Over the last few years, enterprises have been experimenting with private, public and hybrid cloud models for their applications and data. Many organizations are now turning to the public cloud to meet their needs. The public cloud offers obvious advantages in terms of rapid scalability and cost effectiveness, but there are other reasons that it's growing more popular.
“Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers,” according to Gartner. Public cloud providers have invested heavily in improving their security postures and may be more secure than the on-premises alternative for some organizations.
This is partly due to the widening cybersecurity skills gap. Despite increased spending and visibility, an ESG study found that the percentage of respondents reporting a shortage of skills rose from 23% in 2014 to 51% in 2018. Faced with a lack of in-house talent, some companies are realizing that the expertise to stay on top of the current threat landscape may be found in the public cloud.
Shift to the public cloud
The hybrid cloud is the most popular approach right now, accounting for 67% of companies, according to the 2017 State of the Cloud Report from RightScale. But this is a period of transition, as companies shift from private to public.
While just 40% of companies in a recent McKinsey study have more than 10% of their workloads on public-cloud platforms today, 80% of them plan to have more than 10% of their workloads in public-cloud platforms in three years or plan to double their cloud penetration.
As they make the shift, there's a need to understand the challenges and develop the right strategy. Moving on-premises workloads to the public cloud isn't straightforward. Existing security policies and practices won't necessarily be effective anymore. Even after reconfiguring existing controls, there's a serious danger of gaps in visibility between workloads and cloud platforms.
Formulating the right strategy
Since human error is often at the root of successful security attacks, automation is the way to go for a seamless cloud migration. But first, organizations must take the time to assess their status. Think about apps, operations monitoring, data encryption, identity and access management (IAM), server-side and user end points. Don't forget to factor in regulatory governance, particularly with the European Union's General Data Protection Regulation (GDPR) coming into effect.
These areas are set to see considerable change within the next few years. For example, while 60% employ on-premises IAM solutions today, according to McKinsey, within three years 60% expect to be relying on a third-party IAM service that supports multiple public-cloud environments.
While the current situation is important, anticipating future needs is the key to designing a solid strategy. Another crucial element to consider is your choice of model for perimeter security.
Cleansheeting is the right model for perimeter security
Many companies currently route traffic through on-premises networks, which allows them to continue leveraging familiar security tools. Adopting CSP-provided controls is another short-term solution. But forward-thinking organizations are designing virtual perimeters, adopting what McKinsey calls a “cleansheeting” approach whereby they cherry-pick the best perimeter-security solutions they can identify. This approach to design is all about creating a system that draws on the best-in-class services for everything from your web application firewall to your network monitoring.
Selecting the right vendors and successfully integrating their controls can be time-consuming and expensive. It also requires considerable cybersecurity expertise for best results. Despite the difficulties, 47% of companies plan to adopt cloud-specific controls in the next three years, according to McKinsey. This move is driven by a need to support multi-cloud environments and the importance of being able to easily replace point solutions.
Enterprises need to be free to adopt and exploit the latest technologies, but as environments grow more complex, maintaining visibility and control is increasingly challenging. Gartner suggests that by 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures.
It's vital to establish continuous configuration analysis and vulnerability visibility across hybrid infrastructures to realize comprehensive preventive security. A successful public cloud adoption requires a secure foundation that a hybrid cloud-aware security architecture can provide.