Relearning past lessons in assessing cloud risk
Those who do not learn from history are doomed to repeat it -- even when that history is only about a decade or two old, according to one security analyst in this podcast episode.
Enterprises have forgotten even recent history when it comes to assessing cloud risk, according to one security analyst, who hopes the CrowdStrike outage will prompt at least some of them to dust off past eras' lessons learned about IT resilience.
Chris Steffen is vice president of research for information security at analyst firm Enterprise Management Associates. He previously held a variety of IT leadership roles at companies, including HPE and DXC Technology.
On the day of the CrowdStrike incident in July, he posted on LinkedIn, "Not trying to kick anyone while they are down, but those that equate resiliency with public cloud computing really need to re-evaluate those beliefs, especially for mission critical workloads. The outages being reported today were some of the exact same issues that we have seen before, but -- as an industry -- don't seem to learn from."
In this episode of IT Ops Query Season 2: The State of SecOps, Steffen got more specific about the lessons he had in mind.
"I was at Black Hat not that long ago, and I was chatting with [a] younger person, and I told them that this would never have happened to me when I managed a data center environment," Steffen told podcast host and TechTarget Editorial's Beth Pariseau. "We were striving to be five-nines, [meaning] out of a given year that you were up 99.999% of the time, which translates to several seconds of outage a year. … I mentioned that to this person, and they really had no idea what that was."
In the cloud computing age, infrastructure reliability has largely become someone else's problem, Steffen said, until it isn't. Meanwhile, many enterprises with a low tolerance for risk have also forgotten the shared responsibility model of the cloud, he said.
"I have done research for the last two, three years on this specific question. And every year, about 7% of all the respondents -- and we're talking thousands of people over the years -- have come back [and] said that 'the security of my infrastructure is the responsibility of the cloud service provider,'" according to Steffen.
There's no turning back the clock. But Steffen said he'd like to see companies make a more cogent assessment of cloud risks before jumping into services that expose them to potentially disastrous outages.
"[I'm] not dissing on cloud at all," he said. "I am just concerned that people are utilizing cloud without really fully understanding the advantages and disadvantages of going to that kind of environment."
Overall, however, Steffen said SecOps has improved over the years, especially when pushed by regulations such as the SEC's four-day disclosure rule for cybersecurity breaches. Generative AI also has Steffen optimistic about the future.
"Having an AI bot distill a CVE into pointy-haired boss language; sending it out to an executive; and saying, 'Here's what's going on, here's what we're doing about it, and here's why you care' -- that's something that a tinfoil-hat type, a practitioner, now doesn't have to do," he said.
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.