A survey published today found well over half (59%) of respondents believed that moving to the cloud has made their enterprise less secure. The survey, conducted by CloudBolt Software, a provider of an IT automation platform, polled 350 IT leaders from large enterprises with more than 5,000 employees. It revealed that well over three-quarters (79%) of respondents also questioned whether their companies are applying consistent levels of cloud security policy enforcement.
More than two-thirds (68%) said their organizations’ security skillsets across all clouds were only somewhat mature. Another 20% described their skillsets as being relatively neutral.
Nearly three-quarters of respondents (72%) admitted their organizations moved either to the cloud or multi-cloud environments without properly understanding the skills, maturity curve and security complexities involved. Over half (56%) also noted a lack of multi-cloud and cloud security expertise and resources, while 48% cited operational complexity and multi-cloud support as key concerns.
Overall, three-quarters of respondents (75%) described cloud computing as the single greatest expansion of the enterprise attack surface in the last 20 years.
CloudBolt Software CEO Jeff Kukowski said the way cloud computing environments are provisioned is at the root of most of those security concerns. Developers with little to no cybersecurity expertise typically provision cloud resources and then deploy applications with little to no cybersecurity protections. The fact that mistakes are made is all but inevitable, he noted.
In contrast, most on-premises application deployments are handled by a centralized team that typically reviews settings for misconfigurations, said Kukowski. The only way to provide that same level of cybersecurity assurance in the cloud is to rely on automation platforms that limit the number of mistakes, he added.
On the plus side, the survey also clarifies that organizations are more focused on cloud security issues. Well over three-quarters of respondents (79%) said they believed that their organization’s board of directors and executive teams have demonstrated that they are willing to do whatever is necessary to ensure that cloud computing is secure. A full 83% also expressed confidence in their CISO to achieve that goal.
Still, the survey suggests organizations have a long way to go before cloud computing platforms become secure. Only 8% of respondents said they had implemented highly operationalized cloud security practices when spinning up new compute resources and environments. Only 6% said their companies automatically build security into every workload up front and orchestrate processes across every cloud so that developers don’t have to worry about it.
Even fewer (3%) said their organization consistently leveraged immutable infrastructure as a security measure through which cloud resources are automatically destroyed and rebuilt every set number of days.
Arguably, cloud security issues today have more to do with a cultural divide between cybersecurity teams and application developers within organizations. That divide has widened ever since the first cloud resource was programmatically spun up more than 10 years ago. The challenge now is finding a way to bridge that divide without materially impacting the rate at which new applications are deployed and updated in the cloud era.