Over the last year we’ve seen many headlines about cloud breaches targeting companies and exposing people’s sensitive data, including breaches at Adobe and Marriott Hotels and, of course, the infamous Capital One breach. In fact, attacks targeting cloud-based data nearly doubled in 2019 compared to the year before.
What some people may not understand is that these breaches don’t happen because of weak cyber defenses; they happen due to the lack of adequate governance and security policies in multi-cloud environments.
And multi-cloud environments are now the norm. In fact, 81% of enterprises today have a multi-cloud environment, using an average of five different clouds. Unfortunately, the agility, flexibility, scalability and affordability cloud provides can come at the expense of security. This is because a multi-cloud approach adds many layers of complexity to IT infrastructure management, complexity that can result in unanticipated vulnerabilities and unenforced policies.
IT departments handle much more than security and governance. They must also manage multiple on-prem, private and public cloud resources, develop and enact provisioning processes for resource deployment, and maintain visibility across the system—all while keeping costs under control. Often called on to work with limited resources, IT faces challenges handling this scope of responsibilities while simultaneously ensuring broad organizational compliance with security and governance policies and practices.
These limitations have consequences. The Capital One breach, for example, resulted from a relatively simple firewall misconfiguration. That one oversight resulted in the theft of private data affecting 100 million people and incalculable damage to the Capital One brand.
At the end of the day, no matter how many tools you have or policies you put in place, the people using these tools and supposedly following these policies determine whether or not your company becomes another headline. As Gartner puts it:
“The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.”
The perils of governance in multi-cloud infrastructures
Cloud governance encompasses the policies and processes organizations establish to safely and effectively operate in the cloud. These policies dictate things such as who can access assets and for what reason, and establish organizational protocols for protecting against malicious attacks. They also set rules governing user accounts, audit trails, encryption key management, asset configuration, multi-factor authentication, passwords and data recovery.
Governance is critical in any IT ecosystem, but, as we have indicated, making it happen is easier said than done. Effective governance relies on adherence to policies on the part of the human beings employed by your organization. Unfortunately, as we all know, human beings make mistakes.
Whenever you rely on individuals following policies to the letter or consistently maintaining established processes, your policies and processes may fall prey to human error. Many organizations understand this, and they force users to go through IT for access to properly configured resources or for access to vetted and sanctioned tools. However, this can frequently make IT an inefficient bottleneck, a choke point that frustrates users and throttles innovation.
This inefficiency and poor user experience make things worse, not better. Frustrated users will often simply decide to go around IT and procure the resources they need on their own. This drives the growth of shadow IT, making security and governance, not to mention cost control, more difficult or even impossible to manage.
Intelligent automation for fail-safe governance
Luckily, today’s cloud management platforms (CMPs) can automate much of your governance, taking the burden off IT and preventing costly human errors. Intelligent automation ensures that resources accessed are appropriately configured to fit both the role and requirements of the end user, as well as the needs of the business. With intelligent automation, IT teams can build guardrails into provisioned resources that cover everything from access privileges and how long provisioned resources remain available to usage quotas and even expiration dates for unused or rogue resources.
Once you load your rules and policies onto your CMP, it can address violations automatically with preconfigured processes. The CMP can notify key personnel, terminate nonconforming assets, revoke account access, and request approval before allowing events to take place. Because you’re no longer relying on human beings to follow policies and procedures, these automated responses eliminate the potential for human error resulting in costly breaches, waste or regulatory noncompliance.
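The rule-to-response loop described above, sketched as an added example; it is not code from any CMP product. The resource fields, role names, quota figures and action names are all assumptions chosen to mirror the guardrails and responses listed in the text.

```python
from dataclasses import dataclass

QUOTA = {"developer": 500.0, "ops": 5000.0}  # assumed monthly spend cap per role
MAY_EXPOSE = {"ops"}                         # assumed roles allowed to open public ingress

@dataclass
class Resource:  # hypothetical inventory record, not a real CMP schema
    name: str
    role: str                # role of the user who provisioned it
    age_days: int
    ttl_days: int            # how long the resource may remain available
    monthly_cost: float
    ingress: tuple           # CIDR ranges allowed through the firewall
    approved: bool = False   # has a reviewer signed off on public exposure?

def evaluate(res):
    """Return (violation, response) pairs for one resource."""
    findings = []
    if res.age_days > res.ttl_days:
        findings.append(("expired", "terminate"))
    # Unknown roles get a quota of 0, so they are flagged rather than ignored.
    if res.monthly_cost > QUOTA.get(res.role, 0.0):
        findings.append(("over_quota", "notify"))
    if "0.0.0.0/0" in res.ingress:
        if res.role not in MAY_EXPOSE:
            findings.append(("public_ingress_outside_role", "revoke_access"))
        elif not res.approved:
            findings.append(("public_ingress_unapproved", "request_approval"))
    return findings

def enforce(inventory):
    """Map each resource name to the ordered responses its violations trigger."""
    return {r.name: [action for _, action in evaluate(r)] for r in inventory}

INVENTORY = [  # constructed sample data
    Resource("build-agent", "developer", 45, 30, 120.0, ("10.0.0.0/8",)),
    Resource("test-db", "developer", 5, 30, 80.0, ("0.0.0.0/0",)),
    Resource("edge-proxy", "ops", 10, 90, 900.0, ("0.0.0.0/0",)),
    Resource("analytics", "developer", 3, 30, 740.0, ("10.0.0.0/8",)),
    Resource("web-frontend", "ops", 10, 90, 300.0, ("0.0.0.0/0",), approved=True),
]

if __name__ == "__main__":
    for name, actions in enforce(INVENTORY).items():
        print(f"{name}: {actions or ['compliant']}")
```

The same rule set runs on every resource regardless of who provisioned it, which is the point of moving enforcement out of individual hands.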
It goes without saying that you need to have governance, but policies don’t matter if you don’t have a way to ensure they are followed. There is no longer any reason to continue placing the burden of governance enforcement on IT departments when a CMP can do it much more effectively and without draining IT resources. Let your IT focus its time and energy on tasks that bring more value to the organization, such as supporting digital transformation and optimizing time to value, and you can sleep better at night knowing you won’t become another headline.