The new normal needs new cloud security

A new cloud security study from Netwrix states that 54 percent of enterprises that use cloud for data storage reported security incidents in 2020. I assume these were all minor ones, seeing that few reached the news cycle, as major problems are prone to do. 

My guess is that most enterprises only disclose about 10 percent of the cloud security problems they encounter. Perhaps it’s comparable to the “alternative truths” many people tell their doctors about how many drinks, sweets, carbs, fats, drugs, or cigarettes they consume. It’s not like we want to brag about our shortcomings. Often it’s only when our bad habits endanger some part of our body or life that we come completely clean to our physician. That’s not a scientific comparison, but I believe the frequency of enterprise cloud security problems is fairly analogous. We admit to problems only when necessary.

Perhaps that’s why the Netwrix study also showed an alarming response that two-thirds of enterprises plan to remove sensitive data from the public cloud providers they use. At a time when cloud computing may have reached its peak importance, we should all sit up and take notice that so many organizations are pulling sensitive data, especially when that number was less than half the year before. This disturbing trend points toward a shift in enterprise focus away from the business continuity systems that were designed for the traditional use of public clouds, systems that actually helped smooth the sudden shift from working on site to working from home. 

What’s happening?

I think many enterprises have finally had a moment to take stock of the past year and have begun to fret about the unexpected cloud security challenges they encountered or that they continue to face. Today’s widely distributed, Zoom-using workforces often leverage the cloud in ways we couldn’t imagine a year ago. The increase in security incidents is a likely byproduct of these more ingenious, unplanned uses that almost assuredly tested enterprise cloud security models in ways the models were never designed to address.

Cloud security budgets did not increase when the pandemic hit and workers scattered. This drove an unforeseen reliance on public clouds, such as AWS and Microsoft. The cloud computing attack vectors have tripled for most enterprises, such as potential attacks on home networks where a VPN is useless as a defense. This is the new normal. 

Misconfigured security for cloud resources became commonplace in 2020, and the shared responsibility model is still not well understood. The toughest problem is the lack of skilled cloud management and security talent, and an IT staff that rarely has a good fundamental grasp of what’s in their cloud in the first place. Outside the IT department is a distributed workforce that could become the rule now rather than the exception. To address these new realities, we need to rethink cloud computing security from the ground up. 

First, have security managers oversee remote workers by using distributed credentialing and identity management, and monitor the home networks and home clients. Also, supply adequate funding so cloud security leaders can obtain the security technology they need and the talent to make it successful. 

Second, cloud providers have to step up, too. They need to toss out the old assumptions about how their clouds will be used and their resulting purpose-built security approaches. We need more innovative security to address the new needs of enterprises. 

2020 was a year of exclamation points. Many enterprises leaped ahead years or even a decade into their future plans for cloud computing. Some might never have made the leap if not for the pandemic. We dealt with the fallout as best we could, and most of us were pleasantly surprised at how well the cloud came through when we needed it. Business continuity systems that were built for the cloud kept many enterprises afloat through the crisis. 

That’s why it would be a mistake for the majority of enterprises to contract their data footprint in the cloud or fall back to an internal or on-site IT paradigm. Now that we all have a better idea of what the new normal looks like, it’s time to go back and dot the i’s and cross the t’s. Make IT whole again, and bulletproof the new cloud systems against security failures and vulnerabilities. It’s pretty important stuff. Let’s get to work.