Cloud Security Tool Sprawl Draining IT Teams

Cloud security management issues are increasing the flood of false positive alerts and missed critical issues and contributing to higher burnout rates for IT teams.

These were among the findings of an Orca Security survey of 800 IT professionals across five countries and 10 industries, which revealed more than half (55%) of respondents use three or more cloud providers and 57% have five or more cloud security tools.

The overload of alerts, combined with widespread inaccuracy (43% say more than 40% of their alerts are false positives), is contributing not only to turnover but also to missed critical alerts.

Cloud Security Alert Fatigue

More than half of respondents (55%) said their team had missed critical alerts in the past, sometimes daily, due to ineffective alert prioritization.

“Disparate tools not only create duplicate alerts for the same issue, but they also don’t have insight into the bigger picture, which makes it close to impossible for them to effectively prioritize risk,” explained Avi Shua, co-founder and CEO of Orca Security.

Shua said learning how to distinguish between alerts that do not need immediate attention and those that do requires a considerable amount of skill and experience and is a time-consuming and tedious task.

“With cloud security alert fatigue leading to burnout and turnover, security teams that are already understaffed will increasingly suffer, resulting in desensitization and critical alerts being missed,” he said. “This will inevitably lead to weakened cloud security postures that open the door to potential data breaches.”

The survey found alert fatigue caused burnout, turnover and internal friction. Nearly two-thirds (62%) of respondents said alert fatigue has contributed to turnover, and six in 10 said alert fatigue has created internal friction.

Work Smarter, not Harder

John Morgan, CEO at Confluera, a provider of cloud extended detection and response (CXDR) solutions, said cloud security teams will have to work smarter, not harder.

From his perspective, investigating each and every security alert in a timely manner is simply not feasible as organizations accelerate cloud and multi-cloud adoption.

“Without a new approach, security teams will miss events and alerts that are part of a bigger threat until it’s too late,” he said. “As organizations embark on multi-cloud adoption, they have an opportunity to revisit tools and processes to enable their security teams to work more efficiently.”

He added that understanding the nuances of each cloud service, training on multiple security tools with varying degrees of security coverage and simultaneously enforcing consistent security policies across the entire network is a tall order for any security team.

“Rather than addressing security from the cloud service up, take a top-down approach and define policies and processes that support the business and employ the necessary security solutions that can support it,” he said. “This seems like common sense but it’s often difficult to execute, especially when there are already various security tools and policies in place.”

Gadi Naveh, cyber data scientist at cybersecurity startup Canonic Security, pointed out that cloud environments are becoming increasingly composable.

This enables users to connect thousands of third-party apps and add-ons across multiple interoperable cloud application platforms with limited security controls or governance policy checks.

“This creates an unmanageable workload to vet the applications, establish usage policy and set the right controls for each app,” he said. “The constant flood of alerts desensitizes teams into a false sense of security and erodes the value of alerts that require remediation. Over time, this makes it virtually impossible to adopt a culture of urgency with measurable results.”

Vishal Jain, co-founder and CTO at Valtix, a provider of cloud-native network security services, agreed. As the survey suggests, he explained, enterprises have realized that preventing a constant deluge of security alerts requires consolidating the tools used across clouds.

From his perspective, consolidation should happen not only for visibility and to allow “good” alerts to be found, but also for the ability to quickly apply the “right” protection mechanisms across multiple clouds once exposure is found.

In a multi-cloud context, it can be very challenging to determine where to apply selected controls. Because each cloud has its own tools, security tool configuration must be decided separately for each cloud, which complicates the change management process and drives security team fatigue.

“The ideal scenario for enterprises would be to use consolidated, multi-cloud security platforms that simplify the underlying task of managing security in the clouds while connecting visibility to the protection of workloads,” Jain said. “In addition to driving workflow efficiency, these platforms enable a greater level of automation that can reduce needless alerts and manual efforts.”

He said the key to successful cloud security is overall visibility with context across clouds.

“Visibility alone is not enough, however. Visibility helps drive the protection of vulnerable cloud resources in a standardized manner across clouds,” he said. “Unfortunately, most organizations struggle with this aspect today as security is often built to be cloud-specific, which takes an army of people to manage.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
