Cloud can mean better security, not less security
Blog: Capgemini CTO Blog
The benefits of cloud and automation are clear to a huge number of businesses, but security concerns continue to slow down access to the full business value they promise.
Seventy-four percent of IT leaders say security concerns have restricted their move to public cloud, and in a recent IDG survey of IT directors and CIOs, security topped the list of barriers impeding or stalling cloud infrastructure deployments.
Cloud security concerns fall into three broad types:
- Data breaches: Using a range of cloud services without tight identity and access control can leave enterprise data vulnerable to theft. A study by Blue Coat Systems found 26% of documents stored in cloud apps were shared so widely that they posed a security risk.
- Malware injections: Malicious scripts or code embedded into cloud services that act as “valid instances” and run as SaaS to cloud servers are often used to gain access to other, integrated systems or to steal data.
- Ransomware attacks: Cloud computing businesses are attractive targets for ransomware attacks because of the sheer volume of valuable data they handle, and the tight SLAs they have with their customers. Ransomware targeting cloud services is one of the six biggest cyber threats likely to face organizations in 2018, according to the Massachusetts Institute of Technology.
Beating security challenges with cloud automation
While these concerns are legitimate, businesses simply cannot afford to let security challenges hold them back from embracing cloud technology, especially since cloud also offers security advantages.
Cloud automation, in particular, can provide built-in solutions to many common cloud and traditional security concerns. The Capgemini report surveyed IT leaders from 415 companies in North America, Europe, and Asia Pacific, at various stages of applying automation to their IT operations, and found many are gaining significant security advantages.
“We are driving an ‘intelligent security’ strategy—fundamentally rethinking the way we do business that raises the bar for technology, and automation is a major element in our strategy,” said Jens Ekberg, Vice President for Technology and Transformation at Securitas, a Sweden-based security services firm.
Rather than fixating on the basic security concerns surrounding public cloud, business and IT leaders should be thinking about how they can use cloud technology to automate their security processes for cloud solutions. Virtually risk-free security is achievable using new solutions such as security as code (SaC) and infrastructure as code (IaC) architecture to automate security processes.
Deploying SaC/IaC automation correctly can help a business:
- Achieve better security by design, and make security a key priority right from the beginning of conceptualization and development
- Enable more stringent quality checks to identify vulnerabilities before deployment
- Automate deployment processes and free up deployment resources to focus on enabling higher levels of security
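As an added illustration of the pre-deployment quality checks listed above (this is not code from the Capgemini report or blog), the following Python gate evaluates a deployment plan and blocks it on over-shared storage, wildcard access policies, and administrative ports open to the internet. The resource schema, rule set, and all names are hypothetical and constructed for this example.

```python
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def check_bucket(r):
    findings = []
    # Fail closed: a setting missing from the plan is treated as unsafe.
    if r.get("public_access", True):
        findings.append("bucket is publicly readable")
    if not r.get("encrypted", False):
        findings.append("bucket is not encrypted at rest")
    return findings

def check_iam_policy(r):
    # Flag allow-statements that grant every action on every resource.
    return ["policy allows every action on every resource"
            for s in r.get("statements", [])
            if s.get("effect") == "allow"
            and "*" in s.get("actions", []) and "*" in s.get("resources", [])]

def check_firewall(r):
    # Flag administrative ports reachable from any address.
    return [f"admin port {rule['port']} open to the internet"
            for rule in r.get("ingress", [])
            if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") in ADMIN_PORTS]

CHECKS = {"bucket": check_bucket, "iam_policy": check_iam_policy, "firewall": check_firewall}

def evaluate(plan):
    """Return sorted (resource name, finding) pairs for a list of resource dicts."""
    results = []
    for r in plan:
        name, check = r.get("name", "?"), CHECKS.get(r.get("type"))
        if check is None:  # unknown types are flagged, never silently skipped
            results.append((name, "no policy defined for this resource type"))
        else:
            results.extend((name, f) for f in check(r))
    return sorted(results)

def deploy_allowed(plan):
    """The pipeline gate: deployment proceeds only when there are no findings."""
    return not evaluate(plan)

# Constructed sample plan in a hypothetical, tool-neutral schema.
SAMPLE_PLAN = [
    {"type": "bucket", "name": "reports", "public_access": True, "encrypted": True},
    {"type": "bucket", "name": "backups", "public_access": False},  # encryption unset
    {"type": "iam_policy", "name": "ci-deployer",
     "statements": [{"effect": "allow", "actions": ["*"], "resources": ["*"]}]},
    {"type": "firewall", "name": "web", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
]
```

Run as a pipeline step, `deploy_allowed` returning `False` would stop the release and `evaluate` supplies the findings to report back to the development team.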
Building security into code with DevSecOps
DevOps has proven to be a very beneficial approach for companies adopting cloud technology. Adding security to the mix makes it even stronger. DevSecOps automates core security tasks by embedding security controls and processes into the DevOps workflow, putting security front and center throughout the development and deployment process.
Security as code is one of the three main ways of upgrading DevOps to DevSecOps. The concept ensures security is integrated into products during development, and promotes tight collaboration between security and development teams – the same kind of collaboration that has made DevOps such a successful and broadly adopted approach.
For businesses still hesitant about the security of cloud technology, it’s time to zoom out and see the bigger picture. The flexibility of cloud is fundamental to collaborative and automated development and deployment processes, and now companies can weave security into that same fabric, ensuring consistent protection against the very threats that many believe the public cloud will leave them exposed to.