Cloud security and IT security in general often overlook complexity. It’s not taught in security courses, and most experts don’t consider it in risk analytics.
It’s a fact that most enterprises put security teams and tools in a silo. It drives me nuts when I see these bad habits carried over to cloud computing security. I covered this topic three years ago, and for the most part, it’s unchanged.
Many of today’s security breaches are due to human error. A study by Ponemon and IBM indicates that misconfigured cloud servers cause 19% of data breaches. The cost? A half-million dollars per breach. The cause? Most of the time, too many moving parts for security teams to keep secure. They lose track, things are misconfigured, and the breach occurs. Simple.
Complexity is not new; it’s been creeping up on us for years. More recently, multicloud and other complicated, heterogeneous platform deployments have accelerated overly complex deployments. At the same time, security budgets, approaches, and tools have remained static. As complexity rises, the risk of breach accelerates at approximately the same rate.
Most IT shops don’t consider complexity a significant metric to track when researching cybersecurity or cloud security. It’s often neglected because most security is a siloed set of processes. The architecture teams look at security as a black box where stuff is tossed over a wall and somehow magically becomes secure.
We’ve needed to integrate security with development, architecture, and operations for a long time. Some organizations practice devsecops (development, security, and operations) and integrate these concepts, bringing everyone’s expertise to bear on all problems.
In an ideal world, security is never somebody else’s problem because the lines of demarcation between development, architecture, security, and operations do not exist. Everyone works together across all development, design, and deployment aspects. Security is systemic to everything, which is the correct way to view it.
When security is everywhere, it also becomes a factor when defining core cloud and non-cloud architectures, including the amount of complexity introduced and how to effectively manage it. This includes addressing increased security risks through security operations. Many approaches, concepts, and technologies can be used to manage and lower risk while simultaneously increasing the value delivered to the business.
As we enter 2023, it’s a bit disconcerting that we still live with security risks due to rising complexity or siloed approaches. The culture in many enterprises perpetuates our inability to manage things. Too many in IT still say, “You stay in your corner of IT while I’ll stay in mine.”
This is no way to do cloud computing or cloud security and expect to succeed. Let’s look in the mirror and see what we can improve as we go into the new year.


