The unstoppable forces of cloud and agile development are driving momentous changes in how enterprises build, deploy, and run applications. These shifts have many implications – here are four very important ones.
According to the 2018 IDG Cloud Computing Research, 73% of companies have adopted cloud technology, with executives driving their companies to be 100% in the cloud. IDG analysis predicts there will be a continued aggressive shift to cloud technology, and predicts that in 18 months SaaS will be in use at 95% of companies, IaaS at 83%, and PaaS at 73%. Gartner assumes that by 2025 80% of enterprises will have shut down their traditional data centers, compared to 10% today.
RightScale says that 80% of the companies in the cloud have adopted a multi-cloud strategy using multiple providers such as Amazon, Microsoft, Google, IBM, Oracle, and Alibaba. Also, the ease and benefits of creating cloud accounts ensures that having many AWS/GCP cloud accounts or Azure subscriptions is the norm. It is not unusual for enterprises to have hundreds (and in some cases thousands) of cloud accounts.
Gone are the days of a limited selection of manageable data stores (e.g. Oracle, IBM, and MS SQL). Innovations in agile cloud development have led to an explosion of new data store options, with teams utilizing Amazon MongoDB, Elasticsearch, CouchDB, Cassandra, Dynamo DB, HashiCorp Vault, and many, many more. Adding these to object stores like AWS S3 and Azure Blob makes it self-evident that new corporate infrastructures do not have a physical or logical concept of a ‘data center.’
With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions - already adopted by 22% of corporations - come and go in seconds. Data is the oil of the digital era, but in this era, the oil rigs are ephemeral and countless. EC2 instances, spot instances, containers, serverless functions, admins and agile development teams are the countless fleeting rigs that drill into your data.
Is it any wonder that 53% of organizations using the cloud have exposed data online? While all this flexibility and agility is good for innovation and flexibility, it poses new challenges. In particular, we have a problem
A small sample of well-publicized cloud data loss incidents are listed in Figure 1, but we can be confident that the data control problem is set to grow as rapid adoption of cloud platforms and new development techniques continue unabated.
|BleepingComputer||Hadoop Servers Expose Over 5 Petabytes of Data|
|ZDNet||Yet another trove of sensitive US voter records has leaked|
|TheRegister|| Et |
|TechGenix||Another AWS configuration error exposes Dow Jones customer data|
|HealthcareITNews||Hackers are ransoming 26,000 unsecured MongoDB databases, security researchers find|
|Forbes||Massive WWE Leak Exposes 3 Million Wrestling Fans' Addresses, Ethnicities And More|
|CNNBusiness||Verizon data of 6 million users leaked online|
|cyberscoop||Booz Allen Hamilton leaves 60,000 unsecured DOD files on AWS server|
Figure 1: Published cloud breach incidents
Of course, we don’t have just a security problem. Compliance mandates like PCI, HIPAA, Europe’s GDPR, California’s CCPA, Brazil’s LDPD, Canada’s PIPEDA and many more demand extensive security controls for data and audit/reporting of these controls.
As cloud and agile has launched into the mainstream, traditional data center and network management tools are stuck in the past. Practitioner-focused cloud provider tooling is also not up to the task. Markedly different identity and data models exist within AWS, Azure, GCP, and other cloud providers. Access control lists, inline policies, group inline policies, role inline policies, assumed roles, switched roles federation and managed policies all have an impact on what has access to a resource. We must understand multiple cloud provider identity and data models and track access to 3rd party data stores used within the major AWS, GCP and Azure cloud platforms. Where can a company turn when it needs to track data access and movement across multiple clouds, tons of cloud accounts and thousands of data stores?
The Sonrai Security Cloud Data Control service provides a complete risk model of all identity and data relationships, activity, and data movement across cloud accounts, cloud providers, and 3rd party data stores. Sonrai CDC is built on the cloud for the cloud. The service focus is data+identity of all entities that have access to data – across cloud providers and 3rd party data stores. Lastly, the Sonrai CDC service bridges between DevOps and Security teams to: