When a central Tennessee university wanted to move to the cloud, the project quickly stalled when the IT security and networking teams couldn’t agree on an architecture strategy.
At issue, said a systems administrator involved in the process, was that the teams weren’t familiar with how to secure data and applications on the various public cloud platforms they wanted to use.
“AWS and Azure leave things open about how you want to secure your cloud environment,” he said.
“It takes a lot longer to figure out how to implement security in their public cloud services because [each has] a whole new [set of configurations] to learn.”
That’s problematic for an organization with a lean IT staff that’s already strapped for time, he said.
The university isn’t the only organization struggling. In the Cybersecurity Insiders 2019 Cloud Security Report, an overwhelming 93% of companies reported being at least moderately concerned about public cloud security. Approximately 29% of companies said a lack of integration with on-prem security technologies constituted their biggest operational challenge with protecting cloud workloads.
The problem is that if a company wants to fully secure its data and applications in the cloud, it needs people with in-depth knowledge of how to configure all the security features available from each cloud platform provider, said Harold Bell, a cloud security content expert at Nutanix. That’s a tough task when each platform has proprietary features and different configuration processes, he said. Respondents to the 2019 Cloud Security Report cited cloud platform-specific tools knowledge and skills most often (47%) as the top security skill needed in their organization.
There is a misconception of roles and responsibilities in the public cloud, according to Mike Wronski, director of product marketing at Nutanix.
“The public cloud doesn't secure your applications for you,” he said.
“The providers secure their infrastructure, but they don't ensure that the services are implemented securely. They leave that up to the customer.”
A customer is expected to know how to properly configure the cloud services to extend its security policies to a given provider’s infrastructure, which entails a learning curve for each platform, Wronski said.