Complexity is the enemy of cloud security

It’s a fact that most enterprises put security teams and tools in a silo. It drives me nuts when I see these bad habits carried over to cloud computing security. I covered this topic three years ago, and for the most part, it’s unchanged.

Many of today’s security breaches are due to human error. A study by Ponemon and IBM indicates that misconfigured cloud servers cause 19% of data breaches. The cost? A half-million dollars per breach. The cause? Most of the time, too many moving parts for security teams to keep secure. They lose track, things are misconfigured, and the breach occurs. Simple.

Complexity is not new; it’s been creeping up on us for years. More recently, multicloud and other complicated, heterogenous platform deployments have accelerated overly complex deployments. At the same time, security budgets, approaches, and tools have remained static. As complexity rises, the risk of breach accelerates at approximately the same rate.

Most IT shops don’t consider complexity a significant metric to track when researching cybersecurity or cloud security. It’s often neglected because most security is a siloed set of processes. The architecture teams look at security as a black box where stuff is tossed over a wall and somehow magically becomes secure.

We’ve needed to integrate security with development, architecture, and operations for a long time. Some organizations practice devsecops (development, security, and operations) and integrate these concepts, bringing everyone’s expertise to bear on all problems.

In an ideal world, security is never somebody else’s problem because the lines of demarcation between development, architecture, security, and operations do not exist. Everyone works together across all development, design, and deployment aspects. Security is systemic to everything, which is the correct way to view it.

When security is everywhere, it also becomes a factor when defining core cloud and non-cloud architectures, including the amount of complexity introduced and how to effectively manage it. This includes addressing increased security risks through security operations. Many approaches, concepts, and technologies can be used to manage and lower risk while simultaneously increasing the value delivered to the business.

As we enter 2023, it’s a bit disconcerting that we still live with security risks due to rising complexity or siloed approaches. The culture in many enterprises perpetuates our inability to manage things. Too many in IT still say, “You stay in your corner of IT while I’ll stay in mine.”

This is no way to do cloud computing or cloud security and expect to succeed. Let’s look in the mirror and see what we can improve as we go into the new year.