To use a long-forgotten metaphor, cloud deployment is moving forward at Internet speed at many enterprise organizations. According to ESG research, 57% of enterprise organizations use public and private cloud infrastructure to support product applications/workloads today, and an overwhelming majority of organizations will move an increasing number of applications/workloads to cloud infrastructure over the next 24 months.
No one would dispute that cloud computing represents a different compute model, but for the most part it is based on server virtualization. And since a VM is meant to emulate a physical server, many organizations approach cloud security by pointing traditional security processes and technologies at cloud-based workloads. This behavior is illustrated in a recent ESG research survey, in which cybersecurity and IT professionals were asked if their organizations used existing security technologies and processes for securing workloads residing in cloud infrastructure (i.e., public and private). A vast majority (92%) said they did so, “extensively or somewhat.”
Same Security, Different Platform?
Certainly cybersecurity professionals want to leverage existing investments and lean on well-established best practices as much as possible. So what’s the problem? Unfortunately, existing technologies and processes don’t always work when pointed at cloud-based workloads. In fact, 32% of enterprise cybersecurity and IT professionals admit that they’ve had to abandon many traditional security policies or technologies because they couldn’t be used effectively for cloud security, while another 42% have abandoned some traditional security policies or technologies because they couldn’t be used effectively for cloud security.
ESG also asked survey respondents to identify the least effective traditional security tools for addressing cloud security requirements. The replies were as follows:
Cloud-Native Security: Required
Of course, no organization wants to throw the cybersecurity baby out with the cloud bath water, but force-fitting security tools designed to protect physical assets won’t work either. Yes, CISOs should use tried-and-true best practices whenever possible, but the ESG data indicates that they’ll need to embrace cloud-native security technologies and processes to do so.
This won’t be easy, but there is really no alternative. As the ESG data clearly indicates, securing new cloud infrastructure with old processes and controls is simply a recipe for failure.
Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.