Since I first heard a few of the folks who would go on to form the Cloud Security Alliance discuss the “cloud computing” model a long, long time ago I have been hopeful that two things would happen. First, I was hopeful that cloud computing would increase an organization’s resilience to failure. Second, I was hopeful that security would find a way to natively build itself into the various cloud constructs.
Turns out neither of those things has happened in a meaningful way.
Consulting on security strategy matters into some of the most interesting companies in the world has definite perks. One of them is that you get to see how “the cloud” is really used. I mean, even today cloud is like sex back in High School. Everyone talks about it like they’re doing it on the regular, but most haven’t done anything really meaningful to speak of.
So let me get to my point.
When you think “cloud” you think highly dynamic, programmatic, DevOps. You probably think that patching is gone, and immutable infrastructure is the new hotness. You probably think about containers, serverless, and micro-services. You probably think about native security in one of the three public cloud providers. Cool.
Fact is, most of the mid-market and lower-enterprise companies I’ve had the pleasure of discussing cloud with aren’t anywhere near that. Most of those that are actually using the public cloud have simply figured out how to replicate their data center in someone else’s data center, minus all the hardened perimeter security they’re used to.
So while I’d love to tell security readers that their IT departments are standing up and tearing down a thousand servers (or a thousand times that) per day, and that they have to get their ship in order in this new highly dynamic world, it would be untrue. Most of them are dealing with static environments that still have to be patched and secured the old-fashioned way, like it’s still the 2000s.
There certainly are enterprises, start-ups, and other companies that are doing the high-velocity, high-volume stuff and they’re killing it. They’re probably DevOps’ing the hell out of things, and no one even says the word “patch” anymore. But they’re more rare than an honest politician.
So the lesson, or the moral of the story, friends, is that you should be building security for tomorrow in the brave new world we’re already in. Just know that many of the principles of that world are 5–7 years away from being realized in your market segment.
Hey vendors, are you listening?