It’s 5:00 a.m. sometime in 2018. The phone rings. It’s the cloudops team reporting a potential breach where gigabytes of customer data may have been compromised.
You spend the next year toughening up cloud security, allocating four times what you spent in the previous year. The board of directors is happy to fund the additional tools and people. As we say: “You can’t have too much security.”
But what if you can have too much security? When do you need to hit the accelerator, and when are you going too fast already? It’s a matter of where you exist on the cloud security spectrum.
All enterprises are different. Each company stores and manages different types of data sets. They have different applications and processes in place. The ones in specific industries, such as healthcare and finance, have compliance restrictions that can be a nightmare.
The notion is simple. Everyone has different security needs, and differences in data they are protecting. Thus, they should be on different parts of the security spectrum.
For instance, in my earlier example, if the breached company were a tire manufacturer, spending four times the previous year’s security budget may be overspending, or not aligning with where it sits on the spectrum—just being reactionary.
Yes, I’m making sweeping generalizations. Most tire manufacturers don’t deal with personally identifiable information the way that healthcare organizations do. Nor do they have to keep up with stringent auditable logging, as is required by most banks.
Moreover, the data is probably fairly innocuous considering that the database information is about customers that are just a bunch of tire retailers—data that could be easily found on the website. Also, they don’t pay with credit cards, so none of that information is stored.
The essence of cloud security is that there are no one-size-fits-all solutions. Cloud security architects need to work from the requirements to the solutions, not the other way around. I’m also asserting that those picking cloud security approaches and technology need to understand where they exist on the cloud security spectrum. Else, they'll spend too much money, or more likely not enough.