What if On-Prem Cloud Strategy Relied on Policy-as-Code Rather Than Taking Inventory?
This blog was originally published by Secberus here.
Let's focus on creating cloud security policies that govern hybrid environments.
Fausto Lendeborg, CEO of Secberus, and Everett Young, COO, spend a lot of their time talking about the future of cloud governance. And the rest of their time nabling the Secberus team to build a solution that brings some much needed perspective and relief to the cyber security industry.
In this “What if” article, they discuss one of the biggest hurdles regarding why on-prem organizations find it so frustrating to migrate to a cloud or hybrid environment.
On-prem strategy works for your on-prem environment quite well. But that’s it. It only works for one, specific environment. Cloud strategy, on the other hand, works both ways. A cloud strategy, when built with business-first policies, can govern both your on-prem and cloud environment.
Everett believes, "The hybrid cloud is the future. Organizations will continue to need both private and public cloud infrastructure as they grow and evolve their businesses. It's unlikely that we will be solely on cloud or on-prem. But what is likely is the growing need for a unified security strategy to manage both environments."
So why can’t we adapt our current security strategy to govern our entire security environment? It comes down to inventory management and requirements. What if taking inventory (or even taking a sample inventory) of your security environment was not a requirement? And what if building policy-as-code was? We’re not saying taking stock in your inventory is a bad thing. Far from it. We can easily go on about the benefits of speed, customer service, cost savings, proper resourcing, etc. that knowing your inventory brings. But there are also a lot of things it doesn’t bring. And they are big things, like a scalable, cloud-friendly solution.
The bottom line is:
Private cloud controls applied to public cloud controls will fail.
Policy-as-code on public cloud applied to private cloud controls will succeed.
The number one question you should be asking is, “Is there a better way to confidently and quickly find out if we have applied our intended security controls?”
We realize this shakes up current thinking. And it affects some, like auditors, a great deal. By relying on a scalable, policy-as-code system to control your hybrid cloud environment, auditors (and CISOs, Cloud Architects, and other security leaders) are assured that they have a real-time method for determining which assets are within the organization’s intended security controls.
So, what if creating policies, and not relying on inventory, was the requirement moving forward? You could achieve a unified cloud security strategy and benefit from the ability to auto-scale, develop faster and gain real-time accuracy.
Fausto believes, "This is how we're going to change cloud security."
Who’s with us?
Resources considered in writing this article include: