Cloud security is still a work in progress

0
136

As a cloud architect, I am amazed that cloud security is still so hard. We’ve had identity access management (IAM) for more than a decade. Now we have deep encryption services, key management, and most recently, zero trust and secure access service edge (SASE). Note that zero trust and SASE are terms defined by Forrester Research and Gartner, respectively, and not by groups of security solutions providers.

Despite all this security technology, security solutions have become more complex and difficult to operate as cloud deployments themselves become more complex. As the technology and technology concepts (such as SASE) add more big ideas to the problem, the growth of cloud, Internet of Things, edge computing, and now work from anywhere quickly outpaces our ability to provide workable and cost-effective security. Our deployments become less secure rather than more.

Don’t get me wrong, I tell my clients all the time that enough time and money will solve all security problems. But no enterprise has unlimited money or time. The challenge is to define a framework of technology that can provide cost-effective, nearly optimized security solutions with the understanding that full optimization is impossible. The framework also needs to be flexible and remove operational complexity.

SASE and other big idea solutions are just conceptual at this point. Security providers promote SASE as the answer, but the actual solutions are still evolving and implementations are few and far between. According to Gartner Analyst Nat Smith, SASE is more of a philosophy than a checklist of features.

So, just what is SASE and will it save us? SASE combines SD-WAN capabilities with security and delivers them on demand. Security policies are enforced on and tailored to each user session, based on the identity of the connecting entity, context (behavior of the device), compliance policies, and an ongoing assessment of risk for each session.

Not to knock SASE or zero trust or anything else in the works, but I figure we need 20 bad ideas in order to pick a few good ones. We’ve already had some stinker ideas, so SASE and zero trust could turn out to be the winners. Just keep in mind that we’re not at a point where security products and/or concepts will show up in your cart as a predefined set of solutions.

Today we must still cobble together security technology that may or may not be optimized for our cloud and/or enterprise security deployments. This means we still need to rely on the skills of the cloud security architect along with a handful of decoupled security technologies that we hope will do the trick.

We’re sitting in a perfect storm: Too many security problems have yet to be solved, and the cloud deployment rate continues to explode. Something is waiting to happen. It’s time for some bigger thinking from nontraditional sources. To weather this storm, a certain amount of leadership needs to come from the masses, thought leaders, and solutions providers. And it needs to come soon.

Source