Organizations are going through a digital journey, exploiting digital systems to create new services, get closer to their customers and improve efficiency. This process was accelerated by the COVID pandemic, when survival depended upon being able to change. The result is a fragmented IT environment that spans multiple cloud services as well as on-premises and edge infrastructure. The challenge now is how to manage the complexity this has created.
There are now many solutions on the market with acronyms like CSPM, CNAPP, CIEM, CWPP. What are these solutions, and do they really help?
Digital Transformation has exploited cloud services because of the flexibility they provide. When organizations depended upon physical IT resources, as well as carrying a high capital cost, it could take months to get hold of equipment, which would then quickly become obsolete. Virtual IT resources delivered through cloud services provide a flexible alternative. DevOps teams can use them to meet business needs in a way that is agile and responsive to feedback. You only pay for what you use, and if a project is successful you can easily scale up to meet demand.
However, this has led to real and tangible challenges. According to the Cloud Migration Stats - 2022 Flexera State of the Cloud Report, the top challenges of today’s multi-cloud hybrid IT are:
· Security – with 85% of organizations reporting this as an inhibitor
· Risk and Compliance – with 76% of organizations reporting this as a challenge
· Managing Cloud Cost – with 81% of organizations reporting this as a challenge
Worse still, the survey shows that these challenges are growing year on year, not decreasing.
These are challenges of governance. Business-critical applications now depend upon multiple services from multiple providers. Service levels must be set by business needs, but mapping multiple SLAs across clouds is difficult. Furthermore, each cloud service provides its own, different management capabilities and security tools. This imposes an extra management burden for each cloud service and leads to ad hoc governance of today’s multi-cloud hybrid IT.
Not only that, but the virtual resources are ephemeral – created just as they are needed and destroyed as soon as they are not. The risks, however, are not transient, and a cyber threat needs only microseconds to create damage.
Organizations need the tools and capabilities to monitor and manage this complex multi-cloud IT environment in a consistent way. These include:
· An inventory of service components (physical, virtual and software)
· Protection for data – classification, encryption, and backup
· Vulnerability Management
· Network security controls
· Identity governance
· Management as well as monitoring
The major cloud services all provide tools to secure and manage their own environment. These are mostly different from the ones organizations use for their on-premises IT. Most organizations do not have enough people with skills in all the tools for all the environments, and so are turning to managed cloud services.
In addition to differences between clouds there are also differences between environments. Managing IaaS starts with managing virtual machines, networks, and storage. DevOps, meanwhile, is mainly based on microservices and containers, which adds another layer to be managed and secured and introduces yet more management tools. Some vendors suggest that customers should adopt the solution of reengineering everything as microservices. This is hardly practical.
At the same time, new tools have emerged which vendors claim will solve these problems by providing a single pane of glass. These are primarily focused on the cloud, with Cloud Security Posture Management (CSPM) being promoted as an answer to the hybrid cloud governance challenge. However, it provides only part of the solution. Other tools include:
· CASB – covers SaaS, providing an inventory of services and controls over access.
· SASE – the convergence of SWG, VPN and DNS, providing secure access; it has absorbed CASB.
· CIEM – focuses on infrastructure elements, providing visibility and control.
· CWPP / CNAPP – protection for container-based DevOps workloads.
Business-driven IT is no longer about managing static services in a single environment. It must support the new dynamic and volatile services, workloads and resources that are delivered through DevOps and that exploit multi-cloud and software-defined resources.
Dynamic IT needs Dynamic Security Management that covers more than just infrastructure and that enforces just-in-time security and access controls, such as least privilege, together with just-in-time monitoring, detection, and remediation.
KuppingerCole calls this Dynamic Resource Entitlement and Access Management. It is based on policies rather than static controls; it automates enforcement based on these policies and hence enables governance of dynamic IT.
For more information on this, check out the EIC sessions.