David Linthicum
Contributor

Complexity is the enemy of cloud security

analysis
Dec 06, 20223 mins
Cloud ComputingCloud SecurityMulti Cloud

Cloud security and IT security in general often overlook complexity. It’s not taught in security courses, and most experts don’t consider it in risk analytics.

Cybersecurity  >  A mysterious and intricate padlock with complex circuits
Credit: SQBack / Getty Images

It’s a fact that most enterprises put security teams and tools in a silo. It drives me nuts when I see these bad habits carried over to cloud computing security. I covered this topic three years ago, and for the most part, it’s unchanged.

Many of today’s security breaches are due to human error. A study by Ponemon and IBM indicates that misconfigured cloud servers cause 19% of data breaches. The cost? A half-million dollars per breach. The cause? Most of the time, too many moving parts for security teams to keep secure. They lose track, things are misconfigured, and the breach occurs. Simple.

Complexity is not new; it’s been creeping up on us for years. More recently, multicloud and other complicated, heterogenous platform deployments have accelerated overly complex deployments. At the same time, security budgets, approaches, and tools have remained static. As complexity rises, the risk of breach accelerates at approximately the same rate.

Most IT shops don’t consider complexity a significant metric to track when researching cybersecurity or cloud security. It’s often neglected because most security is a siloed set of processes. The architecture teams look at security as a black box where stuff is tossed over a wall and somehow magically becomes secure.

We’ve needed to integrate security with development, architecture, and operations for a long time. Some organizations practice devsecops (development, security, and operations) and integrate these concepts, bringing everyone’s expertise to bear on all problems.

In an ideal world, security is never somebody else’s problem because the lines of demarcation between development, architecture, security, and operations do not exist. Everyone works together across all development, design, and deployment aspects. Security is systemic to everything, which is the correct way to view it.

When security is everywhere, it also becomes a factor when defining core cloud and non-cloud architectures, including the amount of complexity introduced and how to effectively manage it. This includes addressing increased security risks through security operations. Many approaches, concepts, and technologies can be used to manage and lower risk while simultaneously increasing the value delivered to the business.

As we enter 2023, it’s a bit disconcerting that we still live with security risks due to rising complexity or siloed approaches. The culture in many enterprises perpetuates our inability to manage things. Too many in IT still say, “You stay in your corner of IT while I’ll stay in mine.”

This is no way to do cloud computing or cloud security and expect to succeed. Let’s look in the mirror and see what we can improve as we go into the new year.

David Linthicum
Contributor

David S. Linthicum is an internationally recognized industry expert and thought leader. Dave has authored 13 books on computing, the latest of which is An Insider’s Guide to Cloud Computing. Dave’s industry experience includes tenures as CTO and CEO of several successful software companies, and upper-level management positions in Fortune 100 companies. He keynotes leading technology conferences on cloud computing, SOA, enterprise application integration, and enterprise architecture. Dave writes the Cloud Computing blog for InfoWorld. His views are his own.

More from this author