Cloud migration is in full swing at most enterprises, fueled by the desire for a more flexible and accessible computing model as well as ongoing digital transformation. Yet security practices are dangerously out of step with the shift to the cloud paradigm: organizations are clearly struggling to stay abreast of the evolving attack surface while experiencing elevated risk of exposure to new exploits.
According to Symantec’s inaugural 2019 Cloud Security Threat Report (CSTR), over half (53%) of computing workloads have shifted over to the cloud, and respondents estimate that their organizations’ use of cloud applications will grow by 22% over the next year.
With cloud adoption continuing at a fever pitch, enterprises are having difficulty dealing with the mounting complexity of multi-cloud, hybrid cloud, and on-premises environments. They are also grappling with loss of control, especially as it relates to security: the Symantec CSTR found that 54% of respondents say their organization’s cloud security maturity is simply not able to keep up with the rapid expansion of new cloud apps.
Specifically, lack of visibility over cloud workloads is a huge problem for the majority of organizations (93%) and nearly as many respondents (83%) report negative impacts due to an incomplete view of their cloud landscape. Even worse—nearly two-thirds (65%) of CSTR respondents feel that the increasing complexity of their organization’s cloud infrastructure is opening them up to a host of new threats, including lateral movements and cross-cloud attacks.
The Perimeter is Dead
At the root of the problem is organizations’ continued reliance on the traditional, perimeter-based security model. This “castle-and-moat-style” approach employs firewalls and other technologies to authenticate and determine trust at the edges of the network; once users and devices are deemed trustworthy, they are given insider access. Yet the rise of the cloud and ubiquitous mobility lays to rest the concept of “inside” and “outside” the network and showcases the reality that threats exist everywhere, which calls for a new security paradigm.
It used to be that everything inside the corporate network was considered good and should merit trust while everything that was outside on the Internet was all bad and should be distrusted. Of course, that’s no longer the case. Consider a device that picks up malware on the outside and then is allowed back onto the corporate network because it’s a trusted entity, setting off a lateral movement attack that spreads throughout the enterprise. The fact is that perimeter-based security has become a liability because it’s mushy on the inside and threats are taking advantage of that.
Instead of a dated perimeter approach to security, organizations should embrace a modern architecture built around the Zero-Trust access model to accommodate an increasingly mobile- and cloud-centric world. With Zero Trust, there is no longer a perimeter to safeguard, but rather a world in which threats come from every direction, thus requiring granular protections at the data level as well as controls implemented across all points of access, including endpoints, cloud workloads, and corporate networks.
In a Zero Trust security architecture, users are granted least-privileged access to resources, that is, the minimum they need to be productive. Assets that are not pertinent to their job function are invisible, and behavior is assessed to identify unusual activity and respond to risks.
In addition to an integrated security platform that spans the full host of capabilities from web and email gateways to data loss prevention and cloud application security, enterprises also need to take advantage of artificial intelligence (AI) and machine learning capabilities. This allows them to automate whenever possible and assists in enforcing policies that maintain compliance across web, cloud, and email traffic.
At the same time, organizations need to bolster their security postures by embracing other cloud security best practices, including the formation of a Cloud Center of Excellence (CCoE) and the adoption of a shared responsibility model.
Cloud complexity has most security organizations scrambling to keep up, but it doesn’t have to be that way. By shifting to a Zero-Trust model supported through an integrated security platform, organizations can reap the benefit of the cloud without risking significant exposure.