I found some interesting statistics in that illustrate the severity of the cloud security problem:
- Only 7 percent of businesses have good visibility of all critical data, and 58 percent say they only have slight visibility. ()
- Vulnerabilities: 24 percent of organizations have hosts missing high-severity patches in the public cloud. (RedLock)
- More than three-fourths of security breaches (80%) involve privileged credentials. ()
- Almost half (49 percent) of databases are not encrypted. (RedLock)
It’s pretty depressing, considering that we have technology to solve each of these problems. What’s happening?
Enterprises are either not willing to use the right technology, or they don’t understand that the technology exists. It’s not that the database is unencrypted, it’s that nobody has any idea how to turn on encryption in flight or at rest.
Also at fault are the “it was not on-premises” folks out there. They cling to the fact that since some security feature was not a part of the original on-premises system, it shouldn’t be needed in the cloud.
The time to deal with security issues is when you move from on-premises to the public cloud. You need to spend at least a couple of weeks looking at identity access management, encryption, auditing, proactive security, and more, and then evaluating its viability to your enterprise. Otherwise, you could miss the cloud security boat as you make the migration.
In my opinion, this is the single most important step in migration. It allows you to reflect on what your security needs really are and how to solve them using cloud computing technology which, these days, is better than anything you can find on-premises.
This is also a good time to upgrade your personnel skills. Although some existing security admins can be retrained in cloud-based security, others can’t. Now is the time to drop the hammer on what’s needed, either by retraining or replacement. They’re tough decisions, but the alternative is more unpleasant.
It’s not an excessive amount of work to assure optimal cloud computing security. I understand this is a new world for most of us, but it’s worth the time to do things right up front.