CSA Survey Suggests Cloud Security Is Improving

New research suggests the overall state of cloud security continues to improve at a time when more organizations rely on multiple cloud service providers.

A survey of 1,900 security and IT professionals published this week by the Cloud Security Alliance (CSA) in collaboration with AlgoSec, a provider of network security tools, finds only 11% of respondents said they encountered a cloud security incident in the past year. The most common problems encountered were issues with a specific cloud provider (26%), security misconfigurations (22%) and attacks such as denial-of-service exploits (20%).

When asked about the impact of the cloud outages, more than a quarter of respondents said it took more than half a day to recover.

Despite growing confidence in cloud platforms, however, security remains a major area of focus. Top areas of concern include network security (58%), lack of cloud expertise (47%), migrating workloads to the cloud (44%) and insufficient staff to manage cloud environments (32%). In all, 79% of respondents noted some kind of issue involving IT staffing.

In the report, 52% of respondents reported they employed cloud-native tools to manage security as part of their application orchestration process, with half (50%) using orchestration and configuration management tools such as Ansible, Chef and Puppet. Less than a third (29%) said they used manual processes to manage cloud security.

Less clear, though, is who within the IT organization is responsible for cloud security. More than a third (35%) said their security operations team managed cloud security, followed by the cloud team (18%) and IT operations (16%). Other teams, such as network operations, DevOps and application owners, are all below 10%, the survey found.

John Yeoh, global vice president of research for the CSA, noted that responsibility for cloud security is evolving within most organizations. Despite higher levels of automation, most internal security teams are struggling to keep pace with the rate of change in cloud computing environments, he said. That rate of change is only going to increase as organizations start to employ a wider variety of cloud computing platforms, Yeoh added.

Of course, the biggest challenge organizations encounter in the age of the cloud is the issue of shared responsibility for cloud security between organizations and their cloud provider. Application developers that provision infrastructure-as-code tend to make assumptions about the level(s) of security offered by the cloud service provider. In reality, the cloud service provider only secures its own infrastructure. Responsibility for securing the rest of the environment resides with the organization that deployed the application.

Asher Benbenisty, director of product marketing for AlgoSec, noted that responsibility also extends to the network infrastructure organizations rely on to access those cloud services.

The CSA report suggests cloud security is, overall, in much better shape today than it was just a few short years ago. Cloud computing may have even reached the point where those platforms are more secure than on-premises IT environments. The challenge, now, is making sure the policies and processes required to keep those cloud platforms secure remain in place.

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 282 posts and counting.See all posts by mike-vizard