I’ve written about cloud security many times, including this post from 2021. The report I referenced found that misconfigured cloud servers caused 19% of data breaches.
Corroborative data is available from public cloud providers that fight this daily. Microsoft analyzed the anonymized data of real cyberthreat activity and, according to the company’s Cyber Signals report, found that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices. For those of you who don’t understand technical jargon, this means human mistakes explode security risk levels.
The answer to enterprise security problems is still the worst-kept secret ever: Remove humans from the process. When done right, security automation will eliminate most of the ongoing risk that an attack will be successful.
Automation is the natural evolution of security. However, many enterprises still operate in a reactive state: “We’re being attacked! Somebody do something!” More and more enterprises are moving to a proactive state: A team reads emails in the morning to determine how many attacks occurred and how the security systems prevented the breach attempts by using automated services such as artificial intelligence, security orchestration, cross-cloud security management, and so forth.
The common objective is to have a layer of automation that can proactively avoid any misconfigurations as well as provide ongoing security operations. Any attacks, be they ransomware or distributed denial of service, are defeated by automation alone—not by somebody getting a text at 3:00 a.m. and running to their laptop.
Automated security is better. So why do so many enterprises still rely on mostly manual security systems whose risks for cloud and non-cloud systems have been demonstrated over and over?
In my experience, it’s both a lack of understanding and a lack of funding. Many enterprises spend millions on quick lift-and-shift migrations to the cloud. For the most part, they also lift and shift the same security tools and talent from the enterprise data center.
Lack of understanding is really the largest problem. Most security professionals understand their as-is state in terms of sound security processes and the security technology stack. However, they fail to convince their leadership that upgrading the security configuration from mostly manual to mostly automated is worth the many millions of dollars it will cost to do it right. Something needs to catch on fire before anyone with influence over budgets will change course. Obviously, that is also a failure of leadership.
An analogy would be the rush to cloud during the pandemic. Many in the enterprise beyond IT soon understood the vulnerabilities of maintaining onsite hardware and software during a natural disaster. Spending quickly shifted to the cloud, but few in or out of IT initially understood the full implications of lift-and-shift strategies. As a result, many enterprises had to “touch the stove” to learn that hard lesson. It appears cloud security will be no different. Hopefully, those learning experiences will not take the business down in the process.
This leads to funding. How do you determine if something is a priority for an enterprise? If there is little or no increase in funding, it’s not a priority. Of course, lack of understanding leads to lack of funding because there is no urgency to move to completely automated solutions. That is, until something happens to change priorities, as I mentioned.
It’s a dysfunctional dance if you ask me. Why can’t we justify locking a door until someone tries to break in, even when we know multiple wolves are at the door with specific plans to break in?
Yes, the lock is expensive. But how expensive is it to deal with theft and bad PR? Customers and shareholders will not care how much an enterprise saved on security automation and skills when customer data goes up for sale on the dark web, or a local hospital’s critical systems are held hostage by ransomware, or a company’s stock price tanks overnight because of a breach.
The press might focus on the public cloud provider’s security, but that red herring won’t last long. Public cloud provider security is not a problem at this point; cloud security surpassed that of on-premises systems a long time ago.
It’s time to do the right things with the right tools and make cloud security a much higher priority than it is now. Lock the door.