A few weeks ago, TechRepublic posted an article about “how to beef up your multi-cloud security.” A Valtix study found that IT leaders believe “employees lack the necessary skills to manage multi-cloud security.” 95% of survey respondents said they’re prioritizing multi-cloud in 2022. However, only 54% said they feel confident that they have the tools and skills necessary to achieve this goal. More than 75% believe that multi-cloud operations are underfunded at their company. 67% of the IT leaders feel their own “employees lack the necessary skills to manage multi-cloud security.” Only slightly more than half of respondents are confident that network or host-based security is in place across all their public cloud accounts.
We asked our Chief Architect and Executive Security Director, Lonnie Buchanan, to share his thoughts and insights.
Are the statistics from the findings of Valtix’s study surprising to you?
It is a little higher, though not much higher than I would have expected. This is the result of many companies embracing all things cloud with little to no governance or control of how it is used. Many organizations are now dealing with the backlash of embracing the cloud without proper planning and control. There are many variations between cloud vendors. Designing systems that can span those differences can be complex and difficult. Teams that are not experienced, have limited support or lack proper training can quickly find themselves in trouble.
How can employees level up their skills in multi-cloud security to make IT leaders sleep better at night?
There are several things that IT leaders can do to sleep better at night:
First, they need to implement good, proven governance and standards policies. Then they need to diligently enforce those policies.
Next, training is vital. Many of the major information security training firms have been preparing for the last few years by adding or enhancing their portfolio of instruction materials. Leaders need to guarantee that their teams are properly educated and kept abreast of relative security measures.
Finally, security personnel needs to stay engaged with both cloud vendors and industry experts to understand where the market is moving. However, none of these will prove effective without buy-in and active support from organizational leaders.
What tools should be utilized to correctly prioritize multi-cloud security?
The tool landscape is racing to figure this out. For example, unifying the security management overhead conversely affects the operational complexity. Many believe we will see an increase in third-party virtual appliances and centralized Identity and Access Management solutions but that is probably just the tip of the iceberg. Cloud Management Platforms, Hardware-based security, trusted execution environments, and multi-cloud key management services are being actively tested at this time. This is also a good place where technologies and practices that have already been proven like, Chaos engineering and AI, can step in and help out.
What does a fully funded multi-cloud security program look like? What are the advantages? Challenges?
The first thing to realize is that security must be central to multi-cloud approaches. There are no excuses and no alternatives. Multi-cloud without security as the priority is a multi-cloud that is ripe for malicious activities.
The second thing to understand is that no one vendor has the complete answer. One of the most exciting characteristics of cloud development is the rate at which it can change. This also creates one of the most daunting obstacles. New features and options released by one vendor can quickly break an existing solution. Clouds that are tied together can cause exponential failures if changes are not correctly taken into account. Security vendors will need to learn to adapt rapidly to meet demand, but still in a way that allows them to understand the changes.
The third is better understanding across the enterprise. Adding security or third-party tools can create new hurdles and, in some cases, even negate certain cloud-based advantages. Governance and security must be taken seriously and observed across the entire business. Too many times organizations “look the other way” or fail to follow through with security plans. Failure to comprehend the risks is still a major issue at many companies. Partners, customers, and regulatory bodies will not accept excuses for not creating proper security postures.