The ‘Frankencloud’ model is our biggest security risk

Recent testimony before Congress on the massive SolarWinds attacks served as a wake-up call for many. What I saw emerge from the testimony was a debate on whether the public cloud is a more secure option than a hybrid cloud approach.

The debate shouldn’t surround which cloud approach is more secure, but rather which one we need to design security for. We — enterprise technology providers — should be designing security around the way our modern systems work, rather than pigeonholing our customers into securing one computing model over the other.

An organization’s security needs to be designed with one single point of control that provides a holistic view of threats and mitigates complexity.

The SolarWinds attack was successful because it took advantage of a vast, intermixed supply chain of technology vendors. While there are fundamental lessons to be learned on how to protect the code supply chain, I think the bigger lesson is that complexity is the enemy of security.

The “Frankencloud” model

We’ve seen our information technology environments evolve into what I call a “Frankenstein” approach. Firms scrambled to take advantage of the cloud while maintaining their systems of record. Similar to how Frankenstein was assembled, this led to systems riddled with complexity and disconnected parts put together.

Security teams cite this complexity as one of their largest challenges. Forced to rely on dozens of vendors and disconnected security products, the average security team is using 25 to 49 tools from up to 10 different vendors. This disconnect is creating blind spots we can no longer afford to avoid. Security systems shouldn’t be piecemealed together; an organization’s security needs to be designed with one single point of control that provides a holistic view of threats and mitigates complexity.

Hybrid cloud innovations

We’re seeing hybrid cloud environments emerging as the dominant technology design point for governments, as well as public and private enterprises. In fact, a recent study from Forrester Research found that 85% of technology decision-makers agree that on-premise infrastructure is critical to their hybrid cloud strategies.

A hybrid cloud model combines part of a company’s existing on-premise systems with a mix of public cloud resources and as-a-service resources and treats them as one.

How does this benefit your security? In a disconnected environment, the most common path for cybercriminals to compromise cloud environments is via cloud-based applications, representing 45% of cloud-related incidents analyzed by our IBM X-Force team.

Take, for instance, your cloud-based systems that authenticate that someone is authorized to access systems. A login from an employee’s device is detected in the middle of the night. At the same time, there may be an attempt from that same device, seemingly in a different time zone, to access sensitive data from your on-premise data centers. A unified security system knows the risky behavior patterns to watch for and automatically hinders both actions. If these incidents were detected in two separate systems, that action never takes place and data is lost.

Many of these issues arise due to the mishandling of data through cloud data storage. The fastest-growing innovations to address this gap are called Confidential Computing. Right now, most cloud providers promise that they won’t access your data. (They could, of course, be compelled to break that promise by a court order or other means.) Conversely, it also means malicious actors could use that same access for their own nefarious purposes. Confidential Computing ensures that the cloud technology provider is technically incapable of accessing data, making it equally difficult for cybercriminals to gain access to it.

Creating a more secure future

Cloud computing has brought critical innovations to the world, from the distribution of workloads to moving with speed. At the same time, it also brought to light the essentials of delivering IT with integrity.

Cloud’s need for speed has pushed aside the compliance and controls that technology companies historically ensured for their clients. Now, those requirements are often put back on the customer to manage. I’d urge you to think of security first and foremost in your cloud strategy and choose a partner you can trust to securely advance your organization forward.

We need to stop bolting security and privacy onto the “Frankencloud” environment that operates so many businesses and governments. SolarWinds taught us that our dependence on a diverse set of technologies can be a point of weakness.

Fortunately, it can also become our greatest strength, as long as we embrace a future where security and privacy are designed in the very fabric of that diversity.

Read More