The need for speed and agility in today’s always-on, always-connected digital business has led IT teams to transform the traditional on-premises infrastructure to cloud-native architectures. The rise of DevOps and the use of Platform as a Service (PaaS) & Infrastructure as a Service (IaaS) have been foundational to this change and are now the norm. But where security traditionally fell on dedicated teams, it now often falls on the developers themselves, and as a result, when speed and agility increase, so does the risk of introducing security issues.
What are the biggest cloud security challenges?
Infrastructure as a service
Initially, IaaS security appears to have the least change from your on-premises environment. After all, the cloud is just your application running on someone else’s computer. But cloud service providers (CSPs) supply you with that computer, along with an entirely new and unfamiliar management and control plane, new identity and access paradigms, and new forms of storage. The first generation of cloud-related breaches stemmed from organizations not understanding this new paradigm and placing confidential information in cloud storage while leaving access open to the internet. This never happened to them in the enterprise, where their network firewalls and segmentation provided a backstop to this type of misconfiguration. What changed? There is no way to physically surround all your assets in the cloud with a network and place firewalls at the edge of that network. The crux of the issue is simple: CSPs provide incredibly complex ecosystems that are constantly in flux as new features are added.
Platform as a service
The security implications of adopting PaaS are not well understood by many organizations. The services in question range from simple (e.g. storage) to complex (e.g. analytics stacks), and each of these services has its own security nuances. There is a broader challenge with all services delivered via PaaS: security teams generally have no pre-existing models of how to secure a service embedded in an application without surrounding it with a secure network. There is no way to apply that model to PaaS-delivered services. Also, note that the goal of CSPs is different from that of their customers. In rolling out new services, CSPs who develop those services are judged by the adoption of the service.
Software as a service
With SaaS, there are no illusions that everything is the same, as the only thing you have access to is accounts and identities. However, SaaS has been broadly adopted as organizations realize that it allows them to introduce new applications literally overnight and without having to worry about software upgrades, backups, and other mundane support tasks. These SaaS applications can be accessed from anywhere, and elements of endpoint detection and response (EDR) on the device that accesses them, if you are lucky, and maybe a cloud access security broker (CASB) are expected to recreate the safety of old. Furthermore, SaaS applications have become incredibly complex. And keep in mind this is just part of a much bigger job for IT organizations tasked with provisioning and de-provisioning access and overseeing security issues for applications.