Last updated Sep 7th, 2022 by Yoram Gronich

The decision facing enterprises today isn’t whether to move applications and infrastructure into the cloud but which clouds and how many. In their 2021 State of the Cloud report, Flexera found that 92 percent of cloud decision makers have a multi-cloud strategy. Those same decision makers, however, recognize that multi-cloud comes with its own set of challenges. Specifically, Flexera’s report notes that 81 percent of those decision makers view security and compliance as the number one barrier to achieving the full benefits of the public cloud.

Like it or not, those decision makers are right. As clouds become more complex and more pervasive, networks will become unmanageable without security automation. Right now, security is perceived as the weak link in the DevOps chain, and not without reason. Agile application development requires continuous changes, which includes changes to access controls. If it takes days for the network and security teams to review and approve (or deny) those changes, the process breaks down. And that’s exactly what is happening in enterprises around the world.

The solution isn’t to circumvent security. And it certainly isn’t to limit investments in the cloud. Companies initially adopted cloud for cost savings, but realized over time that while they’re not achieving significant cost savings, the cloud can deliver a competitive advantage by accelerating time to market, improve customer satisfaction through faster responses and new services, and meet changing market demands with simple scale up/down capabilities. In an age when most companies see themselves as digital-first, enterprises need the agility of the cloud—but they also have to recognize that the cloud comes with new security challenges.

You can have agility with security

The adoption of multi-cloud and hybrid cloud models doesn’t mean that the data center is disappearing. In fact, we expect to see both on-prem and public/private cloud footprints to be significant for the foreseeable future. As the network expands into the cloud, so does the attack surface. Traditionally, enterprises have deployed more firewalls and switches to secure network points as well as, more recently, network segmentation. But this approach results in added management complexity and cost. Configuring and managing thousands of firewalls and switches is a recipe for disaster and a leading reason why Gartner believes that 99 percent of all security failures through 2025 will be attributable to misconfigurations.

We believe—and our customer experience bears this out—that a centralized, automated security policy solution can deliver security with agility in a hybrid multi-cloud world. With a centralized security management layer that sits on top of all of the infrastructure, organizations can easily visualize, analyze, create, and implement security policies across the entire hybrid network. With a policy-based approach and a central management console that connects to all of the network and cloud platforms – changes can finally be automatically vetted for policy compliance, properly designed and then provisioned. Once automated, security policies can be built into the network change process and integrated with ITSM workflows, so that security changes can be reviewed and approved/denied in minutes instead of days.

The benefits of security policy automation

There are four important benefits to security policy automation:

  1. Bring agility to security, which is a game-changer for enterprises that are struggling to achieve digital transformation, and suffer from changes taking days to implement.
  2. Provide better visibility of security across the entire business, whether an application is hosted in the data center or in any of a number of cloud platforms.
  3. Allow network and security teams to integrate security in the DevOps process without relying on developers to configure those settings.
  4. Facilitate the concept of continuous compliance, where security policies can be quickly updated and consistently applied to meet changing regulatory and business requirements.

Right now, most businesses are stuck between a rock and a hard place: secure but slow, or agile but risky. We’re building a middle ground that balances security with agility through zero touch automation. As Bruce Schneier has famously and pithily pointed out, “Security is a process, not a product.” The goal of every agile organization should be to bring security into its agile development processes, wherever those processes take place: in the data center, in a private cloud, or in any number of public clouds. Only then will enterprises be able to discover the next big thing without becoming the next big target.