Cloud Security: A Mismatch for Existing Security Processes, Technology -

To use a long-forgotten metaphor, cloud deployment is moving forward at Internet speed at many enterprise organizations. According to ESG research, 57% of enterprise organizations use public and private cloud infrastructure to support product applications/workloads today, and an overwhelming majority of organizations will move an increasing number of applications/workloads to cloud infrastructure over the next 24 months.

Now no one would argue the fact that cloud computing represents a different compute model, but it is really based upon the use of server virtualization for the most part. And since a VM is meant to emulate a physical server, many organizations approach cloud security by pointing traditional security processes and technologies at cloud-based workloads. This behavior is illustrated in a recent ESG research survey, in which cybersecurity and IT professionals were asked if their organizations used existing security technologies and processes for security workloads residing in cloud infrastructure (i.e. public and private). A vast majority (92%) said they did so, “extensively or somewhat.”

Same Security, Different Platform?

Certainly cybersecurity professionals want to leverage existing investments and lean on well-established best practices as much as possible. So what’s the problem? Unfortunately, existing technologies and processes don’t always work when pointed at cloud-based workloads. In fact, 32% of enterprise cybersecurity and IT professionals admit that they’ve had to abandon many traditional security policies or technologies because they couldn’t be used effectively for cloud security, while another 42% have abandoned some traditional security policies or technologies because they couldn’t be used effectively for cloud security.

ESG also asked survey respondents to identify the least effective traditional security tools for addressing cloud security requirements. The replies were as follows:

46% of respondents claim that data security technologies (i.e. encryption, DLP, etc.) are the least effective traditional tools for addressing cloud security requirements. This is a really big deal when sensitive data moves to the cloud.

46% of respondents claim that host-based security technologies (i.e. AV, file integrity monitoring, HIDS/HIPS, etc.) are the least effective traditional security tools for addressing cloud security requirements. Yup, host-based tools assume they have captive permanent resources to use which is antithetical to the cloud.

44% of respondents claim that network security technologies (i.e. firewalls, IDS/IPS, gateways, etc.) are the least effective traditional tools for addressing cloud security requirements. This is especially troublesome since network security really dominates overall IT security at most enterprises.

42% of respondents claim that web application firewalls (WAFs) are the least effective traditional tools for addressing cloud security requirements. Another technical incongruity, no wonder why Amazon now offers WAF as a service.

Cloud-Native Security: Required

Of course, no organization wants to throw the cybersecurity baby out with the cloud bath water but force-fitting security tools designed to protect physical assets won’t work either. Yes, CISOs should use tried-and-true best practices whenever possible, but the ESG data indicates that they’ll need to embrace cloud-native security technologies and processes to do so.

This won’t be easy, but there is really no alternative. As the ESG data clearly indicates, securing new cloud infrastructure with old processes and controls is simply a recipe for failure.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service. Read more ESG blogs here.