In 2019, more enterprise workloads were executed in the cloud than on premises for the first time.
To be precise: 56% of workloads were executed in the cloud -- either as IaaS, PaaS or SaaS -- compared to 44% on premises (of that, 40% were in the data center and 4% in branch offices).
This tells us that organizations must get serious about cloud threat protection, and that requires tackling two things: protecting cloud-based resources and using cloud-based services to do so. Doing both requires making organizational, operational and funding changes -- plus investing in the right technologies.
Let's address these necessary changes in order.
Cloud threat protection means measuring MTTC
One of the best success metrics for cybersecurity organizations -- and the metric that Nemertes Research, where I work, relies on to measure cybersecurity success -- is mean total time to contain (MTTC) security breaches. MTTC includes the sum of the time required to detect a potential attack, understand that it is in fact an attack and contain it. Nemertes' analysts measure MTTC annually, most recently in our 2019-2020 "Cloud and Cybersecurity Research Study," in which we assessed MTTC for 335 firms in 11 countries, across 24 industry verticals.
The median MTTC across all of the companies Nemertes studied is 180 minutes. We selected the organizations in the 80th percentile and above as our success group. The companies in this group have an MTTC of 20 minutes or fewer.
While it's far from the only relevant metric, MTTC is a good measure of a cybersecurity organization's maturity; cybersecurity organizations with a low MTTC generally have better security practices than those with a higher MTTC.
Practices that correlate with lowering MTTC for cloud-enabled organizations include the following:
- Having staff focused explicitly on cloud threat protection improves MTTC by 41.7%.
- Having a cloud security budget improves MTTC by up to 80%.
- Having a cloud security architecture improves MTTC by 75%.
So far, so good. But what technologies should be included in that budget and architecture?
5 tools for lowering your MTTC
The following technologies correlate with a measurable improvement in MTTC and, thus, should be considered by cloud-enabled organizations:
Cloud-based identity and access management (IAM) provides a platform for single-credential and single sign-on authentication across multiple cloud platforms, and possibly internal systems. Vendors that provide IAM as a service include Microsoft, Okta, OneLogin and Ping Identity. Using IAM as a service correlates with 50% improvement in MTTC.
Cloud access security brokers (CASBs) provide additional security controls on and visibility into enterprise use of cloud resources. They can be in-line proxy-style intermediaries through which cloud-bound traffic passes, or they can be API-based services that are called upon by cloud services for authentication and authorization of user access -- and to which cloud services send monitoring event information on use of the service. CASBs are available from Bitglass, Netskope, Microsoft and McAfee. Using CASBs correlates to 50% improvement in MTTC.
Behavioral threat analytics (BTA), sometimes referred to as user and entity behavioral analytics, integrates multiple sources of data -- such as logs, analytics platforms and SIEM -- to capture and display anomalous behavior of users, devices and systems. BTA examples include Broadcom Bay Dynamics, Gurucul, Exabeam and Splunk. Using BTA correlates to 41.7% improvement in MTTC.
Cloud-based firewalls are virtual entities in the cloud, as opposed to physical devices in physical locations. Most major firewall providers (including Palo Alto, Cisco, Check Point and others) offer cloud-based versions of their services. Most major telcos and cloud security providers -- like Verizon, AT&T, CenturyLink and Masergy Communications -- offer cloud-based firewall services. Using cloud-based firewalls correlates with a 50% improvement in MTTC; 60% of organizations studied by Nemertes had enabled cloud-based firewalls.
Secure Access Service Edge (SASE) tools enable mobile and home users and sites to connect via a secure point of presence to a secured network operator's core network. These tools then apply security policies to control access to resources on premises or in the cloud. SASE products include Cisco Umbrella and Palo Alto Prisma. The use of SASE correlates with a 17% improvement in MTTC.
Beyond the tools: 5 next steps
What does this mean for enterprise security professionals? First, if you don't yet have cloud security specialists, hire them or grow your own via training and certification. This step is essential even if it means increasing headcount in the cybersecurity organization. If you can get there by trimming headcount in other areas, so much the better, but, regardless, having a team in place is the first step toward success.
Second, ensure the cloud security team is well funded. The greatest improvements in MTTC correlate with having line items for this team's budget in both the cloud and cybersecurity budget. Either one is good; both is best.
Third, the cloud security team's first act should be to develop a cloud security architecture and strategy. Which critical technologies listed above do you plan to implement, and how will they be integrated together? This architecture and strategy should include fundamental technology principles that will be used to drive vendor and product selection. It should also generate a roadmap laying out the sequence of procuring and installing the technology.
Fourth, based on that cloud security strategy, architecture and roadmap, the cloud cybersecurity team should begin selecting and implementing the key technologies.
Fifth and finally, teams shouldn't neglect documenting and implementing the cybersecurity operational changes driven by the move to cloud threat protection. For example, cloud security providers need to be fully integrated into an organization's incident response policy.
The bottom line: As workloads move to the cloud, so should the means of protecting them. The era of cloud computing is here. The era of cloud cybersecurity is dawning.