iscover
PJ KirnerShare this article on:
Powered by
MOMENTUM
MEDIA
PJ Kirner from Illumio explains how organisations can minimise risks associated with dependence on the cloud.
Cloud is booming. It wasn’t a small industry pre-pandemic, and we’re finding now that it can get much bigger. The move to remote work has made thousands of organisations begin transitioning more of their operations to services like Amazon Web Services, Microsoft Azure and Google Cloud Platform.
According to Gartner, we should expect to see 70 per cent of all enterprise workloads be deployed in cloud infrastructure by 2023, up from just 40 per cent a year ago. This shows two things – first, moving to the cloud is proving cost-effective, and second, management sees moving more of their important assets to the cloud as an acceptable risk.
For security teams, this trend gives us a lot to do – despite its rising popularity, there's a lot of risk associated with working in the cloud. One of the biggest security challenges is getting a complete understanding of both the communications currently happening in your network and what could happen. This often becomes even more complicated when you consider what is happening between your cloud and on-premises environments too.
There is a lot of complexity that we bundle under the term “cloud” that we must unpack to properly identify the challenge. In PaaS and IaaS systems, for example, you are the one running applications or automation on top of a public cloud managed service.
Understanding the interdependencies among and between all components is critical to both successful and secure operations. Add private cloud and on-prem components to the mix, and suddenly, living in a hybrid world becomes increasingly challenging, fraught with risk and vulnerability.
That’s why security teams need to properly configure and understand the vulnerabilities in each environment and how these environments connect. It’s often the space between cloud environments that are tough to understand and hold serious risks – and we can’t secure what we can’t see.
The transition to cloud has led to another complicating factor for security teams: industry trends such as “shift-left” (in which security checks and operations occur earlier in the application development lifecycle), mean that cyber security, which was once the sole responsibility of the security team, is now a team sport.
This is not in and of itself a bad thing – in fact, a lot of good can come from this approach. However, if an organisation is shifting left in a hybrid environment, with on-premises infrastructure connected to public clouds, it’s going to be even more difficult for security teams to understand the risks and know if these are truly secure.
As we continue our migration to the cloud and organisations shift left, the number of people involved in keeping an organisation secure will only multiply. To combat the complexity, automation will need to play a large role in ensuring these people are collaborating efficiently to keep organisations secure and to allow those organisations to scale more quickly.
But it’s wrong to think of automation as a quick-fix – automation requires us to start from a position of knowledge; security teams must understand what communications are necessary for their business and how their assets connect with each other. From there, you can start building zero trust policies using cloud native security controls that you can implement automatically.
The danger is clear – moving more core services to cloud environments is a growing pathway of attack for cyber criminals, with multi-cloud environments creating even greater security complexities.
As clouds get bigger, cyber security teams must have visibility and control over these to account for this increasing vulnerability and attack surface. The organisation that understands their entire infrastructure, including their clouds, will be the one that can enact the right proactive security controls to shrink the attack surface and avert disaster before it happens.
PJ Kirner is the chief technology officer and co-founder of Illumio.
Be the first to hear the latest developments in the cyber industry.
