After more than a decade of varying levels of irrational exuberance in terms of deploying application workloads in the cloud, there is now a greater appreciation for cloud security. In fact, a survey of 350 IT leaders from large enterprises with more than 5,000 employees finds well over half (59 percent) believe that moving to the cloud has made their enterprises less secure.
Conducted by CloudBolt Software, a provider of an IT automation platform, well over three quarters (79 percent) also questioned whether their companies are applying consistent levels of cloud security policy enforcement. More than two-thirds (68 percent) said their organizations security skill sets across all clouds was only “somewhat mature.”
Nearly three quarters of respondents (72 percent) also admitted their organizations moved either to the cloud or multi-cloud environments without properly understanding the skills, maturity curve, and complexities of security. Just over half (56 percent) also noted there is a lack of multi-cloud and cloud security expertise and resources, while 48 percent cited operational complexity and multi-cloud support as key concerns.
Overall, three quarters of respondents (75 percent) described cloud computing as the single greatest expansion of the enterprise attack surface in the last 20 years.
Highly operationalized cloud security practices can prevent mistakes
At the heart of all this cloud insecurity is the way cloud infrastructure is provisioned. Developers with little to no cybersecurity expertise typically provision cloud resources and then deploy applications with little to no cybersecurity expertise. That makes it all, but certain mistakes will be made.
In contrast, most deployments of applications in an on-premises IT environment are handled by a centralized team that typically reviews settings for misconfigurations. Many organizations that deploy applications in the cloud have not yet been able to define and maintain a similar set of best practices. The truth is many developers in the rush to meet application deployment deadlines have tended to skip or at least minimize the amount of time that should be devoted to ensuring cloud security.
As a result, the survey finds only 8 percent of respondents say they have implemented highly operationalized cloud security practices when spinning up new compute resources and environments, and only 6 percent said their companies automatically build security into every workload up front and orchestrate processes across every cloud so that developers don’t have to worry about it. Even less (3 percent) said their organization consistently leverages “immutable infrastructure” as a security measure through which cloud resources are automatically destroyed and rebuilt every set number of days.
MSPs can bridge the gap between developers and cybersecurity teams
Clearly, heading into 2023 there has never been a greater need or better opportunity for managed service providers (MSPs) to help organizations fix what are fundamentally flawed processes for building, deploying, and securing cloud applications.
The challenge MSPs will have, of course, is finding a way to insert themselves into the divide that currently exists between developers and whoever happens to be overseeing cybersecurity. Developers tend to jealously guard their privileges so many with resist the introduction of any change that is perceived to slow down the rate at which applications can be built and deployed.
Any MSP that wants to manage cloud security effectively will need to spend some time reassuring developers that everything being done is not being imposed from the top down but rather constructed from the bottom up with lots of opportunity for each developer to have personal input. Inevitably, there will be tradeoffs, but the key is always getting as much of the development team as possible to buy into them before they are made.
Photo: Kjpargeter / Shutterstock
