{"id":98564,"date":"2019-05-09T13:00:05","date_gmt":"2019-05-09T20:00:05","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=98564"},"modified":"2019-05-22T15:20:54","modified_gmt":"2019-05-22T22:20:54","slug":"cloud-set-it-and-forget-it-not-for-cloud-security","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2019\/05\/cloud-set-it-and-forget-it-not-for-cloud-security\/","title":{"rendered":"Set It and Forget It? Not for Cloud Security"},"content":{"rendered":"<p>The public cloud market is outpacing almost every other segment of the IT industry. According to a report from research firm Forrester, the public cloud market will double from its current size to reach <strong><a href=\"https:\/\/www.forrester.com\/report\/The+Public+Cloud+Services+Market+Will+Grow+Rapidly+To+236+Billion+In+2020\/-\/E-RES132004\" rel=\"nofollow,noopener\" >$236 billion by the year 2020<\/a>.<\/strong> But that doesn\u2019t mean there aren\u2019t big problems when it comes to cloud adoption \u2013 especially with respect to security and regulatory compliance concerns.<\/p>\n<p>According to the <a href=\"https:\/\/start.paloaltonetworks.com\/cloud-security-report-2018\">2018 Cloud Security Report<\/a>, while adoption of public cloud computing continues to surge, security concerns are showing no signs of abating, as <strong>91% of organizations today are concerned about cloud security.<\/strong> These security concerns are led by protecting against data loss and leakage (67%), threats to data privacy (61%), and breaches of confidentiality (53%) \u2013 all up compared to the previous year.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-98565 alignleft lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Set-it-and-forget-it_unsplash.png\" alt=\"\" width=\"170\" height=\"129\" 
srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Set-it-and-forget-it_unsplash.png 383w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Set-it-and-forget-it_unsplash-230x174.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Set-it-and-forget-it_unsplash-53x40.png 53w\" sizes=\"auto, (max-width: 170px) 100vw, 170px\" \/>There is also the other extreme: those who view the public cloud as inherently secure - like some form of Ronco rotisserie oven, whereby the security mindset and approach is \u201cset it and forget it\u201d.<\/p>\n<p>Well, neither of these views is accurate. Cloud security is neither an oxymoron, nor a security panacea. That said, there are distinct differences and challenges, which follow:<\/p>\n<p>&nbsp;<\/p>\n<p><strong>The abstracted nature of cloud computing <\/strong><\/p>\n<p>This abstraction and lack of visibility is an important challenge, especially for those who are new to cloud security and don\u2019t necessarily understand the responsibility breakdown, that is to say, where their security responsibility ends and where the responsibility of the cloud platform\/service provider begins (or vice versa). Moving to the cloud requires a shift in mindset. Leave the data center concepts behind and accept the loss of natural visibility. (Remember, though, there are <a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-cloud\/redlock\">tools<\/a> like RedLock available to provide the required level of visibility to secure your business\u2019 multi-cloud adoption.)<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Compliance in cloud vs. on-premises<\/strong><\/p>\n<p>There\u2019s a big difference between what policy and regulatory compliance looks like in public cloud systems versus what it looks like in cloud software services and the data center. 
The cloud is dynamic, which makes the traditional change control and configuration management practices used on premises extremely difficult to apply. Add the fact that none of the compliance standards, such as PCI, HIPAA, GDPR and others, were written for cloud environments. This means that someone must manually do the hard work of translating abstract requirements into specific technical controls for each cloud service. Considering the thousands of features that CSPs add each year, the amount of time and resources required to keep this up to date is exponential.<\/p>\n<p>The Center for Internet Security is helping to <a href=\"https:\/\/www.cisecurity.org\/\" rel=\"nofollow,noopener\" >map<\/a> security controls and compliance requirements back to whichever services are running in the cloud. However, it\u2019s critically important that organizations implement tools or processes that provide details and context around what's compliant and what's not, for both regulatory compliance and security compliance controls.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Managing data to its classification<\/strong><\/p>\n<p>There are many who contend that critical data shouldn\u2019t be put in the cloud. Regardless of one\u2019s feelings on the subject, critical data is likely going to end up in the cloud (if it\u2019s not already there). In many of the surveys I see, about half of respondents are putting data that is critical or sensitive to their enterprise in cloud systems. In fact, many enterprises are using cloud service providers to hold financial and health-related data. There are serious questions about how to manage this data in the cloud, as well as how to manage SaaS and other cloud providers who deal with sensitive data.<\/p>\n<p>The reality is that it\u2019s become fiscally attractive for organizations to use the cloud to store large volumes of unstructured data for backup, machine learning, data lakes, etc. 
But most of the time, it is impossible for enterprises to know which types of data are stored in these environments, making data classification extremely important. It's one thing to expose a data set containing nonpublic information, say a marketing website\u2019s content hosted in an S3 bucket. A business can bounce back relatively unscathed. It\u2019s quite another to expose a bucket containing names and account numbers for all your customers. The negative backlash can be too much to overcome.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>The continuous nature of cloud<\/strong><\/p>\n<p>The cloud is always on. And unlike the controlled, scheduled and top-down regimented days gone by, cloud updates are born from continuously delivered software pipelines in organizations where there is a considerable push for agility and continuous updates. This requires DevOps teams to build tools and services that support faster deployment and gather system data and feedback more rapidly, so that they can iterate and improve quickly.<\/p>\n<p>This drive toward continuous computing and continuous software enhancements should play well for security. When it\u2019s approached correctly, enterprises can gather continuous data about the state of their cloud security posture and the types of security controls and compliance rules in place; plus, identity and encryption policies can be viewed in real time to track how the entirety of their security strategy is working in the cloud. And for many of the challenges I listed above, continuous real-time monitoring is an absolute necessity. If you\u2019d like, you can give continuous monitoring a try in your cloud environment. <a href=\"https:\/\/marketplace.paloaltonetworks.com\/s\/product-rdl\">Stop by our Marketplace<\/a>.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In public clouds like AWS, Azure and GCP you need to ensure that security is continuous to match the dynamic nature of the cloud. 
There is no \u201cset it and forget it\u201d mode. <\/p>\n","protected":false},"author":631,"featured_media":99000,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768],"tags":[6775,876,6597],"coauthors":[6733],"class_list":["post-98564","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","tag-continuous-monitoring","tag-public-cloud","tag-redlock"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Set-it-and-forget-it_unsplash-440x280.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/631"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=98564"}],"version-history":[{"count":6,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98564\/revisions"}],"predecessor-version":[{"id":98583,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98564\/revisions\/98583"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/99000"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=98564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"
https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=98564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=98564"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=98564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}