Uncovering the True Costs of Cloud (security) and Compliance (Series 2)

In our previous article, "Cost of Compliance and Security in the Cloud - A Scam or Visibility!" we delved into the challenges organisations face when striving for security and compliance in a cloud environment. Today, we'll continue our exploration, shedding light on the intricate web of costs that come with cloud security and compliance. Are these costs justified, or is there more to the story than meets the eye?

The Price of Progress

Over the past few weeks, we embarked on a mission to implement a staggering 710 security and compliance controls across seven key standards relevant to public cloud environments. Our aim was precise: achieve an 80% compliance rate, a significant leap from the initial 15% we started with. However, as we progressed towards this goal, we uncovered some unsettling truths about the costs involved.

Costliest Services - Beyond Computing and Storage 

One might assume that the primary costs in the cloud are tied to computing and storage. However, as compliance percentages rise, the landscape shifts. Shockingly, a significant 40% of our total costs were attributed to threat prevention services and monitoring. Is it possible that cloud providers exploit an organisation's vulnerabilities for profit?

 Network Security: A Cloud Conundrum 

The cloud offers unparalleled flexibility, but network security remains a daunting challenge. Adhering to cloud policies for network security can lead to a staggering 200% cost increase. It begs the question: Is the convenience of the cloud worth this financial burden?

 The Soaring Costs of Security 

As we journeyed towards an 85% compliance score, we encountered a startling revelation: our cloud services costs escalated by a jaw-dropping 300%. At this stage, security became the elephant in the room, dominating the expense sheet.

 The Power of Identity and Access Lifecycle 

Amidst the turmoil of escalating costs, we identified a beacon of hope. The most impactful security controls, those with the potential to thwart ransomware and data leaks, revolved around identity and access lifecycle management. These controls were not only practical but also relatively easier to implement.


 Comparing Standards: A Surprising Discovery 

We also compared various security standards, including SOC-TSP, NIST-SP-800-53-R5, ISO-27001:2013, Azure-Security-Benchmark, Azure-CIS-1.3.0, PCI-DSS-3.2.1, and NIST-SP-800-53-R4. Surprisingly, the Azure security benchmark emerged as the easiest to implement, primarily promoting Azure service consumption. Achieving 90% compliance with NIST R4 controls translated to roughly 60% compliance with ISO-27001 despite ISO having fewer controls.


 The Hidden Costs of Monitoring and Logging 

Another eye-opener in our journey was the hidden costs of monitoring and logging in the cloud. Cloud vendors structure their findings to promote their services, often leading to increased expenses. They also charge for data logging, log movement, and overall network usage. This practice raises questions about transparency and fairness in cost structures.


 Network Challenges and Cost Escalation 

Cloud vendors can impose private endpoints, further complicating network security and increasing costs. Compliance, even a seemingly small increase from 80% to 88%, can lead to a 33% rise in expenses. To meet these stringent compliance requirements, we found ourselves compelled to invest in reserved instances for three years, covering almost all Compute resources. However, the actual cost and licensing per core remained elusive and non-transparent.


Stay curious and apprehensive :

In conclusion, our journey through the complexities of cloud security and compliance uncovered a few critical lessons. Organisations must exercise caution regarding costs, refraining from blind trust in cloud provider scores and recommendations. Establishing a dedicated governance team that weighs the delicate balance between cost and security impact is essential.

As you navigate the intricate world of cloud security, remember that understanding the actual costs is the first step towards informed decision-making. For expert guidance on approaching security policies in major public cloud service providers, don't hesitate to contact Aristiun for a free consultation on reducing security costs or optimising. Stay tuned for more insights into the ever-evolving landscape of cloud technology and its implications for your organisation's security and financial well-being.