At the moment, it feels like every company is moving its IT to the cloud or is more or less forced to do so by the providers. You often read that the whole thing will be easier and more secure when switching to the cloud – the cloud provider will take care of it. However, the whole thing can become a challenge in terms of security, especially if several cloud providers have to be administered at the same time.
Christine Schönig from Check Point Software Technologies has dealt with the topic of cloud security and written down a few thoughts. I didn't want to withhold these from readers entirely, because some of the boundary conditions are likely to cause us a few more headaches in the future.
Cloud environments are very different from traditional data center infrastructures. As a result, traditional security solutions and approaches are not always likely to work effectively in the cloud. Most enterprises also use a multi-cloud environment with multiple providers. While this allows them to take full advantage of the unique benefits of different cloud approaches optimized for specific use cases, the cloud is not always the best choice. A side effect is that it also increases the scale and complexity of cloud connectivity. As a result, many enterprises face significant challenges in securing their cloud infrastructure:
- Handle multi-cloud: According to the Cloud Security Report 2022, 76 percent of organizations use two or more cloud service providers, and as many as 24 percent use more than five cloud providers. This complexity makes it difficult to consistently monitor and secure all cloud environments. In addition, more than half of enterprises believe that cloud providers' integrated security offerings are not as effective as third-party solutions.
- Lack of qualified staff: There is a significant skills shortage in IT security and specialized professionals are even harder to find. As a result, less than half of organizations (45 percent) can find qualified personnel to manage critical cloud security functions. The lack of staff knowledge and expertise also complicates cloud compliance, requiring knowledge not only of the controls required, but also of how to implement them in cloud environments. More than half (55 percent) of organizations say this lack of combined knowledge about regulations and the cloud itself is the biggest challenge.
- Regulatory compliance: Most organizations are subject to many different compliance regulations, while the regulatory landscape is rapidly expanding. Because of the move to the cloud, 39 percent of organizations say achieving, maintaining and demonstrating compliance in this highly diverse IT environment is a major challenge. They also say it is difficult to establish consistent security policies. When using multiple cloud environments, organizations are also faced with a variety of different integrated tools and settings. As a result, 32 percent of organizations feel that maintaining consistent security policies across their cloud infrastructure is a hurdle. In addition, compliance audits and risk assessments are an important consideration. These can already be a bit of a pain on-premise, where the company owns and controls all of the infrastructure; in the cloud, with its limited access to the underlying infrastructure, cleanly managing the process is a challenge, 42 percent of companies say. [Note: Uncertainties around compliance with the GDPR when accessing cloud providers outside the EU are not addressed at all in the text above.]
- Lack of oversight: Cloud implementations operate on a shared responsibility model because responsibility for IT security is split between the cloud provider and the customer. The former protects the infrastructure, the latter has to guard its data and applications independently. Without visibility and control at the lower levels of the infrastructure, and without the ability to deploy traditional security solutions, 35 percent of enterprises struggle to make security fit.
Each cloud platform has its own security configurations and most enterprises work with multiple cloud providers. For 33 percent of enterprises, the complexity of their cloud environments makes it challenging to quickly identify and correct misconfigurations before they can be exploited by an attacker.
The expansion of multi-cloud infrastructure also increases a company's digital attack surface. Constantly checking cloud applications for vulnerabilities is therefore essential. However, this vulnerability management is almost impossible for many companies to manage.
Automating cloud security
Continuous and automated security controls are essential to minimize the risk and impact of IT attacks on cloud-based structures. However, 31 percent of organizations struggle to implement these automated controls.
The scale of multi-cloud environments makes it impossible for them to manually configure and enforce security across the entire environment. Automated enforcement has become inevitable for this reason, but is cited as a hurdle by 28 percent of enterprises.
Advantages and disadvantages
A cloud-based IT infrastructure can bring significant benefits to an organization, according to Check Point. That's because it offers greater flexibility and scalability, as well as the ability to reduce costs and congestion by outsourcing the management of much of a company's infrastructure to the cloud provider.
However, these benefits also come with costs and the effort to get through the challenges. As organizations move from on-premise environments to cloud-based infrastructure, they must integrate their cloud deployments with their existing security policies and architectures. The significant differences between on-premise and cloud-based infrastructures can make this a fairly arduous undertaking, which is why automating management and consolidating IT security architecture is highly recommended. However, the benefits after the thoughtful transition are unbeatable.