Right now, cloud assets are raining down on us, and cyber professionals are struggling to keep their IT environments dry.
Ok, maybe we’re stretching that metaphor a little far. But the fact remains that we’ve passed the Cloud Tipping Point: 52% of VMs now reside in the cloud. The majority of businesses are running on cloud, hybrid or multi-cloud environments — in fact, cloud adoption in any form is over 96% — and container usage has become mainstream.
The implications of this change are significant: it’s becoming increasingly difficult for organizations to manage cloud assets effectively. And as cloud visibility decreases, the risk of cloud-related security incidents rises.
WHY IS CLOUD ASSET MANAGEMENT SO HARD?
Asset management can be tricky at the best of times, but cloud asset management adds another wrinkle because cloud assets are:
- Intangible
- Nearly unlimited in scale
- Liable to change frequently
- Not always centrally located
- Deployed very quickly
- Difficult to monitor without specialized tools
You may find yourself using a separate, vendor-provided security tool for every cloud asset you have. More workers might be accessing your cloud assets from more places, including unsecured WiFi. Your cloud instances may be hosted on a public cloud server.
Cloud hosting also means that security teams can no longer realistically maintain oversight over all assets. The cloud has enabled enormous flexibility, but that comes with challenges for control. Your cloud assets might suddenly double as more instances get spun up and down. And more cloud-based software can be added anytime, by just about anyone.
In short, cloud asset management is so difficult because cloud assets simply don’t operate like traditional device assets. Traditional inventory approaches (which already struggle to cope with device inventories) don’t always deliver.
WHAT DOES THIS MEAN FOR SECURITY?
The quick takeaway? This isn’t making cybersecurity any easier.
Cybersecurity asset management is based on the idea that to address security issues, you must discover security gaps. To do that, you need a comprehensive asset inventory — which is difficult with cloud assets. As one industry commentator puts it: “You won’t be physically inside of your cloud provider’s datacenter… you can’t secure what you can’t see!”
In fact, our recent research study with Enterprise Strategy Group (ESG) found that 75% of organizations have experienced serious cloud VM security incidents as a result of cloud visibility gaps.
This also has implications for cloud asset compliance. It’s challenging to assess and enforce cloud compliance within those environments, particularly when you have minimal direct oversight. Misconfigured assets or overly permissive access rights can expose data; public cloud servers such as AWS may not be secured to industry standards, requiring extra legwork to secure your assets.
On-premise tools aren’t delivering the visibility or management required for these new cloud environments. Since traditional asset inventories take 89 hours, they can’t keep up with the speed of the cloud or provide the required level of visibility into such a malleable environment.
WHERE DO WE GO FROM HERE?
To secure cloud environments, you need to start by addressing cloud asset management challenges. After all, how can you secure something if you don’t know you’re responsible for it?
That means finding or building asset management tools that are designed to keep up with the pace of the cloud, including those that can automate low-level policy enforcement for you. It also means adjusting your team’s workflow and responsibility to account for the proliferation of these new types of assets.
For more information on the state of cloud asset management, download our eBook here.
Nathan Burke is the Chief Marketing Officer at Axonius. Passionate about bringing new technologies to market to solve real problems, he has held marketing leadership roles at Hexadite (acquired by Microsoft), Intralinks, MineralTree, CloudLock (acquired by Cisco), and is a frequent speaker and contributing author on topics related to the intersection of collaboration and security.