COVER STORY: Multiple cloud models make security more complex

By on

Worldwide end-user spending on public cloud services will hit $494.7 billion by the end of the year and then grow to nearly $600 billion by the end of 2023.

Those figures from industry analysts Gartner demonstrate the rude health of the sector, but even this only tells part of the story.

Investment in private cloud infrastructure is also maintaining a healthy clip, with Grandview Research estimating the private cloud servers will grow from $60B at the start of the decade to $205B by the middle of the decade.

Indeed, by 2025, according to Gartner half of all the enterprise IT spending that can migrate to the cloud, will have done so.

And of course, that transition and the new operating method need to be done securely.

Within the total cloud universe, the cloud security market is growing in scale and profitability, it was valued at US$29.3 billion in 2021 and is forecast to hit US$106.2 billion by 2029. 

Cloud security brings more flexibility than many on-premise solutions.

Naren Gangavarapu, chief information and digital officer at Northern Beaches Council said with everything going online and information being available everywhere, it is difficult to sustain the cost as companies can't move with business and customers’ demands quickly.

The traditional on-prem approach to computing is not very agile, he said, "Whereas in the cloud, we find that we can spin up new sites within a matter of seconds aligned to the business outcomes."

Those organisations that are deciding whether or not to adopt cloud security, must have a certain level of business maturity according to Gangavarapu.

He said they have to understand the business behind the organisation. Bigger organisations have access to a lot of resources and have a better cash flow than their small business counterparts.

“What they tend to do is to look at what's the security classification of various applications, and whether it's legacy whether is modern, what's the strategy? Is it fit for purpose? Or is it future-proof? Is it scalable? Is it portable? Is it maintainable?

“You have to apply a lot of nonfunctional requirements. We call them the ‘ilities’, it is portability, scalability, security and privacy, and then assess whether that application is fit for purpose, and does it align with the corporate plan or the future vision of the organisation? If it doesn't, that's when you shift to whether you opt for a cloud solution,” he said.

Multi-cloud issues

When organisations implement multiple clouds, it can create some issues within the business especially when employees are accessing different types of clouds.

Rick McElroy, principal cybersecurity strategist at VMware Carbon Black told Digital Nation that typically organisations have about five different hosted cloud applications built inside of AWS or Google Cloud.

“Then you have other things that you access as a company that lives on someone else's server, you have to protect the thing that's accessing the cloud, you have to protect that cloud and then, of course, any interconnections amongst clouds to do data transfers, backups,” he explained.

“But the real issue in a multi-cloud model is the consistency of controls. As you can imagine, how I deploy into AWS is different from how I deploy into Azure. The controls that Azure gives me are a different set of controls than what I have in AWS. Now I have [to have] two teams or at least one person trained in each.”

To get a consistent set of controls across the multiple cloud environment is really tough, McElroy said.

“Then to gain the actual context, so the visibility of the network, the endpoints, the data, the applications, everything you would need to do to unmask the attacker doing what they're doing in real-time becomes significantly harder,” he explained.

McElroy highlights the issue of varying contracts.

“The things that AWS has contracted to do security-wise is different than Microsoft. You have to factor in the contracts themselves, who has responsibility, and how long do they take to give you data? If you need data, how long do they collect the data for all of these things,” he said.

“The thing I'm working the most on with our customers is around that challenge. How do I consistently detect and respond when I know I'm in all of these different environments?”

He said there is a company-wide approach to getting these processes right and adding compliance on top of that.

“Some people, their clouds are better for compliance, some are arguably better for security. You could probably plus or minus 20 percent on each other to make that decision, but that's the reality,” he added.

AI and automation

AI and automation processes are becoming more ubiquitous throughout cloud security.

Fahad Ehsan, senior analyst – security and risk at Forrester said, “If we talk about the cloud, being the enabler of automation and AI, the cloud has eased the way in how people can deploy and consume technology.

“With that, a lot of opportunities have opened up, we have seen people utilising things like Python deployments, and Python is one of the ways you can experiment with AI. Again, there are other languages as well.

“But there are many templates which you can use, especially with the combination of technologies like Kubernetes, which helps you deploy this infrastructure fast at scale and do these massive calculations which are required for artificial intelligence,” he explained.

Gangavarapu at Northern Beaches Council said organisations will use AI and automation in the future to detect bad actors and work within threat detection.

“Later on, they will also be more prominent in the response by acting on some of these actors and blocking things or stopping things. In order to do that, you've got to train them quite a bit.

“Right now, there's a lot of supervised machine learning models and the focus is shifting more towards unsupervised machine learning models where you use deep learning techniques and neural networks. This is where artificial intelligence will start learning a lot of that as to how to respond to a lot of these things self-taught based on training models, and then evolve and respond,” he said.

State of the job market

While cloud security and cybersecurity in general are gaining traction, the current skills crisis is one of the biggest impediments to this uptake.

According to Luke Barker, head of cybersecurity ANZ at telco BT, any role in security at the moment, in terms of getting the right people is very hard and that is across the technical and non-technical roles.

“Even more so, someone who is a cloud certified security architect, ticking all the boxes from a cyber and cloud point of view is very much high in demand. We're also seeing a trend a little bit away from cloud, [for] organisations that run big operational networks,” he explained.

Demand for cloud security jobs has spiked in demand over the past few years, Gangavarapu said as more businesses migrate online there is a sudden spike in demand.  

“There's a lot of people who are getting in by getting themselves aware of the basics of security."

But the real domain specialisation involves both operational security and strategic security, he said. "You will struggle to find a lot of people at operational security who keep your day-to-day operations secure."

When it comes to people who are experts at understanding cloud-based security that narrows the talent pool down even further, according to Gangavarapu.

“There's even a severe shortage of people who understand what are the security controls that they have to look at when you have a cloud provider because it becomes shared space. Then the skill comes in as to how good you are at negotiating the contract, and the service level agreements with your cloud provider,” he said.

“It's a combination of the cloud security specialists, and the window manager who helps you negotiate who's good at understanding how the cloud works. And the commercials of the contract management work with the cloud service providers to come up with a good scalable and maintainable contract that gives you a good return on investment.” 

According to BT's Barker, organisations need to be having a conversation about the embedding of security right from the start of their cloud transition, taking a security-by-design approach.

© Digital Nation
Tags:

Most Read Articles