Steve Zurier | scmagazine.com »
IBM on Friday reported that some 70% of IT pros surveyed say their teams lack the skills needed to sufficiently manage cloud environments.
And while more than half are concerned about security, 53% said ensuring compliance in the cloud has become too difficult.
Another 71% of respondents also say it’s now difficult to realize the full potential of a digital transformation without having a solid hybrid cloud strategy in place.
“As we see regulatory requirements grow across the globe, compliance is top of mind for business leaders,” said Howard Boville, who heads up the IBM Cloud Platform “This concern is even greater for those in highly regulated industries. Yet, at the same time, they face a growing threat landscape — one that demands holistic management of their multi-cloud environments to avoid the risks of a Frankencloud — an environment that’s so disconnected, it’s difficult to navigate and nearly impossible to secure, particularly against third- and fourth-party risks.”
Claude Mandy, chief evangelist of data security at Symmetry Systems, said IBM’s research points to a common challenge for businesses adopting a hybrid cloud approach: the complexity of operating in hybrid and multi-cloud environments. Mandy said this complexity gets introduced by nuances and differences between each cloud — especially their security settings and features.
“The continuous release of new (and sometimes unique) security features and nuanced configuration settings from each cloud service provider further complicates an organization’s ability to drive consistent security across hybrid clouds and thereby comply with increasingly data centric regulatory and compliance requirements,” Mandy said. “It’s already difficult for organizations without experience, skills, purpose-built tools, and seat belts to protect the organization to undergo a digital transformation to the cloud. Doing this in hybrid and multi-cloud environments can exponentially increase the complexity and difficulty and need for skills that are in high demand.
Davis McCarthy, principal security researcher at Valtix, said because cloud security combines networking, software, business operations and people in new ways, organizations face unknown risks. McCarthy said workload security has become complex, especially when multi-cloud environments support different aspects of a business and need to adhere to different standards. McCarthy said security teams often lose visibility into incidents, while the auditors struggle to know if they meet the baseline for compliance.
“And the shortage of cybersecurity professionals is related to the global adoption of technology,” McCarthy said. “Whether it was for business or personal use — all of those IoT devices, databases, electronics in cars, and cell phones needed security, but we didn’t build security in from the start. Now, we’re playing cleanup, with few custodians. Rapid enterprise migration to the cloud and their embrace of SaaS compounds the problem as we’ve jumped ahead before our collective cleanup was done. As technologies become more powerful and complex, and their security risk greater, we need cross-domain knowledge to support cybersecurity and the cloud–like networking, software development, and data analysis.”
Sanjay Raja, vice president of product marketing and solutions at Gurucul, added that the limitations to securing and achieving compliance for hybrid cloud environments are directly attributable to two factors:
First, Raja said the majority of vendors that have on-premises solutions and claim to support cloud environments have simply “lifted and shifted” existing technology rather than architect their software to work optimally in cloud environments. Unfortunately, we need to rebuild existing software completely as 100% cloud-native versus attempting to retrofit a solution to work in the cloud. Raja said too many vendors take the latter approach to falsely claim “cloud or hybrid-cloud support.”
“What results is the second issue, which is poor cloud visibility that means security and compliance teams do not achieve the same or as in-depth monitoring, detection and response playbooks as on-premise solutions are capable of,” Raja said. “Worse, vendor claims of having cloud analytics are mostly false. Very few have a strong suite of threat detection models and analytics to properly identify a cloud-obfuscated attack campaign and simply do basic event correlation, while claiming this as analytics. Organizations need to ask hard questions about true cloud-native solutions that support hybrid environments and the depth of cloud security analytics even if they truly want to achieve security and compliance in support of digital transformation business goals.”
Security teams lack the skills to manage cloud environments