For any IT professional — or for that matter, business professional — the shift to cloud architectures has brought with it a new array of challenges and threats. These, in turn, require a new approach to security integrated into more modern delivery models to ensure that the cloud delivers the intended value without generating unacceptable risks.
And while it’s common to think of such risks as strictly external (such as hackers, criminal organizations, or malware), internal dangers are far more daunting and common.
According to Gartner, an incredible 99% of cloud security failures in the near future will arise from misconfiguration or mismanagement through human error by the customer themselves. And of these failures, three in four will fall under the heading of identity management. That is, the logical access rights and privileges meant to secure access to services and data simply will not be effective and, if not addressed, could lead to a breach.
Creating, managing, and securing resources and identities within a growing feature-rich cloud platform is increasingly complicated. Given cloud-hosted services that execute entirely outside the company’s own IT infrastructure, conventional notions of defending its logical perimeter simply don’t apply. Traditional approaches to IT security, and the solutions deployed to support them, really no longer suffice.
Organizations adopting a multi-cloud account organizational hierarchy or even a multi-vendor cloud-agnostic strategy further exacerbates this problem. Securing resources within a single provider where controls are complementary to its ecosystem is complex enough; however, managing them across distributed heterogeneous multi-vendor services could feel impossible without the proper tooling and safeguards.
The reality is that cloud workload security is a shared responsibility between the cloud vendor and cloud customer. Cloud providers must ensure a rich framework of feature-rich functional and security-related services. In return, customers must wield the tools as intended with expert understanding and consistency.
Among other relevant questions a cloud customer must ask include:
• Is the cloud architecture adequately configured and secured following proven best practices? Do we have the in-house expertise to understand those best practices and specific means of implementation across completely different clouds like Amazon Web Services, Microsoft Azure, and Google Cloud?
• How are user identities established, modified over time, and verified to provide only the necessary levels of privileged access in any case— and no more? As employees enter and leave the organization or change roles, all their access privileges, spanning all cloud services, must change in lockstep. Systems and applications must also be authenticated and validated in any network transaction involving the cloud. And as the organization grows, taking on a more significant headcount and a broader array of cloud capabilities, the real challenge of identity management will only grow in proportion.
• How quickly, comprehensively, and accurately can you identify valuable or sensitive data within the cloud — and how swiftly and effectively remediate problems? This data challenge is carried forward from the on-premise world. However, the near-infinite scale available to cloud customers makes the blast impact potentially far more consequential given growing data lakes and the readiness of derived data intelligence that may come from it when machine learning is applied.
Not all data is created equal. Like all business assets, protect data in proportion to its business value and priority. But a manual assessment and categorization of data sensitivity can be a slow and potentially inaccurate process, prone to inadvertent human error and the many unfortunate consequences that such error can yield. When combined with the vast volumes of daily data, it becomes a mountain impossible to scale.
Organizations taking full advantage of clouds today are looking to fortify the security of cloud workloads automatically, such as via:
• Automated configuration and compliance assurance. If sufficiently advanced and intelligent, tools can evaluate a given cloud’s security configuration on their own, looking for situations in which a configuration violates abstract best practices (such as NIST) and then guiding the team through a fix. This approach heightens visibility and reduces to a bare minimum the chance of human error and, importantly, the time to correct misconfiguration and, in doing so, reduce the likelihood of a threat.
• Automated privileged identity governance. Innovative workload posture tools can automatically detect (1) unused accounts that represent a potential future breach, (2) situations in which accounts have more access rights than job roles demand, and (3) excessive account utilization that might suggest a breach is underway. Collectively, these capabilities significantly help organizations struggling to enforce the rule of least privilege.
• Automated data assessment and protection. If data is sensitive, unexpectedly exposed, or both, workload posture tools should recognize that problem and bringing it to the attention of the cloud customer’s IT team. Advanced tools should even take the next logical step by suggesting a means of remediation and integrating with the cloud architecture to execute that remediation.
Zscaler Workload Posture empowers cloud customers with exactly these capabilities and many more. No matter which services or data organizations deploy into a public cloud, and no matter which cloud they choose, they can, via intelligent automation, bolster workload security with the smallest amount of effort and in the least amount of time.
What to read next