Starbucks made a bold bet on the cloud years ago, creating a unified platform for both commerce and customer loyalty. Today it embodies a “digital flywheel” built around the Starbucks mobile app, and it’s something I was intimately involved in creating as the company’s principal security architect and then director of cloud engineering.
The move to the cloud represented a pivotal decision for the company –which by that time had been around for decades – to shift critical and compliant workloads off premises and into a new environment. The new chief technology officer at Starbucks had recently spearheaded Adobe’s similarly momentous transition from a purveyor of packaged applications to an innovative SaaS subscription provider. She was also a strong proponent of the cloud’s promise of innovation and speed.
For both companies, that cloud embrace was a success.
I bring up these high-profile examples to make a point: While it worked out, success wasn’t guaranteed. It turns out managing security and maintaining compliance in a cloud environment takes hard work. It’s especially hard for companies trying to shift existing, mission-critical workloads from on-prem to public cloud. These two environments have dramatically different profiles from a security perspective, and the practices, policies and infrastructure that companies have spent years developing around relatively static datacenter environments don’t work when it comes to the fluid, interconnected nature of the cloud.
The cloud presents three challenges: Fluid cloud environments make gathering necessary technical evidence more difficult; limited visibility into complex cloud infrastructure makes it harder for CISOs to monitor and report on risk profiles; and compliance efforts can’t keep up with the cloud’s ultra-fast product development cycle. For CISOs and their teams, the security models they’ve spent years maturing no longer apply.
In short, cloud security often entails starting from scratch.
This puts CISOs in an awkward, no-win situation: Either live with the knowledge and risk of DevOps outpacing security and compliance in the cloud, or become a blocker, slowing cloud innovation out of concern over compliance and security.
I see this reality on the ground in talking with many companies, where cloud innovation has been limited to new opportunities, typically peripheral to the business, while central mission-critical workloads remain locked down in the data center. In essence, security teams make a devil’s bargain, blocking innovation on compliant workloads while living with risk at the margins.
Unfortunately, the risks and blocks on innovation are real. Companies accustomed to infrequent, monolithic software updates are ill-prepared for the light-speed cycles of cloud-native technologies such as containerization and microservices, not to mention the interconnectedness – and potential vulnerability – across internal and external APIs. The traditional paradigm around security and compliance simply can’t keep up. As much as security teams don’t want to block this cloud innovation, they do. They essentially set up a dam that’s overflowing and the risk leaks around the edges.
This isn’t an intractable problem, but solving it requires both a shift in organizational mindset and the strategic application of new technology solutions.
The shift in mindset has been much discussed in security circles: It’s a shift left so security and compliance become equal partners in DevOps. Security should not get addressed after DevOps completes primary development, rather it’s baked in from the beginning with DevSecOps teams taking joint responsibility. Products are not done until they are secure and compliant-by-design.
There’s another well-known maxim in security circles: Trust but verify. Security teams can’t take on faith that cloud initiatives are secure and compliant, they must get validated and demonstrated. That typically means certification with accepted security standards such as the Payment Card Industry Data Security Standard (PCI DSS) and Service Organization Controls-2 (SOC-2).
Which unfortunately brings us full circle in this discussion, because it’s hard to demonstrate cloud compliance. It takes a mind-boggling amount of manual labor from employees (engineers, developers, security teams and others) to complete. It distracts all this talent from work that otherwise moves the company forward. And the worst part: It’s never done – there are multiple standards, and certification happens year in and year out. Rinse and repeat.
Here’s where strategic application of technology comes in, because automation can now address this repetitive manual labor. Solution providers are tackling this from two different but related directions: Broader security risk and compliance management.
Gartner illustrates the risk aspect in their most recent hype cycle, pointing to an emerging category they define as SaaS Security Posture Management: Tools that continuously assess security risk and manage SaaS application security posture. On the compliance side, emerging solutions automate evidence collection for cloud environments, saving engineering teams from the manual labor of compliance audits while letting security teams assess and verify compliance as needed.
These emerging risk and compliance solutions deliver three of the following critical advantages for security teams in the cloud. These new cloud-native products are:
- Continuous.
Unlike point-in-time snapshots that are sufficient for monolithic software updates, the fast-paced and fluid nature of the cloud, requires constant monitoring for risk mitigation or compliance drift. That ensures risk and compliance assessments are current.
- Comprehensive.
Because cloud infrastructure is both amorphous and highly complex, traditional manual compliance audits rely on spot checks, taking a statistical sampling as a signifier for overall compliance. Similarly, security tools that aren’t designed for the cloud often leave an organization with blind spots. And those blind spots and non-compliant systems are exactly where bad actors can wreak havoc.
- Accurate.
Automation removes the human element from the equation, while making it easy to gather critical metadata that delivers added context and validation. This improves risk assessment and speeds mitigation, and equally ensures compliant systems and fast, smooth audits.
While it’s not easy to do cloud security and compliance, new tools and practices ensure it doesn’t have to block innovation, or significantly increase risk.
Scott Schwan, chief executive officer, Shujinko