The Current State of Securing Cloud Workloads and Tackling Cloud Complexity
Learn more about the current state of cloud security.
As we’re stepping into 2019, now is a good time to look back at 2018 and reflect on the world of cloud security. A recent survey of ours, in partnership with Informa Engage, asked over 300 DevOps and security professionals about their role in their organization, their plans for the coming year, and how secure they felt about their organization’s existing cloud architecture. The results revealed that as more organizations embrace new, distributed architectures, they lack the tools and specialization to keep up with the pace of security threats. Specifically, as more and more companies adopt hybrid- and multi-cloud approaches, relying on Kubernetes and service mesh as the supporting infrastructure, the complexity these distributed architectures create has the potential to slow critical business functions in the absence of an integrated security approach.
Reviewing the breakdown of survey results gives us a glimpse into where the developer, security, and operations teams will focus their efforts in the coming months, where the gaps in security currently lie, and the state of cloud computing as a whole.
Hybrid Cloud and Distributed Workloads Are Now the Norm
Currently, there is a move towards more complex infrastructure, with the survey reporting that hybrid- and multi-cloud approaches now make up more than three-quarters of all configurations (77 percent). The report also revealed that within these complex cloud infrastructures, workload complexity is also increasing. While virtual machines (VMs) remain the most common cloud computing environment (83 percent), containers (37 percent), serverless (28 percent), and service mesh (21 percent) are gaining traction.
Distributed Cloud Environments Mean New Roles and More Tools for DevSecOps
New, distributed cloud-native architectures and workloads, such as serverless and service mesh, are creating more complexity and therefore some confusion amongst cloud providers and DevSecOps teams about who owns the security and how it is addressed throughout the organization. According to the report, fewer than half of organizations (45 percent) now have a dedicated security team responsible for the cloud.
Across the board, we continue to see that organizations are assigning security responsibility to a number of different teams, with no clear direction on where DevOps teams fit into the security mix.
This uncertainty about ownership creates gaps in security, which are often patched by DevOps teams integrating more and more point solutions that mitigate these security risks. More tools that can address evolving security risks are great, but they also increase the current complexity of cloud environments. According to the report, over two-thirds (75 percent) of organizations expect to increase the number of tools in use over the next twelve months, with no one expecting to retire any tools currently in use. Also, one-third of organizations reported they are already using more than five tools for cloud security. Each of these existing and new tools needs to be monitored and managed, and adding more means that DevOps teams are stretched thin.
Unification and Automation Seem to Solve Part of the Problem
In addition to added complexity, one thing causing even more issues for DevSecOps teams is that more than half (60 percent) of organizations still rely on manual configurations of security policies for their apps. Simultaneously, almost all organizations (90 percent) rely on multiple individuals to configure and set policy rules. The rapid increase of cloud security tools and lack of staff to manage those tools can leave organizations vulnerable.
Manual implementation of security policies can sometimes require 3 or more team members. The sheer number of people needed, compounded with the number of policies that have to be configured, can slow down business velocity. This makes an argument for the industry to adopt unified tools that solve more than traditional point solutions, utilizing the benefits of automation to offload some of the manual procedures burdening organizations' DevSecOps teams. It also speaks to the need for uniform and practical management of security policies to control disparate and cloud-native services, infrastructure, and environments. Without intelligent policy automation, organizations are left with decentralized configurations and a number of Dev, Sec and Ops team members stretched thin across capabilities.
A Consolidated Approach to Security
Looking forward, modern organizations will likely benefit from a consolidated security approach that will support business velocity and tackle the challenges associated with the overhead of multiple tools in use. Additionally, modern teams can’t assume that emerging technologies like serverless are secure, and need practical and uniform enforcement and management of security policies to control disparate and cloud-native services, infrastructure, and environments.