Most organizations are operating in multiple cloud properties in addition to their own on-premises private cloud. For the past three years we've asked about the challenges and frustrations professionals in every role within IT experience while operating in this mode.
Every year the top answer is the same: consistency.
This is no surprise. Organizations are still largely working as siloed teams, and the introduction of public cloud hasn't changed that. In fact, it's largely expanded the number of siloes as cloud-focused teams are often necessary to properly adapt to the unique dashboards, consoles, and ways of operating each individual public cloud.
This reality makes it harder to secure applications for which organizations—not cloud providers—are responsible. The challenges arise in part from the use of heterogenous security services that may or may not provide the parity of policies required to sufficiently secure an application according to company expectations. The capabilities of one security service may not be the same of another. If there is functionality you depend on to protect an application and it is available in one cloud but not the other, you can't achieve consistent security.
So it was no surprise that a report from Sophos on the State of Cloud Security 2020 found greater numbers of security incidents amongst those organizations operating in multiple cloud properties:
"Multi-cloud organizations reported more security incidents in the last 12 months. Seventy-three percent of the organizations surveyed were using two or more public cloud providers and reported more security incidents as those using a single platform."
The report further clarified the source of those incidents, finding that security gaps caused by misconfiguration were exploited in 66% of attacks, further falling into three categories:
- 33% Cloud account credentials stolen
- 22% Cloud resource misconfiguration
- 44% Misconfigured web application firewall
Misconfiguration can be the result of many things. Typos are common. Misinterpreting terminology or misunderstanding the policy model can be another.
To reduce typos and other human-introduced errors, automation often comes into play. But it doesn't help with the latter, where differences in policy models and languages can be a source of confusion that leads to misconfigurations.
The best answer today to solving the issue of misconfiguration is standardization. Choosing a standard set of security services that operate in every environment you need them to operate in will go a long way toward eliminating misconfigurations. By focusing on a single set of security services, skills gained are retained across cloud properties. Expertise is built on experience, and by focusing on a narrower set of policy languages and models, organizations can more confidently approach securing applications in any environment.
Standardization also acts as a force multiplier for automation by enabling the reuse of code, scripts, and templates that provision, deploy, and manage security services across multiple clouds. The automation artifacts become hardened and optimized by use and reuse, which inspires greater confidence in the use of cloud.
Cloud is here to stay, as is the reality of multiple clouds per organization. But that doesn't mean we need to accept the reality of increasing security incidents. By deliberately approaching security services with an eye toward standardization and attention toward internal organizational structures that may be impeding collaboration, organizations can take positive steps toward improving security, expanding automation, and optimizing the skills and expertise of their most valuable assets—their people.
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...