Survey Surfaces Raft of Cloud Security Challenges
A survey of 154 North American IT and security decision-makers conducted by Forrester Consulting on behalf of Sonrai Security and Amazon Web Services (AWS) published today found 96% of respondents acknowledged their organization faced security incidents in the last 12 months; 98% of them involved identity-related security challenges.
The top issues reported are an internal incident involving a public cloud (54%), compliance or regulatory sanctions (54%), an attack involving third-party partners (49%), data loss because of cloud misconfigurations (49%) and an external attack (47%).
More than half of respondents (56%) also said machines and other identities not attached to individuals are out of control in the cloud. A full 82% said they expect to have invested in cloud infrastructure entitlement management tools and platforms to address this issue by next year, with nearly three-quarters (74%) reporting that cloud migration requires a different approach to identity access management (IAM). A full 79% said increased cloud migrations will require new security solutions.
Overall, the survey found organizations are employing an average of six tools to secure their clouds today. The most widely employed tools include analytics and threat intelligence (55%), identity governance and entitlement (55%), key management (53%), threat monitoring (52%), security controls provided by a cloud service provider (51%) and cloud access security brokers (50%).
Significant security challenges include legacy tools that don’t integrate well with dynamic cloud environments (45%), overly complex access control policies (40%), regulatory compliance (40%), visibility (40%) and overprivileged users (40%).
Eric Kedrosky, CISO for Sonrai Security, a provider of tools for identifying cloud security issues, said it’s apparent cloud security issues are becoming more challenging to attain and maintain as the number of workloads deployed continues to increase. The survey found two-thirds of respondents (66%) have deployed customer-facing applications in the cloud. A nearly equal percentage have also deployed internet of things (IoT) applications (62%), databases and systems of record (62%), middleware (60%) and containers/serverless platforms (60%). As the attack surface that needs to be defended continues to expand, cloud security only becomes more difficult, noted Kedrosky.
It’s not likely that the rate at which applications are being deployed in the cloud will slow down, so it falls to security teams to find ways to secure those environments without disrupting applications, he added. More than three-quarters of respondents (76%) also noted that right-scaling is a critical part of any successful cloud strategy.
The root cause of most cloud security issues are developers that have little to no cloud security expertise. Odds are good a developer will make a security mistake when they provision cloud infrastructure. Cloud service providers are only responsible for securing their infrastructure. It’s up to each organization to both securely configure that infrastructure and remediate any vulnerabilities that might be lurking within an application workload. In theory, more responsibility for securing cloud applications is shifting left toward application development teams, but it may take years for developers to master the DevSecOps best practices required to achieve that goal. In the meantime, it’s up to security teams to make sure that the overall cloud environment is secure.
