverless apps in various stages of maturity. CISOs need help establishing strong and consistent security policies, controls, and oversight over the whole enchilada.
Cloud computing is still new, but it is being adopted quickly and is changing rapidly. Not surprisingly then, cloud security is currently managed in a siloed way. The ESG research shows that 70% of organizations use different security tools for on-premises data centers and public clouds today. This makes sense as the cloud was considered somewhat of an overlay compute/network environment in the past, so organizations purchased specialized niche tools for security. But the research also points to a major change within the next few years: 70% of organizations plan on implementing a single integrated security tool set providing command-and-control over all environments. This means that security professionals will be looking for cloud security technology architectures capable of handling hybrid cloud security, integrating with DevOps tools, and scaling to meet enterprise needs.
We’ve talked about cloud security for years at RSA, but these discussions were limited to areas like CASB, micro-segmentation, and identity management. Okay, but cloud computing is now the straw that stirs the enterprise IT drink. I’m interested to see how security professionals and the industry at large deal with this massive and critical change next week in San Francisco.