The Costs of Transforming Security for Hybrid Multicloud

Mark Buckwell
AI+ Enterprise Engineering
8 min read · Dec 16, 2019


As organizations move to Cloud services, security becomes more important to everyone in the organization. Using the Cloud adds risk from new threats, such as the Cloud Service Provider (CSP) potentially having access to sensitive data. The complexity of security also increases: the security capabilities built into the cloud platform need to be managed, and additional layers of security need to be built on top of the platform.

Working with clients, the Cloud Engagement Hub has seen the Security team within organizations struggling to keep up with the new security capabilities needed for Cloud. Some organizations have been using cloud services with strong security capabilities for many years and others have not started. Those that think they have not started are often already using Cloud services through shadow SaaS applications, with no understanding of what security is deployed. At the other end of the scale, we have found many who think they are mature but are only starting on their journey, as they have not understood the extent of the security transformation needed for Cloud. It’s this large variation in maturity that makes the ‘Journey to Cloud’ unique for each organization.

One fundamental question asked during our development of a cloud security transformation roadmap is: ‘how much will it cost to transform and run the new security services for Cloud?’. One thing we do know is that the costs of security will increase with the additional complexity and risk of using Cloud services. However, until we have a good understanding of the current context and the target solution is agreed, the response will always be ‘It all depends…’.

To help answer questions on the scale of the increase in costs, we have identified some of the parameters and constraints needed to make the calculation. To help simplify the discussion, the problem has been decomposed into three dimensions:

  1. Complexity of Service — the complexity of the Cloud services being implemented
  2. Current Capabilities — the security capabilities of the existing organization
  3. Sourcing Strategy — the sourcing strategy for the Cloud and Security capabilities

The diagram below visualizes the many factors in each of the three dimensions that influence the transformation and operational costs for Security.

Complexity of Service

Complexity is always a factor in costing new Cloud infrastructure, with the number of Cloud Service Providers (CSPs) being a significant multiplier. Each new CSP requires effort to integrate and operate security capabilities built into and built onto the cloud platform.

With security, there needs to be a balance between using the security capabilities built into the cloud platform and the security capabilities built onto the platform. Built-in security may be easier to use but it is often proprietary to a CSP and introduces lock-in. The simple answer would be to use one single CSP but many organizations are concerned about the concentration risk of a dominant cloud platform and require an exit strategy.

The cost impact of multiple CSPs can be reduced by using the same components across cloud platforms, such as operating systems, middleware, the container platform and directory services, together with multicloud security management for consistency. Getting the balance right between built-in and built-on security is important. An agreed security architecture that identifies the common multicloud components is needed to reduce complexity and ensure an integrated set of security services.

The number of software components needing to be secured is also a cost multiplier. For each software package used, a separate baseline standard for secure configuration needs to be defined, with additional management and compliance capabilities to enforce it. Whilst standard security baselines from organizations such as the Center for Internet Security help reduce the effort, they do not remove the additional work. An increased number of software packages increases the number of skilled security resources required and the security tooling needed to manage them.
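To make the per-package multiplier concrete, here is an added example (not code from the original article or from the Cloud Engagement Hub) of what a minimal baseline compliance check looks like once each package's secure-configuration standard is encoded as rules. The package names, rules and configuration snapshots are constructed for illustration and are not CIS benchmark content; each new package in the estate adds another `BASELINES` entry that has to be written, run and maintained.

```python
"""Per-package secure-configuration baseline checks (illustrative example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    key: str                      # configuration key to inspect
    check: Callable[[str], bool]  # predicate on the raw value
    expected: str                 # human-readable expectation for the report


# One baseline per package (constructed). Every additional package in the
# estate means another block like these to author, test and keep current.
BASELINES: Dict[str, List[Rule]] = {
    "sshd": [
        Rule("PermitRootLogin", lambda v: v == "no", "no"),
        Rule("PasswordAuthentication", lambda v: v == "no", "no"),
        Rule("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "<= 4"),
    ],
    "webserver": [
        # only modern TLS versions may appear in the protocol list
        Rule("ssl_protocols", lambda v: set(v.split()) <= {"TLSv1.2", "TLSv1.3"},
             "TLSv1.2/1.3 only"),
        Rule("server_tokens", lambda v: v == "off", "off"),
    ],
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse simple 'key value' or 'key = value' lines; comments and blanks are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        settings[key.strip()] = value.strip().rstrip(";")
    return settings


def check_package(package: str, config: Dict[str, str]) -> List[str]:
    """Return one finding per baseline rule that is missing or fails."""
    findings: List[str] = []
    for rule in BASELINES[package]:
        value = config.get(rule.key)
        if value is None:
            findings.append(f"{package}: {rule.key} not set (expected {rule.expected})")
        elif not rule.check(value):
            findings.append(f"{package}: {rule.key}={value} (expected {rule.expected})")
    return findings


def check_estate(snapshots: Dict[str, str]) -> Dict[str, List[str]]:
    """Run every package's own baseline over that package's config snapshot."""
    return {pkg: check_package(pkg, parse_config(text)) for pkg, text in snapshots.items()}


def total_checks(packages: Iterable[str]) -> int:
    """How many baseline checks must be run and maintained for these packages."""
    return sum(len(BASELINES[p]) for p in packages)


# Constructed configuration snapshots; these are not captured from real hosts.
SAMPLE_SNAPSHOTS = {
    "sshd": "PermitRootLogin yes\nPasswordAuthentication no\nMaxAuthTries 6\n",
    "webserver": "server_tokens off;\nssl_protocols TLSv1 TLSv1.2;\n",
}

if __name__ == "__main__":
    print(f"{total_checks(SAMPLE_SNAPSHOTS)} checks across {len(SAMPLE_SNAPSHOTS)} packages")
    for pkg, findings in check_estate(SAMPLE_SNAPSHOTS).items():
        print(pkg, findings or "compliant")
```

Running the sample reports two findings for `sshd` and one for the web server; the point is that `total_checks` grows with every package added, which is the management and compliance cost the paragraph describes.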

This becomes even more complex with the move to open source, which further increases the number of different software components. Have a look at the CNCF Landscape to get an idea of the potential complexity of using individual open source project components. Where an organization decides to perform DIY integration for each of these open source projects, there will be an increased cost to ensure each project is kept secure over time. The open source community only provides support for a limited time, and if the organization cannot upgrade fast enough, additional effort will be needed within the organization to maintain the security of the open source software. Remember, it is not just the individual packages that need to be maintained but also the integration dependencies between the packages.

One option is to use curated open source projects integrated into a package with long-term support, such as that provided by an enterprise container platform. Whilst this will have associated third-party support costs and reduce the ability to use upstream open source, it frees up scarce resources to focus on the core business of the organization and leaves open source support to dedicated experts. Using a supported open source package does not mean no other open source will be used within the organization, so a policy needs to clearly define what open source can be supported, with the understanding that there will be a cost to maintain the security of the code.

The sensitivity of the data placed in each environment is another factor. If it is decided to place sensitive personal information in every cloud environment, each of those environments will need increased data protection, including encryption and increased monitoring. Using the same strategy as for PCI DSS, restrict the scope of the environments allowed to process the sensitive data to reduce the cost of the additional security capabilities. It may be better to keep sensitive data on-premises in a private cloud infrastructure or on traditional IT infrastructure.

Current Capabilities

Security for Cloud is even more complex, with controls at the physical server, virtual server and container level that are built into or built onto the cloud platform. Many of the security capabilities need support for automation as they move from manual controls to full integration with a DevOps pipeline. The number of security capabilities is increasing to handle new threats and to move towards a zero trust architecture.

Each of these security capabilities needs to be designed, built, managed and then compliance checked; otherwise we end up with situations we have seen, where large amounts of personal data are exposed on the Internet or open source software is left unpatched with a critical vulnerability. The capability of the current Cloud and Security teams to support cloud security will influence the transformation costs.

The skills of the current Security team will have an impact, with some teams technically mature and others less so. A team with good foundation technical skills, such as networking, application development and security architecture, will find it easier to transform. The adaptability and motivation of existing Security staff to self-invest in their skills will be important, as an understanding of Cloud native platforms and applications may not come easily; it needs perseverance! Re-skilling will reduce the need to recruit expensive and scarce security resources with cloud security skills, but the talent developed then needs to be retained through retention initiatives that require additional investment. Think about ways of recognizing and rewarding personal investment in skills.

Many organizations operate in silos, with poor co-operation between the security, infrastructure and application development parts of the organization. We have seen Security teams left behind in a digital transformation because the infrastructure and application teams do not engage the Security team in an integrated governance process. From the other perspective, the Security team may still be operating in a culture of risk and compliance enforcement rather than understanding that its role is transforming into that of a critical service delivery partner. Digital transformation needs cross-disciplinary teams that work closely together, and overcoming the organizational silos may be the hardest part of the transformation.

One of the benefits of DevOps is automation of the pipeline to deliver servers or containers near instantly. However, this needs effective automation of the security controls for orchestrated servers, including instant registration of ALL privileged service user IDs (not just root or Administrator) and of the certificates used for TLS communication. If these processes are performed manually today (maybe with spreadsheets), more investment is needed than in an organization that already has tooling deployed. With container platforms there are many more capabilities built in, but the supporting security services will now need greater levels of resilience and support. Even where security tooling is already deployed, it may require significant upgrades for performance and availability.
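The privileged-ID registration step above is the kind of control that has to run automatically as part of the build rather than from a spreadsheet. As an added example (not code from the original article, and not the Cloud Engagement Hub's tooling), the script below enumerates every privileged account on a newly built Linux host from its account database and sudo policy, then reconciles that list against a central privileged-access inventory so that anything unregistered is registered and reported. The `/etc/passwd`, `/etc/group` and sudoers content, the hostname and the inventory are all constructed samples; the inventory is an in-memory dict standing in for whatever privileged access management system the organization uses.

```python
"""Register every privileged account on a new host at provisioning time (illustrative)."""
from typing import Dict, List, Set, Tuple

# Constructed /etc/passwd, /etc/group and sudoers content for one new host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup-svc:x:0:0:backup service:/var/backup:/bin/sh
deploy:x:1001:1001:deploy:/home/deploy:/bin/bash
dbadmin:x:1002:1002:db admin:/home/dbadmin:/bin/bash
appsvc:x:1003:1003:app service:/srv/app:/usr/sbin/nologin
"""
GROUP = """root:x:0:
sudo:x:27:deploy
wheel:x:10:
"""
SUDOERS = """# constructed sudoers
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
dbadmin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart postgresql
"""

ADMIN_GROUPS: Tuple[str, ...] = ("sudo", "wheel")  # groups that confer admin rights


def parse_passwd(text: str) -> Dict[str, Dict[str, object]]:
    """Map user name -> {'uid', 'shell'} from passwd-format lines."""
    users: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_groups(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of member user names from group-format lines."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line:
            continue
        name, _, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_privileged(passwd: str, group: str, sudoers: str) -> Dict[str, List[str]]:
    """Map each privileged account to the reasons it counts as privileged.

    Three sources are combined: uid 0 (root and any root-equivalent service
    account), membership of an admin group, and sudoers entries for the user
    directly or via a %group alias.
    """
    users = parse_passwd(passwd)
    groups = parse_groups(group)
    reasons: Dict[str, List[str]] = {}

    def add(name: str, why: str) -> None:
        reasons.setdefault(name, []).append(why)

    for name, info in users.items():
        if info["uid"] == 0:
            add(name, "uid 0")
    for g in ADMIN_GROUPS:
        for member in sorted(groups.get(g, set())):
            add(member, f"member of {g}")
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        principal = line.split()[0]
        if principal.startswith("%"):
            for member in sorted(groups.get(principal[1:], set())):
                add(member, f"sudoers via group {principal[1:]}")
        elif principal in users:
            add(principal, "sudoers entry")
    return reasons


def reconcile(hostname: str, privileged: Dict[str, List[str]],
              inventory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Register this host's privileged accounts; report which were previously unknown."""
    known = inventory.setdefault(hostname, set())
    newly = sorted(set(privileged) - known)
    already = sorted(set(privileged) & known)
    known.update(privileged)  # registration: the inventory now reflects the host
    return {"registered_now": newly, "already_known": already}


if __name__ == "__main__":
    inventory = {"web-01": {"root"}}  # constructed: only root was registered before
    found = find_privileged(PASSWD, GROUP, SUDOERS)
    for name, why in found.items():
        print(f"{name}: {', '.join(why)}")
    print(reconcile("web-01", found, inventory))
```

On the sample host the script finds four privileged accounts, three of which (`backup-svc`, `dbadmin`, `deploy`) were missing from the inventory; `backup-svc` is the case the article warns about, a service account that is root-equivalent by uid without being named root.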

Sourcing Strategy

Within many organizations, Cloud is driving a change in security responsibilities, with security extending beyond the controls within the platform. We are seeing the supporting Security infrastructure being centralized whilst squads are given increased responsibility for ensuring security services are integrated. We are finding that the change in responsibilities for Security, from a 9–5 risk and compliance organization to a service-based organization with 24x7 operational responsibility, often takes time for the Security team to understand and accept. It requires a new set of responsibilities, with investment to perform the transformation.

As a wide range of skills is needed to run security services for Cloud effectively, we find organizations may not have the capabilities, or it is not cost-effective to run them in-house. They look at the option of using Security SaaS or managed security services. However, outsourcing a security service does not remove the need for an in-house team to provide the business context that the supplier will not have, matching the hours and response time of the outsourced service. We have found many organizations outsource without building a capability to manage the supplier effectively, with a team to provide the overall business and IT context.

Enabling Security Transformation

Unfortunately, the decisions that determine the costs for security are often made without the involvement of the Security team, out of fear of increased costs or fear that the Digital Transformation will be delayed. This ends up being counterproductive: security is then addressed late in the process, delaying the transformation, or controls are never deployed and a damaging security incident results.

The Cloud Engagement Hub team has found that success comes from removing silos by bringing architecture, security, operations and application development skills together into an integrated team. There are multiple approaches, ranging from full organizational change, through creating a competency center outside the traditional IT organization, to simply seating representatives from each organization together to collaborate.

To gain further insight into the change needed to embrace Cloud, read The Unicorn Project by Gene Kim. It is essential reading for everyone going through or supporting digital transformation.
