Cloud security secrets your cloud provider doesn’t want you to know

Cloud security seems like something specific to a cloud provider, but emerging approaches and technologies are changing the game


The first question most cloud security architects ask when tasked with designing a cloud security solution is: What cloud are you using? Then they typically select a set of technologies, such as IAM (identity and access management) and encryption, that are native to that specific cloud brand.

This may have been a sound approach just a few years ago, but today we live in a multicloud world where security needs to remove complexity as well as risk. Here are three cloud security secrets the public cloud providers won’t tell you:

Cloud-native security services offered by the big providers are of limited help if you run a heterogeneous multicloud estate. The technology may work well for that provider’s own products, but support for the other public clouds is partial or absent, and most of us are now running more than one cloud.

You have two choices. If you use whatever system is native to each public cloud, you end up managing a separate security system for every cloud, and that operational complexity is a risk in its own right. Or you can adopt a common security layer, such as a security manager, that handles the provider-specific security details for each cloud and abstracts you from that complexity. The latter is the option I choose, and it is what works best for most enterprises.
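As an added illustration of what such a common layer does (example code written for this page, not a product or the author’s own tooling), the script below takes access-control documents in three providers’ native shapes, normalizes every grant into one common tuple, and runs a single set of checks over all of them. The sample policies are constructed for the example; the Azure input assumes the simplified field names that `az role assignment list` emits, and the rule thresholds (what counts as “public” and “broad admin”) are the author’s choices for illustration.

```python
"""Minimal cross-cloud "security manager": normalize, then check once."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One normalized access grant, whatever cloud it came from."""
    provider: str
    principal: str
    action: str      # AWS action, GCP role, or Azure role name
    resource: str    # ARN, GCP resource name, or Azure scope
    effect: str = "Allow"


# --- Constructed sample inputs, one per provider (not real accounts) ---
AWS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
GCP_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
})
# Simplified shape of `az role assignment list` output (assumption for the example).
AZURE_ASSIGNMENTS = json.dumps([
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/0000"},
    {"principalId": "00000000-0000-0000-0000-000000000002",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000/resourceGroups/app-rg"},
])


def _as_list(x):
    """IAM JSON allows either a scalar or a list in most fields."""
    return x if isinstance(x, list) else [x]


def normalize_aws(doc: str) -> list[Grant]:
    grants = []
    for st in _as_list(json.loads(doc)["Statement"]):
        principal = st.get("Principal", "self")  # identity policies carry no Principal
        if isinstance(principal, dict):          # {"AWS": [...]}, {"Service": ...}, ...
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)
        for p in principals:
            for a in _as_list(st["Action"]):
                for r in _as_list(st.get("Resource", "*")):
                    grants.append(Grant("aws", p, a, r, st["Effect"]))
    return grants


def normalize_gcp(doc: str, resource: str) -> list[Grant]:
    return [Grant("gcp", m, b["role"], resource)
            for b in json.loads(doc)["bindings"] for m in b["members"]]


def normalize_azure(doc: str) -> list[Grant]:
    return [Grant("azure", a["principalId"], a["roleDefinitionName"], a["scope"])
            for a in json.loads(doc)]


# --- One rule set applied to every provider's grants ---
PUBLIC_PRINCIPALS = {"*", "allUsers", "allAuthenticatedUsers"}


def is_broad_admin(g: Grant) -> bool:
    """Provider-specific notion of 'too much power', hidden behind one check."""
    if g.provider == "aws":
        return g.action == "*" or g.action.endswith(":*")
    if g.provider == "gcp":
        return g.action in {"roles/owner", "roles/editor"}
    if g.provider == "azure":  # Owner/Contributor is broad only above resource-group scope
        return g.action in {"Owner", "Contributor"} and "/resourceGroups/" not in g.resource
    return False


def check(grants: list[Grant]) -> list[tuple[str, Grant]]:
    findings = []
    for g in grants:
        if g.effect != "Allow":
            continue
        if g.principal in PUBLIC_PRINCIPALS:
            findings.append(("PUBLIC_ACCESS", g))
        if is_broad_admin(g):
            findings.append(("BROAD_ADMIN", g))
    return findings


def review_all() -> list[tuple[str, Grant]]:
    """Run the common checks over all three providers' sample documents."""
    grants = (normalize_aws(AWS_POLICY)
              + normalize_gcp(GCP_POLICY, "projects/example-project/buckets/example-bucket")
              + normalize_azure(AZURE_ASSIGNMENTS))
    return check(grants)


if __name__ == "__main__":
    for rule, g in review_all():
        print(f"{rule:14} {g.provider:6} {g.principal} -> {g.action} on {g.resource}")
```

The point is not the two rules, which are deliberately simple, but the shape: the provider-specific parsing lives in one small normalizer per cloud, and everything downstream (rules, reporting, ticketing) is written once against the common `Grant` model. Adding a fourth cloud means adding one normalizer, not a fourth review process.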

Security controls can hurt performance and inflate the monthly bill if they are not engineered into the applications and data stores correctly. Cloud providers profit from selling compute and storage, so if your security controls are consuming more CPU cycles than they should, it is time to re-engineer those controls and the way the applications use them.

I’ve seen security and application tuning efforts reduce monthly costs by 80 percent, and at the same time increase performance of those applications four-fold.

Training counts more than technology. I’ve investigated a lot of breaches during the past few years. For many of them, the cause was not a lack of security tools and technology but a lack of understanding of how to use them correctly.

Money spent on training pays back roughly a thousandfold: each dollar spent on training removes about $1,000 of risk (measured as expected cost) from the implementation. And this is not the cloud-native security training the providers offer; it is training in common security architectures and solutions that span all public clouds and on-premises systems.

The theme is to think independently and to question why things are done the way they are. Cloud security will only improve in a culture that challenges the status quo.

Copyright © 2020 IDG Communications, Inc.