When Microsoft launched O365 a few years back, the biggest benefits for organizations were cost savings, enhanced collaboration, and simplified information exchange. The cost-saving aspect particularly accelerated the transition as O365 got onto the action lists of CFOs and COOs who were looking for higher flexibility and ROI on IT investments. However, the security angle added friction, as the majority of enterprises assumed that Microsoft was fully responsible for security, which was not true. To set the right expectations, Microsoft came up with a Shared Responsibility Model under which it is responsible for the security and availability of the infrastructure and the service, but not for the security of the application where exposure results from misconfiguration, user error, and the like.
Fig: Shared Responsibility model (Source: Microsoft)
This opened the gates for a new category of security provider called CASB (Cloud Access Security Broker). CASB providers helped organizations build and orchestrate a consistent framework of policies and controls across different SaaS services.
We see a similar trend in the cloud-native application space, where products like Docker and Kubernetes and services like AWS EC2, EKS, Fargate, Azure Functions, etc. are making it possible to build cloud-native, planet-scale applications.
This lets product teams build and iterate on applications at lightning speed, giving them the first-mover advantage and quicker time to market. In addition, these technologies are lighter and require a smaller IT footprint, reducing the overall cost. Some companies have taken this plunge head-on, but the majority are either contemplating it or implementing it only in their development environment, unsure about taking it to production. Again, security shows up as the biggest concern, because most providers have a Shared Responsibility Model that puts the onus on the company consuming the services.
Some of the key concerns (not in order) that we hear from enterprises are:
Discovery: how do I get an inventory of the different apps running in my infrastructure, whether multi-cloud or hybrid
Non-supported app: how do I ensure that there are no unsanctioned apps (e.g., crypto-mining) or malware running in the infrastructure
Compliance: how do I implement micro-segmentation to achieve compliance
Misconfigured app: how do I ensure that there are no misconfigured apps in the infrastructure (hybrid and multi-cloud) that might lead to data exfiltration
Activity and Access Mgmt: how do I ensure that someone is monitoring the activity and access rights of users, admins and super users who might use their privileged rights to exfiltrate data
Visibility: how do I get an understanding of what’s going on inside containers, which are the building blocks of a cloud-native app but are ephemeral in nature
Enforcement across multi-cloud: how do I enforce policies and controls consistently across different public clouds (e.g., AWS, Azure, GCP) and my private cloud
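The first three concerns above (Discovery, Non-supported app, Misconfigured app) all start from the same artifact: a workload inventory gathered across clouds, audited against a sanctioned-registry allow-list and a few misconfiguration rules. The script below is an added example, not Araali's product code or anything from the original post; the inventory, the registry name registry.example.internal, the cloud labels and the rule thresholds are all constructed for illustration.

```python
"""Audit a constructed multi-cloud workload inventory for unsanctioned images,
privileged settings and unrestricted egress. Example code, not from the post."""
from dataclasses import dataclass, field

# Assumption: the organization only deploys images from its own registry.
SANCTIONED_REGISTRIES = {"registry.example.internal"}


@dataclass
class Workload:
    name: str
    cloud: str                      # where it runs: aws / azure / gcp / onprem
    image: str                      # fully qualified image reference
    privileged: bool = False        # runs with elevated container privileges
    host_network: bool = False      # shares the node's network namespace
    egress_cidrs: list = field(default_factory=list)  # allowed outbound CIDRs


# Constructed inventory: three workloads spread over two public clouds and a
# private cloud, as a discovery step might collect them.
INVENTORY = [
    Workload("web", "aws", "registry.example.internal/web:1.4",
             egress_cidrs=["10.0.0.0/8"]),
    Workload("batch", "azure", "docker.io/unknown/miner:latest",
             egress_cidrs=["0.0.0.0/0"]),
    Workload("db", "onprem", "registry.example.internal/db:9", privileged=True),
]


def image_registry(image: str) -> str:
    """Registry host of an image reference. An unqualified name such as
    'nginx:latest' has no host part and is treated as unsanctioned here."""
    first, sep, _ = image.partition("/")
    return first if sep else ""


def audit(inventory):
    """Return (workload, finding) pairs; an empty list means a clean inventory."""
    findings = []
    for w in inventory:
        if image_registry(w.image) not in SANCTIONED_REGISTRIES:
            findings.append((w.name, "unsanctioned-image"))
        if w.privileged or w.host_network:
            findings.append((w.name, "privileged-or-host-network"))
        if "0.0.0.0/0" in w.egress_cidrs:
            findings.append((w.name, "unrestricted-egress"))
    return findings


def inventory_by_cloud(inventory):
    """Discovery view: workload names grouped by the cloud they run in."""
    grouped = {}
    for w in inventory:
        grouped.setdefault(w.cloud, []).append(w.name)
    return grouped


if __name__ == "__main__":
    for cloud, names in sorted(inventory_by_cloud(INVENTORY).items()):
        print(f"{cloud}: {', '.join(names)}")
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

Each rule maps to one of the listed concerns: the registry check answers "unsanctioned apps", the privilege and egress checks answer "misconfigured apps that might lead to data exfiltration", and the per-cloud grouping is the discovery inventory the other checks depend on. In a real deployment the inventory would be fed from the cloud APIs or the Kubernetes API rather than hard-coded.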
At Araali, we have been ruminating on these questions and are working on them. We want to create a security paradigm that brings comprehensive security yet is simple to implement and has a low TCO over its lifecycle. It will let developers keep their focus on feature velocity, SecOps achieve zero trust, and CFOs keep costs under control.