Do you have good cloud security? If you said yes, I bet it covers only a small group of applications that were built during a short sprint. The group quickly picked and installed a cloud security solution that worked well for those applications and data stores, or that they considered best of breed. Now add other sprints, other workloads and data stores, each with its own best-of-breed security solution, all seemingly effective. Repeat 20 to 50 more times.
We’re building security silos without realizing it. A siloed security solution is not inherently bad, but when it sits alongside dozens of other silos and security solutions owned by a single enterprise, its value falls away quickly, and the risk of a breach rises sharply.
This happens because all the security solutions leverage different approaches and technology, most of which don’t share common information. Identities, policies, and compliance routines have to be recreated silo to silo. Thus redundant information is managed within each silo.
A good analogy for this would be having 20 different card reader systems in your building that share no common information. In order to get to your desk in the morning, you would have to pull out 20 different RFID cards to move from one side of the building to the other. You’ll need only five to get coffee.
Some enterprises are good at creating and operating common security layers for cloud-based systems, but most are not, mainly due to small, decoupled development teams that don’t coordinate on security solutions, including common directory services for intracloud and intercloud security integration.
Many believe that having a best-of-breed security solution for each workload or small groups of workloads is a best practice. However, they ignore the fact that this approach is likely to generate many different security solutions, and the lack of integration actually creates vulnerabilities.
The vulnerabilities lie in the complexity of managing all these siloed security systems and in the likelihood that the people running secops for your enterprise will miss something, given the number of moving parts to track. Moreover, users will tire quickly of dealing with different security models and mechanisms. The password sticky notes on the monitors send the clear message that it’s too complex for them as well, and the result is a higher risk of a breach.
Cloud security integration, both intracloud and intercloud, is not easy. You must come up with common services that most can agree upon. You must use these common services in consistent ways across applications and data stores. Nevertheless, this is a problem we need to plan on solving now, before we get too many more workloads into the public clouds.
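The drift the article describes, where identities, policies and compliance settings are recreated silo by silo and quietly diverge, is something a security team can measure. The following is an added example, not code from the article; the three workloads, their settings, the baseline values and the identity names are all constructed for illustration. It compares each silo's settings against a hypothetical common baseline and also flags identities whose enabled/disabled state disagrees between silos, which is what happens when offboarding in one silo never propagates to the others.

```python
"""
Added example (not from the original article): auditing siloed security
configurations against a common baseline. All silos, settings and identity
names below are constructed sample data, not real systems.
"""
from dataclasses import dataclass


@dataclass
class SiloPolicy:
    """Security settings chosen independently by one workload's team."""
    name: str
    mfa_required: bool
    max_session_minutes: int
    log_retention_days: int
    identities: dict  # identity -> True if enabled, False if disabled


# Hypothetical 'common service' baseline the whole enterprise agrees on.
BASELINE = {
    "mfa_required": True,
    "max_session_minutes": 60,
    "log_retention_days": 365,
}

# Constructed sample: three workloads built in separate sprints.
SILOS = [
    SiloPolicy("payments-api", True, 60, 365,
               {"alice": True, "bob": True, "carol": False}),
    SiloPolicy("reporting-etl", False, 480, 90,
               {"alice": True, "bob": True, "carol": True}),
    SiloPolicy("inventory-svc", True, 30, 365,
               {"alice": True, "dave": True}),
]


def policy_drift(silo, baseline=BASELINE):
    """Return (silo, setting, actual, expected) for each baseline violation."""
    findings = []
    if baseline["mfa_required"] and not silo.mfa_required:
        findings.append((silo.name, "mfa_required", False, True))
    if silo.max_session_minutes > baseline["max_session_minutes"]:
        findings.append((silo.name, "max_session_minutes",
                         silo.max_session_minutes,
                         baseline["max_session_minutes"]))
    if silo.log_retention_days < baseline["log_retention_days"]:
        findings.append((silo.name, "log_retention_days",
                         silo.log_retention_days,
                         baseline["log_retention_days"]))
    return findings


def identity_inconsistencies(silos):
    """Flag identities that are disabled in one silo but still enabled in another.

    This is the 'recreated silo to silo' problem: with no common directory,
    disabling an account in one place leaves it live everywhere else.
    Returns (identity, silos_where_disabled, silos_where_enabled).
    """
    state = {}
    for silo in silos:
        for ident, enabled in silo.identities.items():
            state.setdefault(ident, {})[silo.name] = enabled
    findings = []
    for ident, per_silo in state.items():
        if len(set(per_silo.values())) > 1:
            disabled_in = sorted(n for n, e in per_silo.items() if not e)
            enabled_in = sorted(n for n, e in per_silo.items() if e)
            findings.append((ident, disabled_in, enabled_in))
    return findings


def audit_silos(silos=SILOS, baseline=BASELINE):
    """Run both checks and return a report dict."""
    return {
        "policy_drift": [f for s in silos for f in policy_drift(s, baseline)],
        "identity_inconsistencies": identity_inconsistencies(silos),
    }


if __name__ == "__main__":
    report = audit_silos()
    for silo, setting, actual, expected in report["policy_drift"]:
        print(f"[drift] {silo}: {setting}={actual!r}, baseline {expected!r}")
    for ident, disabled_in, enabled_in in report["identity_inconsistencies"]:
        print(f"[identity] {ident}: disabled in {disabled_in}, "
              f"still enabled in {enabled_in}")
```

Run against the sample data, the audit reports three baseline violations, all in the workload that chose its own settings, and one identity that was offboarded in one silo but is still active in another. A single shared directory and policy service would make the second category of finding impossible by construction, which is the integration argument the article makes.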