According to Kindervag

Post by rakhirhif8963 »

4. Too many companies don't know what they're trying to protect.
When organizations decide how to segment their cloud security surfaces, they must first clearly define what exactly they are trying to protect. This is critical because each asset, system, or process will have its own unique risk, and this will determine how it is accessed and protected. Obviously, you wouldn’t build a million-dollar warehouse to store a few hundred cents’ worth of value. The cloud analogy is that it doesn’t make sense to build a ton of security around a cloud asset that is isolated from sensitive systems and doesn’t contain any sensitive information.

It’s incredibly common for organizations to have a poor understanding of what they’re protecting in and out of the cloud. In fact, most organizations today don’t even have a good understanding of what’s in the cloud or what’s connecting to the cloud, let alone what needs to be protected. For example, the Cloud Security Alliance’s “State of Security Remediation 2024” study found that only 23% of organizations have full visibility into their cloud environments. And an Illumio study from earlier this year found that 46% of organizations don’t have full visibility into their cloud service connectivity.

Kindervag laments that people don't think about what they're actually trying to achieve, what they're trying to protect. This is a fundamental problem that causes companies to spend a lot of money on security without providing adequate protection.

“People come to me and say, ‘Zero trust doesn’t work,’ and I say, ‘What are you trying to protect?’ and they say, ‘I haven’t thought about that yet,’ and I say, ‘Well, then you’re not even close to starting to implement the zero trust process,’” he explains.

5. Incentives for cloud native development are out of sync with reality
DevOps practices and cloud-native development have grown exponentially thanks to the speed, scalability, and flexibility that cloud platforms and tools provide. When security is properly integrated into the mix, things can work out very well. However, Kindervag says most development organizations don’t have the incentive to make this happen, which means that cloud infrastructure and all the applications that run on it are at risk.

“I like to say that people who do DevOps applications are like ‘kings of the road,’ like Ricky Bobby in IT. They just want to go fast,” says Kindervag. “I remember talking to the head of development at a company that ended up getting hacked, and I asked him what he did for security. And he said, ‘Nothing, I don’t care about security.’ I said, ‘How can you not care about security?’ And he said, ‘Because I don’t have a KPI for it. My KPI is that I have to kick my team five times a day, and if I don’t do it, I don’t get a bonus.’”