Security: The foundation for transformation success
Edarat Group
Cloud Service Provider, Data Center Engineering Consulting, DCaaS, Colocation, Edge Computing, Bare Metal
LESSONS FOR LEADERS
Organizations can create extensive and impactful cloud transformation models, but they won't succeed until they lock down one critical element: security.
Think about it. A boat builder can install the most advanced motors, navigation systems, and onboard computers available, but the vessel won't get far if the hull springs a leak. The same goes for today's enterprises. They're building up resources for DevOps, collecting and analyzing data at the edge, and rebalancing applications across platforms. But what happens if this edge-to-cloud environment isn't secure? The transformation takes on water.
Where things stand
Unfortunately, many enterprises are struggling with this critical task. Based on our engagements with customers, we've evaluated enterprise progress in capability in the eight domains making up the HPE Edge to Cloud Adoption Framework.
Security is one of the domain areas organizations are prioritizing, and progress is being made. In fact, security is one of the areas that we see the greatest overall maturity in capability across our engagements, with an average maturity of 2.2 on a scale of 1 to 5, where a score of 3 indicates a cloud-ready organization (see Figure below).
While a successful transformation requires contributions from many diverse components, we find that enterprises that successfully implement a cloud operating model across the organization differ from those challenged in three primary areas of security:
Security controls: Leave the legacy processes behind
With security controls, enterprises are running into problems because they're not adapting to their new environments. While the controls themselves don't change, how they're implemented likely will. They're attempting to use traditional on-premises tools and approaches in a hybrid, cloud-native estate. This doesn't work, and companies that don't appreciate the architectural difference will take more time on their overall transformations and have to spend more money.
Take endpoint protection: antivirus, anti-malware, and post-intrusion detection. Traditional platforms that deploy antivirus capabilities as part of the machine build process check in on a periodic basis, typically daily, weekly, or biweekly. In cloud-native environments, when hosts spin up and down in minutes, traditional tools won't even be aware of the threat landscape that changes on a more frequent basis. This same frequency issue often appears with configuration management databases, which are often a foundation for understanding current system inventory and thus key to understanding the threat landscape. This lack of environmental awareness caused by using traditional tools in a hybrid environment is a hallmark of laggards in our engagements.
领英推荐
From a security perspective, the marketplace is providing more tools that make it easier for organizations to manage security in hybrid environments. Ensuring that tooling for configuration management, logging and monitoring, encryption, and threat and vulnerability management supports a hybrid context is an important way for organizations to generate quick wins.
Where we've seen organizations excel in this area, they've adopted hybrid tools that support both traditional and cloud-native environments. They have also adapted their standard operating procedures to leverage the benefits these tools bring across their entire IT ecosystem. Take a cloud-native approach and pull it into your traditional environment to more quickly and more broadly modernize your security capabilities.
For example, a financial services organization had deployed a container image scanning tool at the end of a development pipeline for its cloud environment. Taking a shift-left approach, the organization moved the tool to the beginning of its pipeline across all environments. Doing so drove greater adoption of container image standards across both cloud and traditional environments, accelerated deployment velocity, and enhanced the traditional environment's security posture. The key value driver was simply a change in the operating model.
Governance: Have your security and operations teams adapted to your new operating model?
A common issue among organizations struggling to make progress shifting their security capabilities toward a cloud model is in the skills and approach of their security and operations teams.
In a cloud operating model, the same control requirements, control frameworks, and regulatory requirements still exist. But how they're implemented is different. Cloud uses ephemeral resources, different networking constructs, and different concepts of the edge of a network—and that requires different skills to manage the infrastructure.
If a security team understands only classic data center, three-tiered architecture, it's going to struggle in a hybrid environment. It would be like putting a basketball player on a football field; they're playing different games. It's essential to offer security staff upskilling opportunities to help them understand the differences in approach and how to adapt classic security controls accordingly. “The cybersecurity field has struggled with a talent gap for years,” Ford says. “Now, the cloud environment is widening that gap. It’s essential to train the team you have for your changing environment.”
Organizations that don't upskill their SOC to ensure they have people who understand cloud-native architectures will entirely miss threats; they simply won't know what to look for. If an organization creates accounts and access rights using IaC, for example, the information sits in a repository that developers have access to as part of a pipeline or process. There's no longer a fortress of security; security elements change regularly using IaC.
The attack vectors to look for have also changed dramatically. Organizations no longer worry about a secure network of devices. That's a classic security approach: to make a really tough perimeter. Now, they have to think about a network of secure devices. Every device has to become secure. That's a different, zero trust-oriented architectural mindset that has to be understood.
The discipline of security is still going to be the same. Organizations still need security experts. Rather than assign cloud experts more responsibility over security, it's better to upskill the security team to understand the hybrid architecture.
Moving forward: Addressing cultural factors and risk objectives
Why are organizations slow to adopt new practices to upgrade their security infrastructures? Usually, it boils down to culture and objectives. It's not unusual to see a wall between a security organization and the rest of the IT organization. That creates a natural tension, inhibiting communication and collaboration. Moreover, a lot of security organizations are resistant to change, even though the need to transform is often most acute in security organizations.
On the objectives side, companies may not be balancing their business objectives with their risk objectives. Leaders need to encourage a holistic assessment of objectives for revenue, business development, and risk so that they can find the right balance of approach to help the business move fast and securely. “Business intelligence is just as important as threat intelligence when it comes to maturing your risk management program,” Ford says.
Where we see organizations progress in security for cloud operating models, they've taken measured steps to address cultural and goal alignment issues. The organizations are ultimately more effective at putting in place the people, process, and tool changes necessary to deliver modern security across their entire estate.