It’s people that matter: cloud security compromised by failure to cooperate

Headlines on relationships often escape tech media. ‘Communication failure,’ however, applies outside the digital world too. As recent research shows, failure to cooperate causes a trove of problems from security issues to business-level issues. Why? Local and cloud teams find it hard to understand each other.

Fueled by over a year of in-home working, businesses rush to the cloud. With decision-makers in major economies seeing cloud adoption as necessary, a smooth transition is as important as ever.

However, a recent report by Enterprise Management Associates (EMA), an IT and data management firm, and BlueCat Networks shows that as few as 28% of companies are fully satisfied with the benefits from their cloud investments.

EMA’s report claims that networking between different teams is the sticking point as companies fail to integrate cloud teams with traditional network infrastructure at different levels, be it design, implementation, or operation. 

Professionals interviewed for the survey claim that issues with DNS or IP addressing can add a whopping five years to a multi-million-dollar project’s timeline. Lack of collaboration is pointed to as a crucial cause for such issues.


Security concerns

A survey of over 200 networking and cloud professionals shows that a staggering 74% of enterprises have experienced security and compliance issues due to insufficient collaboration between local and cloud teams.

Even though security-related downtime and compliance violations are the most frequent security-related problems, somewhat worryingly, 26% of companies experienced data leaks or data theft due to compromised network transition.

As the report indicated, the true scale of such cases is likely far greater since security-related issues are communicated on a need-to-know basis.

A network architect described to EMA an issue he experienced at a $120 billion bank when the network team and cloud team failed to collaborate. A problem was discovered when a penetration tester found issues in the cloud previously thought secure.

Operational issues

Researchers claim that hindered communication resulted in 89% of enterprises experiencing IT issues and 82% suffering from business-level problems caused by failure to integrate different companies. The most common issues were application and service problems and end-user productivity loss.

Interestingly, the strain from the lack of collaboration also led to issues with talent retention. As one of the respondents working for an $18 billion financial services company told EMA, time constraints push people towards bad decisions while complicated systems are increasingly difficult to manage.


One of the respondents noted that even if the upper management is entirely on board with cloud adoption, going down a tier or two paints a clearer picture. Managers are unwilling to employ new modes of operation. That does not necessarily translate to ill intentions but to people sticking to what they know best.

According to Andrew Wertkin, an expert in cloud tech and CSO of BlueCat Networks, unintentional animosity stems from a history of relationships within the industry. We sat down to discuss the origins of the broken relationship and how to fight it.

Over two-thirds of companies report having security issues over fractured collaboration. What sort of security concerns over cloud adoption do companies need to consider? 

Some of it is just a lack of common processes. Sometimes, it’s governance when there are too many people with their hands in their pot. And one person makes one small change and inadvertently creates a public endpoint to a file, and the world goes nuts. So there have been naive issues, meaning things that never would have happened with the common methods of governance. 

I think collaboration is a huge part of that. This is an area where you see a lot of enterprises combining traditional IT practitioners and security practitioners. There used to be two completely separate organizations, and the security team was governing what was being done by the infrastructure teams and the application developers. But the difference with the cloud is the toolsets, and the capabilities aren’t necessarily distinct. So there’s a real blending of network and security. 


The report shows many problems are related to an inability to cooperate. It’s an obvious question, but why is that? I mean, why can’t teams cooperate? How does this sort of process happen in the first place?

Part of it’s just the history. Many of these cloud teams started working outside of the central technology organization with an assumption that if they do stuff in the cloud, they can do it faster. In other words, somehow, central services work too slow, and meeting the requirements around governance, compliance, and security was a hindrance.

We can do stuff better in the cloud, and many companies have moved beyond that, but I think that was the beginning of this. That led to interpersonal issues and, in some cases, a lack of respect or even not wanting to work with each other.

Over time, some companies on version four or version five of their cloud architectures stopped speaking to the central team, trying to understand the cloud requirements. Step two was a separate central organization that was responsible for the cloud domain. But the root cause was they started separate and with an assumption that they can get stuff done faster.

And if you take all of the restraints off of app developers, they can do stuff faster. That doesn’t mean it meets the broader requirements, though. Anybody can do something faster in a sandbox. 

That doesn’t mean it scales, that doesn’t mean it’s secure, that doesn’t mean it meets the overall organizational requirements. To some extent, this represented avoiding corporate requirements. So, in other words, you might have met your user requirements, your functional requirements, but you’re not going to meet your nonfunctional requirements.


The report emphasizes a unified approach and collaboration. And I was wondering why is that? There’s a lot of focus on human collaboration, which implies there’s no problem with the technology but with interpersonal relations between different teams within a single company. And I was wondering whether the actual problem lies within the technology itself rather than people?

The reality on the technology side is that you can’t apply the methods and technology you’ve been applying in the sort of on-premise domain to the cloud and expect it to work. And conversely, you can’t take what you’re doing in the cloud and apply it on-premises and expect it to work. Different architectures solve different requirements. 

And the fact that we’re going to have different sub-architectures and these different domains meeting the exact requirements leads people to believe that they can do it separately. Bringing these teams together and creating collaboration requires a sort of mutual understanding since you’ve got different skill sets on both sides. There needs to be a common understanding of how requirements bubble up to meet the overall requirement, for instance, around security.

People’s issues tend to make collaboration harder, is what we found out. You’ve got a set of experts working in their domain, and perhaps they don’t have enough respect for the knowledge of the group of experts in a different domain. And that’s just a people thing. People’s collaboration is essential because this doesn’t mean the cloud team will do everything the way the on-premises team wants them to. And it doesn’t mean that the cloud team’s going to do whatever the hell they want.

The last time we talked, we concluded that this transition to the cloud is inevitable. And apparently, all teams will have to manage this. And I was wondering, how do you see this happening? If there’s a massive problem of teams unable to collaborate, how can businesses solve it?

We’re starting to see that collaboration, and part of that is just reorganization. There needs to be somebody responsible for the overall architecture and the overall security posture of the organization from a technical level, driving the collaboration across the team. 

The touchpoints need to be early in the planning stage. And the teams could go in their own directions on the build stage, as long as they are governed by that overall planner or architecture. That seems to be what those that are having success are pushing on. Cloud teams are embedded in this digital business, but there’s the appropriate executive-level governance across the teams so that people don’t just go off and work in a non-collaborative way.

In the world of the cloud, it is so easy to adopt a service because it works. But if you roll yourself into a potential downtime or disruption, how do you mitigate this on-premises? It might be a long testing QA process and more processes to back out the change. If it works – fantastic. But one of those small changes can create massive disruptions.

The point I’m trying to make over and over again is that it’s a mistake to think that collaboration means one side of this divided world is right and the other one’s wrong. It has nothing to do with right or wrong and has everything to do with taking the wealth of experience on both sides and determining the best architecture and best practices to meet our overall objectives on both sides.
