The cloud landscape has drastically transformed all aspects of business—from technology and business models, to the accelerated ability of organizations to deliver software faster and at scale. Despite all the positive changes, however, many companies are hesitant to fully embrace the cloud due to security and/or compliance concerns.
These concerns are valid. While an #ArmorLive Twitter poll of 673 respondents reported that 52% of organizations struggle most with governance and compliance, misconfigurations within the cloud have left customers’ data and applications exposed and vulnerable and resulted in several high-profile breaches. Unfortunately, users, not cloud service providers (CSPs), have often misconfigured their own environments and left their data and applications inadvertently exposed. Between 2017 and 2019 alone, 13 separate misconfiguration incidents resulted in the exposure of more than 920 million records. (For details, see our recent Naked Data whitepaper.)
These breaches and ongoing customer concerns regarding security and compliance have motivated CSPs, such as Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP), to step up their security game and introduce new products and tools to help alleviate the risks. In addition, they’ve moved security from an internal line of business—responsible for securing the infrastructure of the cloud—to an external business unit, with the intent of enhancing customers’ trust in cloud security and, thereby, gaining market share.
Cybersecurity, CSPs & You
AWS, Azure, and GCP have unique sets of characteristics that translate into advantages or disadvantages that make them the right fit for different organizations (we will dive into these differences in future blogs). When it comes to cloud security, however, the differences between the three are not substantial.
That’s why—no matter which CSP you decide is best for your environment—it’s important that you as the client understand your role in the Shared Responsibility model and subscribe to it. AWS, Azure and GCP all have their own versions of several security tools to help you with your half of the shared responsibility model—i.e., protecting your data that resides in their cloud infrastructure. That’s great. But in a world plagued with DevOps, cybersecurity talent shortages, alert and tool fatigue, and increasing cybersecurity threats, simply turning on these tools isn’t enough to achieve security. It’s up to developers to decide how to use those security tools appropriately and operationalize security within your environment.
“Operationalization” is a process that goes far beyond simply installing the tools. It involves configuring and tuning them (establishing baselines, custom rules and policy development, etc.), integrating those tools with your environment and with each other, monitoring alerts generated by those tools, correlating the alerts with one another to determine whether they should be escalated into an incident, and developing the orchestration and automation needed to respond quickly and effectively to identified threats.
DevOps versus DevSecOps
Cloud developers typically have a “builder” mindset when it comes to ensuring cloud security. They create tools that fit in with their own DevOps processes and can be deployed within a continuous integration/continuous deployment (CI/CD) pipeline.
Security, however, has traditionally been approached as a “gating” procedure that’s launched at the end of the development process. As a result, it often delays on-schedule deployment, or requires application , which prevents applications from scaling appropriately in the cloud—all of which can negatively impact the satisfaction of customer needs as well as the user experience.
Alternatively, when security is integrated as part of the DevOps process, versus gating after the fact, it can enable the incorporation of security-as-code in the same way development teams implement infrastructure-as-code. This Holy Grail is called .
Security in Your Cloud Environment
To determine which CSP and tools are best for your environment, it’s important to understand the full scope of your security and compliance needs. You need to understand what controls are necessary based on your risk profile, what compliance regulations are mandated, and the layers-and-landscape of your cloud environment: the applications in place, your network, and your host layers.
Most organizations choose to implement a tool that puts appropriate security controls in place at levels of the cloud environment to ensure adequate security. Simply installing them isn’t enough, though. Any tools implemented need to be aligned with each other as well, across the layer spectrum.
This is where vendors like Armor step in. Not only does Armor partner with today’s major cloud providers, we provide unified security-in-depth, with visibility and control at every level of the cloud environment, across multiple platforms.
As we move forward in this series, we’ll look at each of the three major players in the CSP space and explain how you can determine which one will integrate best with your environment to meet your security and compliance needs.