The Security Challenge of Cloud Sprawl

This is a summary of a byline article appearing on Cloud Tech on March 13, 2019.

The transition to cloud has been rapid and unprecedented. According to a report by IDG, barely half (53%) of business today is run on traditional networks, and IDG further predicts that this will drop to less than a third (31%) within the next year or so.

Of course, not even the cloud is immune to digital transformation and consolidation. The biggest indicator of this is the consolidation of the IaaS market, which is by far the largest segment of the cloud marketplace. Forrester has forecast that the six largest public cloud providers (Alibaba, AWS, Azure, Google, IBM, and Oracle) will continue to expand their presence in 2019, pushing many of the smaller providers out of the space, with Goldman-Sachs predicting that the big six cloud providers will control 84% of the market within the next year.

Other cloud markets, like storage and SaaS are also growing rapidly. Nearly every organization on the planet participates in one or more of these, whether they know it or not. Gartner studies, for example, have found that Shadow IT now comprises 30 to 40 percent of IT spending in large enterprises, with the average enterprise using a staggering 1,935 different cloud services, with fewer than 50 of them known to IT. And according to IBM, of the more than 20,000 cloud services in use today, only 8.1 percent meet the strict data security and privacy requirements of enterprises, while Gartner predicts that by 2020 a third of successful attacks experienced by enterprises will be on their Shadow IT resources.

The security challenge of cloud sprawl

“For many organizations, the lure of the freedom and flexibility of the cloud has caused them to adopt and deploy solutions before they have put a comprehensive security strategy in place. In fact, the majority of cloud-based spending in organizations bypasses the CIO, as lines of business are increasingly making decisions for implementing some form of cloud solution within an organization.” - Lior Cohen, Cloud Tech, 13 March 2019

And while, according to IDG, 42% of organizations now have a multi-cloud deployment in place, most organizations do not have any sort of unified system in place for monitoring, managing, or securing their legitimate cloud applications and infrastructures, let alone those that have been adopted by users without IT’s knowledge.

At the same time, failing to address the security challenges of such dramatic cloud sprawl puts your organization at serious risk. Getting out in front of this challenge requires security teams to develop a two-pronged campaign that focuses on human intervention and the adoption of new technologies.

Human intervention

Security leaders need to begin by educating corporate executives, line of business leaders, and users on the risks associated with unsupervised cloud adoption. At the same time, IT teams cannot afford to be seen as restricting business. Your job is to educate users on the range of solutions that meet their needs and that can also be easily integrated into your existing IT security strategy.

Technical strategy

Organizations also need to put technical strategy in place to control the cloud sprawl security issues:

• Integrate security tools: Security tools need to work as a single, integrated system that spans the entire network—including cloud elements that you may not know about.
• Leverage native cloud controls: Security solutions that use native cloud controls to manage and secure cloud resources ensure the fastest and most effective results.
• Span security across clouds: Cloud connectors designed specifically for each cloud environment enable quick and easy deployment of security solutions while ensuring consistent visibility and control across a multi-cloud deployment.
• Implement intent-based segmentation: Intent-based segmentation translates business language into security protocols to isolate resources as they traverse the distributed network, including across and between multi-cloud environments.
• Establish strong access controls: Analyze, process, secure, and monitor every device, application, transaction, or workflow looking to interact with cloud infrastructures and applications.
• Deploy CASB: Cloud access security brokers (CASB) provide visibility, compliance, data security, and threat protection for any cloud-based service being used by an organization—even Shadow IT.

Without comprehensive security policies and solutions in place, cloud adoption can introduce more risk and overhead than most IT teams can absorb. Security leadership teams need to combat this tendency by combining integrated security with a corporate climate committed to proactively protecting cloud-based resources.

This is a summary of an article entitled, “Addressing cloud sprawl: Combining security best practices with business foundations” that first appearing on Cloud Tech on March 13, 2019. 

Read more about how Fortinet secures multi-cloud environments with our Security Fabric.