Pain-Free Cloud Security Transformation? There’s No Such Thing

Seemingly all companies today prioritize cloud security as part of a comprehensive cybersecurity strategy, and for good reason. The proliferation and sophistication of cyberattacks bring endless possibilities for hackers to steal and misuse data at a pace previously unimaginable. Ransomware alone rose more than 100 percent in volume globally in 2021, and the expectation is that with such “success,” the rate of attacks will only grow in 2022.

Yet, too many enterprises and smaller companies still struggle with the transformation to the cloud because of the variables that come along with choosing the best product. Lack of awareness about the complexities with the switch, namely technology-related issues and typical adjustments needed to workflows and processes, also contributes to the confusion. Adding to the quandary is the existence of very few companies that are dedicated to cloud security as opposed to general cybersecurity products.

None of these challenges surprise Amit Kandpal, a cloud security specialist at Netskope. Kandpal believes the primary problem for too many executives today is the assumption, or perhaps even false promises, made by some software security companies. These are the folks that claim their transformation to cloud-based operating systems (and the security initiatives inherently required) will be without much effort or significant adjustments.

“Most marketing content promises instant, pain-free value for their products and solutions, but that doesn’t exist,” says Kandpal. “In fact, too many companies today, especially smaller companies that have smaller staffs, find the transformation to the cloud to be a painful struggle because of the many variables that are likely to impact the performance of the final product.” As a result, too many companies are unprepared for their shift to the cloud as well as the associated tradeoffs related to the transformation process. There are, however, efforts that can be made to avoid certain pitfalls and to improve the likelihood that conversion to the cloud is more productive than nuisance.

Assessing cybersecurity and marketplace needs

The landscape of cybersecurity has evolved to the point that cloud security has become a subset of cybersecurity. Today, most businesses are employing at least a portion of their staff remotely—a reality that has been hastened by the COVID-19 pandemic. Long gone are the days when most employees operated through onsite systems that held all secure data and other resources in-house. Simply put, if you are going to operate a business today, you will most likely need to be on the cloud. And thus, you’ll need cloud security.

Cloud itself also represents one of several mega trends that are currently common among businesses that are driving the need for more security, according to Kandpal. These services include the Secure Web Gateway, Cloud Access Security Broker and Zero Trust Network Access. A 2021 global poll of 150 business and IT professionals by the data virtualization firm Denodo found that the percentage of businesses moving their workloads to the cloud spiked 25 percent (from 15.48 percent in 2020 to 19.59 percent), despite the threat of security hacks and a lack of skills among cloud users.

This essentially places an onus on executives to commit to the cloud, despite any uncertainties they might have. Trends show that most are opting to purchase pay-as-you-go services (35 percent) while self-service products and those that offer minimal IT dependency account for 25 percent of purchases, according to the Denodo survey. This underscores the importance of consumers to conduct industry research because cloud storage is more challenging to keep secure. Applications and data have moved out of the smaller “bin,” i.e., the office space. DropBox is one example of this shift. With the shift to the cloud, everything is outside the company, making it much more vulnerable. Everything is online, which means security must be delivered from the cloud as well. “There’s more data in more places now than there has ever been before for the ‘bad guys’ to gain access to,” Kandpal says. “And that brings into consideration a lot of complexity.” The result is a collective consolidation among vendors in which they attempt to offer comprehensive security software. “From what I have seen, customers do not understand the tradeoffs of that entire process,” Kandpal said.

The role of vendors and products  

One common tradeoff is often taken for granted: companies must be able to analyze multiple technologies much more quickly than they would prefer. Additional tradeoffs include the need to adhere to more compliance standards and additional staff training. Other variables of the transformation to cloud that must also be heavily weighed include the “4 Cs”: cost, coverage, context and convergence between networking and security. Examples, according to Kandpal, include:

• Context. Instead of just blocking and allowing certain applications based on a static list, the decision now is to allow a certain subset of activities, such as uploading but not downloading, based on considerations including user identity, location, pattern of recent activities and sensitivity of data involved.
• Coverage. The solution must be comprehensive and be able to apply logic or policies consistently across devices, locations, and technologies.
• Convergence. The distinction between networking and security is increasingly blurred and will continue to be. Interesting new principles and categories include Secure Access Service Edge and Security Service Edge.
• Cost. Integrated solutions could be more manageable and cost less to deploy and run on an ongoing basis.

Additionally, most major vendors have varying viewpoints that are influenced by the respective strengths of their products and services, says Kandpal. “Vendors can spin information for their own agendas. It’s not always in their best interest to talk about how complex things are.” Despite these tendencies, Kandpal believes that the behavior of most vendors is not to be deceitful, but to be overly optimistic about the capabilities of their products and services. “It’s just the nature of the sales market,” he continues. “Nobody is incentivized to say that their product is complex. The reality of the situation is that things are still evolving and sometimes that requires vendors to gather feedback from customers to help their prospects to understand what the tradeoffs might be to using their products.” But is everyone taking the time to collect that feedback? In one word: no.

Keys to security success

Presumably, executives are attempting to make informed decisions when converting to the cloud, much like for any business decision. But are they gathering enough in-depth information? “There seems to be a lack of understanding of the market and the tradeoffs,” Kandpal says. “You need to try to understand how your business will function within the cloud space before you make the transition. “If you know your company’s goals five years out, those goals need to be translated into cybersecurity goals. Are performance and stability most important to you, or is it something else? Often, I see decisions that are not well thought out.”

Helpful benchmarks to facilitate the transition include:

• Articulating key security strategies internally and with vendors
• Agreeing on key metrics and timelines with vendors
• Ensuring appropriate internal and external resources
• Investing in solution training and enablement
• Managing internal resource transitions.

“I’ve worked with hundreds of customers on cloud security, and I think there are two reasons that people do not understand the tradeoffs,” Kandpal says. “One: technology changes so fast that if you are not part of the population that makes a living in this space, things are just too complex. And, two: it’s a very valuable market. There is incentive to create demand for the services that you provide. It all adds up to complex technology that is rapidly changing. But you need to figure out how to face the various consequences.”

The time for transition is now

All companies can decrease the probability of cyberattacks with the appropriate security measures. But despite the complexity that technology inherently possesses, too many business executives expect an easy transition to the cloud. Complications await those who take too simple of an approach to this critical need. By conducting market research, observing trends, planning appropriately, and setting parameters for success, companies can reduce the odds for complications while improving their chances of avoiding various types of security breaches.