As tech companies continue to lay off employees and cut budgets, data center managers will have to figure out how to get the most bang for their buck when securing cloud environments.
Even the largest companies are slashing costs. For example, Meta announced a $4 billion cut in February, which included data center budget cuts.
IT budgets are either flat or falling, said Juan Orlandini, CTO at Insight North America. “What we are seeing as a general trend is more scrutiny on the current spend levels.”
Meanwhile, the security demands are higher than ever. According to a recent survey by computer and network security company Coalfire, 53% of security executives say that an expanded attack surface created by cloud migration is their biggest security concern.
And Check Point Research reports a 48% year-over-year increase in cloud-based cyber-attacks in 2022.
The threats are growing faster than companies can keep up, said Holger Mueller, vice president and principal analyst at consulting firm Constellation Research.
“You have to be a $5 billion or larger sized enterprise to afford the security team to stay on top of threats,” Mueller told Data Center Knowledge.
Flat security budgets are hurting data center managers’ ability to defend their cloud infrastructure, said Nigel Gibbons, associate director and senior advisor at security consultancy NCC group. They’re facing security breaches, downtime, inability to meet compliance requirements, and staffing challenges.
But there are ways to maintain, or even improve cloud security, without significantly increasing costs.
There are some obvious solutions that most companies are already doing. For example, second-tier cloud providers and colocation services can often offer better deals if their use cases meet your requirements. Automation is helping many data center managers reduce their cloud security costs as well, especially if they learn the tools that are provided as part of their cloud hosting provider’s service. And upskilling existing employees can help companies reduce the cost of finding new, experienced cybersecurity staff.
But there’s a lot that data center cybersecurity teams can do to gain more return on their cybersecurity investments by focusing on core issues. That includes prioritizing spending based on risk and carefully eliminating redundancies.
Risk-based prioritization
Data center managers should identify the most critical security risks and prioritize security measures accordingly, said NCC Group’s Gibbons.
“Focus on securing the most important data and applications first, and allocate resources where they are most needed,” he said.
This can be a less expensive way to improve security since you’re focusing on the biggest risk reduction opportunities first.
But in the long term, it can lead to a short-term focus on ad-hoc solutions that might not be part of a bigger security strategy and could end up making security worse.
Another way to prioritize is based on long-term security needs.
For example, the single biggest cloud security challenge today for data center managers is the move to zero trust, said Dion Hinchcliffe, VP and principal analyst at Constellation Research.
Switching to zero trust is expensive, and so is maintaining the zero trust posture afterwards.
“All of our networks are designed to be open by default,” he told DCK. “That’s the exact opposite of zero trust.”
Switching everything over could take years, but government requirements and customer demand make it imperative. “It’s the 800-pound gorilla running around security,” he added.
There are a lot of up-front expenses and enterprises might be forced to migrate to different cloud providers or use expensive third-party add-ons to move to zero-trust.
“The public clouds were never designed for zero trust,” said Hinchcliffe. “And it’s their code, not yours. You can’t control those machines, so you can’t make some of their things ever be zero trust.”
And when it comes to third-party security providers, he said, the general rule of thumb is that the more you spend, the better they are.
Then, once a data center’s cloud environment is operating on zero trust principles, there will be ongoing costs to maintain that level of security.
“You’re essentially trusting nothing on the network,” he said. “You're constantly re-authenticated, which actually creates a lot of new cloud traffic.”
But data centers don’t need to move everything to zero trust at the same time.
They can start with the highest-value systems and data, secure those, and then move on to the rest as time and budgets allow.
This creates the best of both worlds — you’re prioritizing the highest-value security projects, while keeping long-term security strategies in mind.
Get rid of redundancies
When faced with tight budgets, a company needs to make sure it isn’t paying for too many tools or services.
Organizations often have multiple tools which overlap to some degree or another, and those could be reduced in number, said Insight’s Orlandini.
“It’s likely that reducing the number of tools will also free up budget that can be re-invested in training or better implementation of the remaining tools,” he said.
Some amount of overlap might be necessary, but it’s important not to take it too far.
Overlapping isn’t necessarily bad, said Ian Grobel, managing director, technology transformation practice at Ernst & Young.
“But some enterprises take it to a ridiculous degree,” Grobel told Data Center Knowledge. “Wearing two sets of suspenders and three belts only increases your complexity.”
There is also the SaaS evolution of the old “shelfware.” Back in the day, when companies would buy expensive enterprise software packages, they were often too complicated to install, and would therefore sit on a shelf until people got around to actually using them. Sometimes, nobody ever did.
Today’s variant, said Grobel, is that companies sign up for SaaS tools, identity-as-a-service platforms, or other services — then use only 10 or 20 percent of their capabilities.
By learning how to use the other features of the technology they’re already paying for, companies will, in effect, be getting more security for free.
In particular, many companies don’t pay enough attention to what their cloud providers are offering, especially when new tools are being rolled out all the time.
“I think that a lot of enterprises don’t exploit enough of the hyperscaler-provided tooling that is out there,” he said. Instead, they turn to outside vendors to provide the same services, paying money for features they could have gotten at no additional cost or for a comparatively small upgrade fee.
Due especially to the cloud providers' access to security data, they are very well positioned to offer AI and automation tools for things like security reviews and vulnerability scanning, he said.
And if they don’t offer it yet, they soon may. So, by the time a company goes through a vendor selection process, does the trials, installs the new security technology and integrates it with their systems, their cloud provider’s service may be ready for use.
