On the journey to become an Enterprise Cloud company, every large corporation is adopting a multi-cloud approach. Developers want the cloud tools that best address their application needs, and no one cloud provider will deliver all tools to all developers. This is the one fact that dictates that our collective futures are a hybrid and multi-cloud world. And with all the hype in the industry about cloud adoption, one would think that most enterprises are giving their applications to public cloud providers to host. But au contraire! According to ONUG Community members, most large enterprises have just 10% of their applications in the cloud. They want to consume more, but the lack of security standards among cloud providers for delivering alerts, alarms and events to customers is causing too much pain. Microsoft Azure has Security Center, Google Cloud Platform has Command Center and Chronicle, IBM Cloud has QRadar, AWS has Security Hub. The lack of commonality between these security notification systems is causing a wall of worry that is pausing most from moving forward aggressively into the public cloud.
At ONUG, a few large enterprises have aggressively adopted the enterprise cloud approach as a business platform. They tell a cautionary tale, and it goes like this. When the number of controls they have to configure is greater than 200, they start to worry. When the number of sources feeding their data lake is greater than 500, they start to worry. When the number of cloud accounts and VPCs approach 3,000 and 5,000, respectively, they are worried. When the amount of data they receive from their cloud provider informing them of the status and state of all of the services they consume approaches 50 Terabytes per day, their operational staff is overwhelmed. They are in reactionary mode and don’t feel in control. They can’t answer the question, “are my applications safe?” This is a very uncomfortable place to be, and they start to throttle back cloud consumption.
As IT staff adopt multi-cloud strategies, they hit the wall of worry faster, thanks to the lack of security notification standardization between cloud providers and increased complexity. As every cloud communicates security alerts differently, with different vocabularies, definitions and syntax, it requires dedicated staff to understand and process this information. Organizational bloat starts to occur, and the number of tools they use starts to skyrocket. This staff depends upon a wide range of tools, such as SIEMs, to consume this data and deliver metrics that calculate and let them know whether they are still within the minimal viable security posture. That is, the point where they can relax. The problem is that most tool providers focus on one or two cloud providers, creating huge security visibility gaps across an enterprise’s consumption of multi-cloud services. This creates variability in their minimal viable security posture and quickly puts operational staff in that uncomfortable-feeling zone.
Yes, Splunk has its Common Information Model (CIM) that normalizes security log information across cloud providers. GCP has Chronicle, which normalizes security data to its “Unified Data Model” (UDM) for GCP and some AWS security data. AWS has its proprietary alerting format called AWS Security Finding Format. All provide APIs, some open, some not, through which tool providers can consume security alerting information. But none provide multi-cloud open security notifications for all cloud providers. These approaches are all proprietary, focus on one or two cloud providers and drive innovation only as fast as their engineers. It’s also a way for them to lock customers into their tools.
Having a common set of definitions, vocabulary and syntax for cloud security alerting would not only deliver the assurance enterprise consumers require, it would also unleash competition between tool providers and unlock innovation in this market. In short, it would create a marketplace to proactively manage multi-cloud consumption.
The good news is that the ONUG Collaborative is working on this problem, and the effort is called the Cloud Security Notification Framework, or CSNF. FedEx, Goldman Sachs, Cigna, JPMC, Microsoft Azure, IBM Cloud, GCP and others are working together to define the CSNF. This is not a hard sell to the cloud providers either, as CSNF certainly makes everyone’s lives easier and helps speed cloud security innovation.
CSNF is a big-tent effort; everyone can get involved. Think of CSNF like SNMP: we are creating, in essence, a common management information base around security alerts/events and alarms that will feed a wide range of tools and applications. CSNF is really about the cloud providers delivering greater cloud transparency and the tools to engage in a shared responsibility model.
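To make the idea of a common "management information base" for security notifications concrete, here is an added example (not code from ONUG, CSNF or any of the cloud providers named above) of the normalization layer that such a framework makes unnecessary for each tool vendor to build on its own. It maps findings from three providers onto one small provider-neutral schema and produces a single cross-cloud severity summary. The `CommonFinding` schema, the severity vocabulary and the `normalize_severity`, `normalize_all` and `posture_summary` functions are this example's own assumptions, not the CSNF specification; the AWS sample uses AWS Security Finding Format field names, while the Azure and GCP sample field names are assumed for illustration and all three records are constructed.

```python
from dataclasses import dataclass, asdict
from typing import Any, Callable

# Severity vocabulary of the common schema (this example's assumption, not CSNF's).
SEVERITY_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class CommonFinding:
    """Provider-neutral notification record (hypothetical schema, not CSNF's)."""
    provider: str
    account: str
    resource: str
    severity: str     # key of SEVERITY_ORDER
    category: str
    title: str
    observed_at: str  # ISO-8601 timestamp as supplied by the provider

def normalize_severity(value: Any) -> str:
    """Map a provider's severity spelling onto the common vocabulary.
    Unknown or missing values become 'informational' rather than being dropped,
    so a mapping gap stays visible in the summary instead of hiding a finding."""
    text = str(value or "").strip().lower()
    text = {"info": "informational", "moderate": "medium", "severe": "high"}.get(text, text)
    return text if text in SEVERITY_ORDER else "informational"

def from_aws_asff(raw: dict) -> CommonFinding:
    """Adapter for an AWS Security Finding Format (ASFF) document."""
    resources = raw.get("Resources") or [{}]
    return CommonFinding(
        provider="aws",
        account=str(raw.get("AwsAccountId", "")),
        resource=str(resources[0].get("Id", "")),
        severity=normalize_severity(raw.get("Severity", {}).get("Label")),
        category=(raw.get("Types") or ["Unclassified"])[0],
        title=raw.get("Title", ""),
        observed_at=raw.get("UpdatedAt") or raw.get("CreatedAt", ""),
    )

def from_azure_alert(raw: dict) -> CommonFinding:
    """Adapter for a Security Center style alert (field names assumed, not verified)."""
    return CommonFinding(
        provider="azure",
        account=str(raw.get("subscriptionId", "")),
        resource=str(raw.get("compromisedEntity", "")),
        severity=normalize_severity(raw.get("severity")),
        category=raw.get("intent", "Unclassified"),
        title=raw.get("alertDisplayName", ""),
        observed_at=raw.get("timeGeneratedUtc", ""),
    )

def from_gcp_scc(raw: dict) -> CommonFinding:
    """Adapter for a Security Command Center style finding (field names assumed)."""
    return CommonFinding(
        provider="gcp",
        account=str(raw.get("parent", "")),
        resource=str(raw.get("resourceName", "")),
        severity=normalize_severity(raw.get("severity")),
        category=raw.get("category", "Unclassified"),
        title=raw.get("category", ""),
        observed_at=raw.get("eventTime", ""),
    )

# One adapter per provider: this is the only code that has to change when a
# provider's native format changes; everything downstream reads CommonFinding.
ADAPTERS: dict[str, Callable[[dict], CommonFinding]] = {
    "aws": from_aws_asff, "azure": from_azure_alert, "gcp": from_gcp_scc,
}

def normalize_all(tagged: list[tuple[str, dict]]) -> list[CommonFinding]:
    """Normalize (provider, raw_finding) pairs; an unknown provider fails loudly."""
    out = []
    for provider, raw in tagged:
        if provider not in ADAPTERS:
            raise ValueError(f"no adapter for provider {provider!r}")
        out.append(ADAPTERS[provider](raw))
    return out

def posture_summary(findings: list[CommonFinding]) -> dict[str, Any]:
    """One cross-cloud view: counts per severity and the single worst finding."""
    counts = {name: 0 for name in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    worst = max(findings, key=lambda f: SEVERITY_ORDER[f.severity], default=None)
    return {"counts": counts, "worst": asdict(worst) if worst else None}

# Constructed sample inputs (not real findings). The AWS record uses ASFF field
# names; the Azure and GCP records use field names assumed for illustration.
SAMPLE_RAW = [
    ("aws", {"AwsAccountId": "111111111111", "Title": "S3 bucket allows public read",
             "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
             "Severity": {"Label": "HIGH"}, "UpdatedAt": "2021-05-01T10:00:00Z",
             "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]}),
    ("azure", {"subscriptionId": "sub-0000", "alertDisplayName": "Suspicious process executed",
               "severity": "Medium", "intent": "Execution", "compromisedEntity": "vm-web-01",
               "timeGeneratedUtc": "2021-05-01T10:05:00Z"}),
    ("gcp", {"parent": "organizations/123/sources/456", "category": "OPEN_FIREWALL",
             "severity": "CRITICAL", "eventTime": "2021-05-01T10:07:00Z",
             "resourceName": "//compute.googleapis.com/projects/demo/global/firewalls/allow-all"}),
]

if __name__ == "__main__":
    print(posture_summary(normalize_all(SAMPLE_RAW)))
```

The point of the design is where the per-provider knowledge lives: each adapter is the only place that understands one provider's vocabulary, and a severity value the mapping does not recognise is kept and surfaced as "informational" rather than silently discarded, so a new provider spelling shows up as a visible gap in the summary. With a shared schema such as the one CSNF is meant to provide, the adapters become the providers' responsibility and the operations team maintains only the summary side.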