By Jonathan Bregman, Sr. Product Marketing Manager, Prisma Cloud
Engineers love to build, and when it comes to cloud security, some DevOps teams try to cobble together their own solution from a combination of cloud-provided and disparate open source products. Before you invest too much time and too many resources into a DIY security project, here are some things to consider.
1. It Will Cost You More Money
If your goal is to save money, you need to ask yourself whether using siloed and basic security monitoring products will provide the necessary breadth and depth of security needed to keep your cloud environments secure. Data breaches today cost organizations over $4 million on average. This cost alone far exceeds the price of buying a production-ready, enterprise-proven solution.
Your operating costs will likely be higher too. Before building your own, estimate the cost of running everything you need. By the time you add it all up: database service costs, web and app servers, alerting, and so on, including development and support costs, the total will most likely far exceed a turnkey solution.
2. You’ll Waste Precious Time
Your technical resources are precious and scarce. If you’re considering building your own cloud security solution, you need to first think about the high opportunity cost of dedicating development resources to building out a tool vs. continuing to build out your own product. Before you start down this path, consider the following questions: Are you adding to your own company’s IP? Will the tool add differentiated value to your business? Is the cost of the tool more than what you could make by dedicating resources to building new features into your own product or business instead? Does your team have all the skills necessary to successfully build a complex security monitoring and alerting solution?
3. Don't Underestimate Long-Term Support and Maintenance
It seems like every year cloud service providers release several new security tools and capabilities. Simply put, it requires a full-time team just to understand what each one does and build the right API integrations. Then you need the underlying cloud security expertise to know what types of policies to build and how to process the cloud flow logs. How long will it take to update your tool when cloud providers update their APIs or introduce new services that your teams are using?
4. Can You Afford the Technical Debt?
Too often, internal tools are rushed and quickly patched together, which creates technical debt that will eventually need to be addressed. If you’ve decided to go down the path of building a new tool, keep in mind that your team will need to make the right design decisions to ensure the tool has necessary features to remain continuously available, resilient and secure. You will need to be prepared to avoid letting your timeline force you to make tradeoffs that create technical debt or push it down the road. The challenges of scale will creep into self-built tools as workloads increase in size and complexity. Is your team prepared to learn along the way when the security of the products and data collected is at risk?
5. Don’t Forget Multi-Cloud Support
Finally, it is rare these days for an organization to stay all-in with just one cloud provider. Regulators and developers often push their desire to move into multiple public clouds. Will your homegrown tool be able to support all clouds used by the various teams within your organization and in what time frame?
The Bottom Line
Be realistic about your cloud security goals. At first glance, cloud service providers offer an appealing menu of services that can, with enough time and resources, be woven together into a fairly comprehensive security solution. That said, does your organization have the time, expertise and reliable support required to begin on such a project? Can you wait months to years for it to be built out? No matter which path you choose – DIY or ready-to-launch – ensuring you have complete, continuous visibility is paramount to effectively managing your security responsibilities in the public cloud.
Learn more about how a comprehensive cloud security solution can help provide visibility and control over your users, apps and data.