Cloud Security

Cloud Security Considerations

The past week has been loaded with articles and surveys about cloud security. There has been great interest in discussing whether having applications and data fully in the cloud, or taking a hybrid approach, is the right way to go. In addition, there were discussions about encryption of data and when to do it. I was reviewing all this information from a quality and testing standpoint to sharpen security testing strategies.

One of the interesting takes on cloud security was that because the cloud is shared by multiple clients, it is relatively secure. The argument is that if an issue happens, it would affect everyone, and hence risk mitigation will happen for everyone. While this can be true, not all enterprises would view it the same way. For example, I could think of a cloud security breach as a double whammy, because I pay for the service and the provider I trusted let me down, causing me loss of data and money, whereas if I hosted the application and data myself on private infrastructure, I can take responsibility for what I did and what I didn't. The ideal solution is probably somewhere in between, with a hybrid approach, but the jury is still out.

Encryption of data was another interesting topic. People talked about encrypting data in motion, data at rest, and data while it is being processed, towards a zero-trust goal. Encryption standards and protocols are constantly evolving, and it's important to keep upgrading. But as I wrote a couple of days back, even basic security practices like applying software patches are not being done properly by enterprises, so it would be interesting to see whether enterprises are keeping up with encryption protocols and standards. Last month an article said that fatigue is an important cause of security updates slipping through, and lack of expertise as well. This week, people are talking about a shortage of personnel with even basic cloud skills.

It looks like enterprises need to do a lot to upgrade their security posture, and the right thing to do, as everyone agrees, is to address it at the board level, for which they say the CISO needs to be talking to the board constantly to make things happen. I agree.

I will continue to watch the security space closely from a quality and testing perspective.

Feel free to reach out to me if you would like to chat.
