Bridging the Delivery Divide between Cyber and Multicloud
In this article
Financial services organizations are plagued by having to secure sensitive data and assets from ever-advancing cyber threats, and this challenge is maximized when having to do so across multiple cloud environments.
As these institutions continue to accelerate multicloud adoption, and data and assets are increasingly distributed across multiple shared environments, the roles and responsibilities of cloud and cybersecurity teams are forced to overlap and intertwine, which adds another layer of complexity.
On one side, we have application owners who have speed and agility in mind as the adoption of this new model of digital delivery unfolds. But in the eyes of the delivery teams, traditional cybersecurity tools and processes are perceived as slow, expensive and anything but agile. At the same time, cybersecurity teams have a critical responsibility to protect the infrastructure at large, so will generally be resistant to using each cloud services provider's (CSP) cloud-native security tools.
This is all understandably so, but it creates a major divide between the cybersecurity stakeholders and the multicloud stakeholders, defeating the entire purpose at hand, which is to secure the environment and protect critical data and assets.
What it boils down to is a lack of understanding, and therefore trust, by banking CISOs and cybersecurity stakeholders when it comes to CSP-native and cloud-native security tools.
First, it's important to distinguish CSP-native security tools from cloud-native security tools.
Cloud-native security refers to security measures and controls that are specifically designed to protect applications and infrastructure that are developed, deployed and operated in a cloud-native environment, which is one that is built on modern cloud computing technologies, such as containers, microservices and server-less architectures.
As for CSP-native security tools, each of the major CSPs (AWS, Azure and GCP) offer very good security tools that are built natively for their services. But, while these cloud-native tools are great inside their respective native CSP, they are limited to a single CSP. This can get kind of tricky for a financial services organization that leans on multiple CSP environments, but cloud teams tend to see the bigger picture.
The cybersecurity teams responsible for securing a financial services organization have solid cause to object if you see things from their perspective. Let's take a look at some reasons why cloud-native security tools aren't being warmly embraced by the security team:
- Compliance pressures: Financial institutions are subject to strict regulatory requirements, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). The security of customer data stored or accessed across multiple CSPs presents unique challenges that CSP-native tooling do not address when customer data are accessed in multiple environments.
- Security concerns: Banks hold personal financial information and transaction records, making them a prime target for cyber attacks. Without proper understanding, it's easy to believe that cloud-native security tools do not provide adequate protection for such sensitive data.
- Lack of control: Cloud-native security tools are often provided by cloud service providers and managed by cloud teams, which can create a sense of loss of control for stakeholders, whereas on-premise security solutions appear more manageable and easier to control.
- Lack of interoperability: Cloud providers often design their security tools to work optimally within their own platforms, which can create interoperability issues when trying to secure multiple cloud systems; this may seem to present security gaps and an inability to gain a comprehensive view of security functions across all cloud environments.
- Limited coverage: Cloud-native security tools typically provide coverage for only a specific set of security concerns, such as network security or identity and access management; this can leave other critical areas uncovered, such as data protection or compliance.
- Complexity: Deploying and managing multiple cloud-native security tools across multiple cloud platforms can be complex and time-consuming, and it opens the possibility of operational inconsistencies and an increased risk of misconfigurations or human error.
- Cost: While cloud-native security tools are often included in the cost of the cloud platform, they may not be cost-effective for enterprises using multiple cloud providers.
Just as cybersecurity teams' hesitancies are justified, we also must understand why cloud stakeholders will not accept the status quo of using traditional security tools and processes to secure a multicloud infrastructure. Cloud technologies are intended to increase simplicity, speed and agility, and traditional security methods are counterintuitive to this in more ways than one.
On the frontlines within our banking clients' organizations, we commonly hear cloud teams say that the cybersecurity teams just don't get it and that they are trying to deploy virtual instances of data center firewalls in each separate cloud environment. The use of traditional monolithic virtual machines running a firewall instance inside the cloud provider, alone, is enough to cause a divide between cybersecurity and cloud teams.
From a cyber perspective, virtual firewalls may seem like an easy and convenient way to secure cloud-based resources; however, the cloud team knows that deploying them in the cloud has its downsides:
- Limited visibility: Virtual firewalls in the cloud control ingress/egress traffic and lack visibility into network traffic that occurs between cloud resources.
- Scalability challenges: Virtual firewalls may struggle to keep up with the dynamic nature of cloud environments, where resources are constantly added, removed and resized; this can lead to performance and security control issues across a rapidly changing infrastructure.
- Complexity: Deploying virtual firewalls in the cloud adds a layer of complexity to an environment built to remove infrastructure complexity.
- Cost: Virtual firewalls can be expensive to deploy and maintain in the cloud as providers often charge for network traffic processed by virtual firewalls.
The good news for everyone is that the security landscape for multicloud security has matured significantly. It's now entirely possible to fulfill security requirements at the speed of modern business evolution with a consistent operational model, all at a comparable cost to CSP-native security tools.
Cloud-native security software designed and developed to provide true multicloud and cloud-native security models for operational consistency and interoperability is available and the offerings have matured.
It doesn't have to be all or nothing. There are such things as a multicloud security approach that uses specialized tools and services designed to provide comprehensive security coverage across all cloud environments while also addressing the unique challenges of multicloud security.
Cloud-native security considers the dynamic nature of cloud environments, where resources are constantly being added, removed or modified. It also considers the distributed nature of cloud systems, where applications and services may span multiple cloud providers and regions.
Cloud-native security includes a wide range of security measures, such as Cloud Security Posture Management (CSPM), Cloud Identity & Entitlement Management (CIEM), Cloud Workload Protection Platforms (CWPP), Data Security Posture Management (DSPM), Data Classification, Policy as Code, Secrets Management, and others.
Cloud-native benefits include the ability to automate security processes and integrate them into the overall application lifecycle. By embedding security into the development and deployment process, cloud-native security enables the cloud and cyber teams to detect and respond to security threats in real-time, reducing the risk of data breaches and other security incidents.
Ultimately, it's the CISO and the cybersecurity team who own accountability for protecting a bank's sensitive data and assets, but in a multicloud environment, it's imperative to entrust mindshare from the cloud team.
While resistance to CSP-native security tools is justified, relying on the same tools used to secure the on-premises data environment is a bad idea. But it's also unwise to hand everything over to multiple CSPs with a hands-off approach. Enforcing a collaborative effort between cloud and cyber teams, so that they can pull from what they know to achieve the best of both worlds, is the right way to go. Here are some ways to make this happen:
- Communication -The key to bridging the divide between the cyber and cloud teams is communication. CISOs should make sure cyber and cloud teams work closely to understand each other's needs and concerns and to provide guidance on security best practices and policies.
- Education - CISOs should provide education and training to cloud teams on the organization's security policies and procedures as well as share the threats and risks facing the organization and why a consistent security model is required. Helping the cloud teams understand the limitations of CSP-native tools will develop a teamed interest so the cyber team can address security needs while maintaining the benefits of going to the cloud.
- Collaboration - CISOs should collaborate with cloud teams to identify and address security risks and vulnerabilities in the cloud environment; this can include conducting regular security assessments and audits, and implementing security controls to mitigate risks.
- Cooperation - CISOs and cloud delivery teams should team together to select cloud-native tools that work across all CSPs and help the organization achieve compliance and security requirements at the speed of the business.
The way to bridge the divide between multicloud delivery and cybersecurity is by both teams communicating, educating, collaborating and cooperating to build a multicloud native security environment.
The cloud-native software ecosystem has matured, so you need a collaborative strategy that will bridge the current divide and foster symbiosis between the cyber and cloud teams so that your organization's cloud security goals are achieved.