Race to Cloud Continues Despite Security Concerns

After a year of shifting to the cloud at a dizzying pace, the trend shows no sign of slowing down. Organizations continue the shift to complex cloud environments, though many find providers’ native security controls fall short of their needs.

More than half of the organizations surveyed for the State of Cloud Security Concerns, Challenges and Incidents report from the Cloud Security Alliance (CSA) and AlgoSec run 41% of their workloads in a public cloud, an uptick from the 25% that were running about the same portion of their workloads in public clouds. The report maintains the continued upward swing is bolstered by the increase in remote workers that started last year.

Valtix CEO Douglas Murray doesn’t see cloud adoption slowing any time soon. “In 2020, spend on public cloud infrastructure exceeded on-prem for the first time,” he noted. “It is clear the cloud has won and is now achieving escape velocity.”

Damon Dean, chief product officer at OneLogin, called the results “entirely consistent” with what his company has seen – “a dramatic increase in customers developing cloud-first or even cloud-only workforce deployments.”

The report’s findings indicate that a lot of organizations are still using legacy and hybrid environments, and are seeking to establish uniform controls across the various environments. For example, about half of those surveyed said they were using virtual iterations of firewalls from third-party vendors as their network security controls. Nearly three-quarters, or 71%, are using additional security controls from cloud providers, a notable jump from the 58% reported in 2019.

“We see ‘the bookends’ here,” Murray said, pointing out that some organizations “are adamant about selecting cloud-native offerings from the CSPs and emerging vendors, while others try to adopt virtual versions of their on-prem provider of choice.”

The choice is likely to depend on who’s doing the deciding. “The less glamorous reality is that cloud admins are more likely to use native cloud controls and security teams are more likely to use their existing current security infrastructure. It is what they know,” said Chris Morales, CISO at Netenrich. The “already there variable” likely exerts influence, as well.

“Organizations already have an existing license with a current security vendor, and adding virtual firewall appliances to cloud infrastructure is the path of least resistance and cost to the security team,” Morales said.

In reality, of course, the public cloud is different from a traditional data center. “The number-one concern noted in the report was network security,” Murray said, so this is front of mind for companies migrating to cloud.

The findings are “positive news,” said Trevor Morgan, product manager at comforte AG, but, he warned, “the assumption that somebody, somewhere else, is handling cloud data security often leads to catastrophic results, including some well-publicized incidents and breaches over the past few years.”

Even though basic security controls are included with cloud services, organizations often learn a hard truth: that “cloud service providers aren’t responsible for their customers’ data security,” Morgan said.

He expects that as more businesses “become aware of their responsibilities with data privacy and of the potential risk involved in security complacency, they will begin proactively to ask the right questions and seek the best methods for securing their own data in the cloud.”

The research also showed that supplementing the workforce is top of mind for more organizations as they select security tools. Work from home requires them to support workers in a complex environment, and many security teams are short-staffed and lack knowledge of the cloud. Three of the top four benefits organizations are seeking from their security management tools center around proactively detecting risks and automation.

“These types of tools can supplement the challenges many organizations are experiencing with lack of expertise (47%) and staff (32%) as well as improve visibility as they move toward an ever-changing cloud environment,” the CSA report said.

“It is an inevitable scenario of tools built for a workforce of skilled technical staff that simply does not exist in the volume necessary to leverage those tools,” Morales noted. He added that “with limited people to perform what is an overwhelming volume of labor, optimization and efficiency become a higher priority in tool selection.”

But even with “intelligent” tools meant to reduce workload, “there is still, at some point, the need for human decision making,” he said, explaining that the best AI still lacks the ability to think as analytically and creatively as human analysts do. “Security is half science and half art,” Morales said, especially when it addresses incident resolution and critical decision making. He advocated a blend of automation and human analytic thinking.

Organizations bent on cloud should adopt a different mindset and strategy for security, said Confluera CEO John Morgan, since the pace of application and network deployment “is much higher with ephemeral workloads and infrastructure-as-code in the cloud.” Security tools and processes must change to keep up with that pace, he said, and added that “the strategies involved require security to be inserted into a shift-left and runtime security model; with more emphasis on build and deployment-time security than was seen in the past.”

Yves Audebert, co-CEO and co-founder of Axiad, advised first considering how to combat the root cause of those security risks in the cloud. “Utilizing mutualized systems can be beneficial, but can be increasingly dangerous when you’re managing all your credentials from a mutualized cloud platform,” Audebert said. “If a hacker gains access through host-jumping to your credentials, it’s game over.”

And Morales warned against “viewing the attack surface as silos based on deployment model.” That, he said, “is a fallacy that creates gaps in coverage.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a master’s degree in journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.