The rapid adoption of cloud and SaaS services has transformed the digital business and fundamentally reshaped the challenge of defending the enterprise against advanced attacks.
Driven initially by the need to cut costs and increase efficiency, the transition to the cloud now serves as an essential conduit for digital transformation projects – from applying advanced analytics to big data sets, to supporting edge computing and devices that underlie everything from smart cities to connected cars. Yet from a security perspective, these new computing models are expanding the attack surface at an alarming rate, introducing new threat vectors across an increasingly dispersed corporate network.
This trend presents a special challenge for strained security teams, who must now cope with an environment where they have limited visibility and control, and where their familiar on-premises security tools are often not applicable. Additionally, the ease with which developers can spin up a cloud instance and bypass the IT or security team can expose the business to considerable risk, demanding a new DevSecOps approach that may be unfamiliar to teams who have grown up on the traditional on-premises network model.
More generally, the security challenges presented by the cloud are largely governed by a Shared Responsibility Model, which delineates the respective areas of the cloud that providers and customers are expected to manage and secure. While the customer’s portion of the Shared Responsibility Model varies across IaaS and SaaS, the general thrust of the Model plainly illustrates that outsourcing certain IT processes to the cloud does not amount to outsourcing your security function altogether.
Most organizations recognize this reality, but few, if any, are satisfied with the cloud-specific security solutions available on the market, nor can they immediately pivot their teams to a DevSecOps approach as an alternative. While many IaaS and SaaS providers offer native security controls to help customers secure their own portion of the Shared Responsibility Model, these controls are often limited in scope and tend to be useful for compliance rather than for proactive, real-time cyber defense. Even within this limited scope, native security controls can only be effective if they have been adequately deployed by the cloud customer.