Keeping your cloud secure with the FinOps edge


GenAI adoption has significantly escalated the urgency of cloud security. PwC’s recent Cloud and AI Business Survey revealed that cloud computing budgets are on a steep rise, with only 5% of the companies surveyed reporting that they don’t yet use the public cloud. However, this surge in cloud spending is not without its risks, as major security breaches are also on the rise.

According to Thales’ latest Cloud Security Study, 44% of organizations have experienced a cloud data breach over the last year, with a third of breaches a result of misconfigurations or human error.

Amidst these challenges, businesses are in dire need of a solution that can bolster their cloud security without draining resources that could be invested in AI development. Could FinOps be the long-awaited answer that organizations have been searching for?

Sheldon Lachambre

Seasoned Engineering leader with over 20 years of experience. He has managed teams of up to 150 people globally and specializes in helping startups scale effectively.

Going beyond the numbers

It's difficult for businesses to manage the data being processed by the cloud without a clear strategy. FinOps is a way to approach your cloud security while managing cloud costs, ensuring that cloud usage is cost-efficient and free of waste. Bringing together security, engineering, and financial teams, it defines new ‘best practices’ for organizations to work from.

The variable spending model of the cloud can soon spiral out of control, which is where the financial accountability of FinOps comes into play. But while it hinges on cost optimization, it also brings a wealth of benefits for cloud security.

One of FinOps's central tenets is resource management — comprehensive resource reviews are the best way to identify unused or overprovisioned cloud resources. Addressing these doesn’t just save budgets; it also eliminates security risks that could leave organizations vulnerable. Closing down or folding these workstreams into more robust cloud resources vastly reduces the potential attack surface for threat actors, improving overall security hygiene.

When looking more widely at FinOps, the overarching theme is accountability. This can be financial, but it naturally translates into security. FinOps demands that engineers be transparent, aligning their spending with the wider business strategy. This visibility brings financial benefits but also supports security teams, who can track spend and resources down to specific owners, making it easier for security policies to be enforced.

Furthermore, it encourages tracking data, making unauthorized cloud usage that could indicate a breach more visible. This accountability also optimizes multi-cloud management: with all moving parts accounted for, environments can be managed more efficiently, decreasing the risk of misconfiguration.

The FinOps approach is not just a technical solution, but also a cultural transformation tool for organizational security. The cross-team collaboration it fosters puts accountability at the core of an organization. By ensuring that finance, engineering, and security all work closely together to promote a ‘FinOps first’ approach, the organization guarantees that security is carefully considered in all cloud architecture decisions.

Also, with cost accountability embedded in an organization's culture, individuals are incentivized to follow best practices to ensure their resource responsibilities are not wasteful or a security weak point.

Putting theory into practice

With this in mind, it’s worth noting that how you implement the FinOps approach is crucial to reaping its full rewards. It needs to be introduced step-by-step to become ingrained in organizational culture. This has to start from the base by establishing a cross-company FinOps team.

By including all teams, organizations can ensure equal weighting for competing priorities and that siloed decision-making doesn’t pose security risks or run up costs. Organizing teams this way vastly reduces the likelihood of misconfiguration and, by proxy, unnecessary expenses.

In practical terms, the work of this internal FinOps group could be varied. For instance, embedding cost management tools alongside security monitoring tools is a great baseline to ensure they don’t exist in a vacuum, and both readings are evaluated together.

Enforcing resource tagging is also good practice, as it enables cost tracking and the quick identification of security risks. It is also sensible to set up budget alerts that detect cost anomalies, which often accrue when threat actors exploit security vulnerabilities, as in the case of cryptojacking.

These pre-emptive measures should be used alongside automation. By using policy-as-code tools, organizations can automate some aspects of the governance of security and costs. This could be done by setting limits on resources to prevent overprovisioning, applying least-privilege security access as a standard, or mandating encryption and secure configurations across cloud workloads.
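The tagging, budget-alert and policy-as-code measures described above can be evaluated together in one pass over a resource inventory. The following is an added example, not code from the article or from any FinOps tool; the inventory is constructed, and the tag names, vCPU limit and spike factor are assumptions chosen for illustration.

```python
from statistics import median

REQUIRED_TAGS = {"owner", "cost-center"}   # assumed tagging standard
MAX_VCPUS = 16                             # assumed overprovisioning limit
SPIKE_FACTOR = 3.0                         # latest day vs. trailing median

# Constructed inventory: daily_cost is spend per day in USD, oldest first.
INVENTORY = [
    {"id": "vm-web-01", "tags": {"owner": "team-web", "cost-center": "cc-101"},
     "encrypted": True, "vcpus": 4, "daily_cost": [12.0, 11.5, 12.2, 11.9, 12.1]},
    {"id": "vm-batch-07", "tags": {"owner": "team-data", "cost-center": "cc-204"},
     "encrypted": True, "vcpus": 8, "daily_cost": [20.0, 21.0, 19.5, 20.5, 96.0]},
    {"id": "vm-test-old", "tags": {}, "encrypted": False, "vcpus": 32,
     "daily_cost": [40.0, 40.0, 40.0, 40.0, 40.0]},
]

def cost_anomaly(daily_cost, factor=SPIKE_FACTOR):
    """True when the latest day exceeds factor x the median of earlier days."""
    if len(daily_cost) < 4:          # too little history for a baseline
        return False
    baseline = median(daily_cost[:-1])
    return baseline > 0 and daily_cost[-1] > factor * baseline

def evaluate(resource):
    """Return the list of policy violations for one resource."""
    findings = []
    missing = REQUIRED_TAGS - set(resource["tags"])
    if missing:
        findings.append("missing-tags:" + ",".join(sorted(missing)))
    if not resource["encrypted"]:
        findings.append("unencrypted")
    if resource["vcpus"] > MAX_VCPUS:
        findings.append("overprovisioned")
    if cost_anomaly(resource["daily_cost"]):
        findings.append("cost-spike")
    return findings

def report(inventory):
    """Map resource id -> (owner or 'UNOWNED', findings) for violators only."""
    out = {}
    for r in inventory:
        findings = evaluate(r)
        if findings:
            out[r["id"]] = (r["tags"].get("owner", "UNOWNED"), findings)
    return out

if __name__ == "__main__":
    for rid, (owner, findings) in report(INVENTORY).items():
        print(f"{rid} -> {owner}: {', '.join(findings)}")
```

An untagged resource surfaces as `UNOWNED`, which is the case where neither the cost nor the security finding can be routed to anyone, so it is worth treating as the highest-priority result.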

But consistency is key

The last and most important step is to ensure that these FinOps principles are consistently applied, monitored, and optimized. If applied continuously and efficiently, the FinOps approach brings significant cost and security benefits. Regular reviews of cloud usage are essential, consistently eliminating inefficient cloud resources and boosting overall security hygiene simultaneously.

Not only does it help organizations avoid unnecessary costs, but it also addresses security vulnerabilities immediately, providing ongoing reassurance of the system's robustness. Ultimately, relying on FinOps is not just a strategy, but your best bet against the many cyber adversaries. It's a comprehensive approach that not only manages costs but also enhances security, making your organization more resilient and secure in the face of evolving cyber threats.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
