Light Dark
April 9, 2019 By Kacy Zurkus 3 min read
Cloud Security

As more companies migrate to the cloud and expand their cloud environments, security has become an enormous challenge. Many of the issues stem from the reality that the speed of cloud migration far surpasses security’s ability to keep pace.

What’s the holdup when it comes to security? While there’s no single answer to that complicated question, there are many obstacles that are seemingly blocking the path to cloud security.

In its inaugural “State of Hybrid Cloud Security” report, FireMon asserted that not only are cloud business and security misaligned, but existing security tools can’t handle the scale of cloud adoption or the complexity of cloud environments. A lack of security budget and resources compounds these concerns.

What Are the Risks of Fast-Paced Cloud Adoption?

Of the 400 information security professionals who participated in the survey, 60 percent either agreed or strongly agreed that cloud-based business initiatives move faster than the security organization’s ability to secure them. Another telling finding from a press release associated with the report is that 44 percent of respondents said that people outside of the security organization are responsible for securing the cloud. That means IT and cloud teams, application owners and other teams are tasked with securing cloud environments.

Perhaps it’s coincidental, but 44.5 percent of respondents also said that their top three challenges in securing public cloud environments are lack of visibility, lack of training and lack of control.

“Because the cloud is a shared security model, traditional approaches to security aren’t working reliably,” said Carolyn Crandall, chief deception officer at Attivo Networks. “Limited visibility leads to major gaps in detection where an attacker can hijack cloud resources or steal critical information.”

While the emergence of the cloud has enabled anytime, anywhere access to IT resources at an economical cost for businesses, cloud computing also widens the network attack surface, creating new entry points for adversaries to exploit.

The Misery of Misconfiguration

As cloud-based businesses continue to quickly spin up new environments, misconfiguration issues have resulted in security nightmares, particularly over the last several months. According to Infosecurity Magazine, a misconfiguration at a California-based communications provider left 26 million SMS messages exposed in November 2018, and in December 2018, IT misconfigurations exposed the data of more than 120 million Brazilians.

From Amazon Web Services (AWS) bucket misconfigurations to Elasticsearch or MongoDB blunders, companies across all sectors have had their names in headlines not because of a data breach, but because human error left plaintext sensitive data exposed, often without a password.

Getting Cloud Security up to Speed

As is most often the case, the ability to enhance cloud security comes down to the availability of resources — 57.5 percent of respondents to the FireMon survey said that less than 25 percent of the security budget is dedicated to cloud security.

It’s also time to move beyond the misconception that cloud providers are delivering security in the cloud.

“Organizations new to the cloud will typically think that the cloud provider handles security for them, so they are already covered. This is not true; the AWS Shared Security Model says that while AWS handles security of the cloud, the customer is still responsible for handling security in the cloud. Azure’s policy is similar,” said Nitzan Miron, vice president of product management, application security services at Barracuda.

In short, securing all the applications and databases running in cloud environments is the responsibility of the business. That’s why organizations need to start thinking differently about their security frameworks and how to design controls that will secure a complex, borderless environment. Within that evolving security framework, organizations not only need strategies for scalable threat detection across cloud environments, but the endpoints accessing those cloud environments also need to be able to detect threats.

“Reducing risk will require adding capabilities to monitor user activity in the cloud, unauthorized access, as well as any malware infiltration. They will also need to add continuous assessment controls to address policy violations, misconfigurations, or misconduct by their suppliers and contractors,” Crandall said.

DevSecOps to the Rescue?

Another reason cloud security is lagging is rooted in the highly problematic division of teams. According to Miron, it’s often the case that security teams are separate from Ops/DevOps teams, which causes security to move much slower.

When the DevOps team decides to move to the cloud, it may be months before the security team gets involved to audit what they are doing.

“The long-term solution to this is DevSecOps,” said Miron.

Let it not be lost on anyone that “Sec” is supplanted right between “Dev” and “Ops.” When it comes to development, security is not something that can be tacked on at the end. It has to be central to the DevOps process.

From database exposure to application vulnerabilities, security in the cloud is complicated; and the complexities are compounded when teams don’t have adequate resources. Businesses that want to advance cloud security at scale need to invest in both the people and the technology that will reduce risks.

 |  |  |  |  |  |  |  |  | 
Kacy Zurkus

More from Cloud Security
November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

October 10, 2024

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

June 6, 2024

AI-driven compliance: The key to cloud security

3 min read - The growth of cloud computing continues unabated, but it has also created security challenges. The acceleration of cloud adoption has created greater complexity, with limited cloud technical expertise available in the market, an explosion in connected and Internet of Things (IoT) devices and a growing need for multi-cloud environments. When organizations migrate to the cloud, there is a likelihood of data security problems given that many applications are not secure by design. When these applications migrate to cloud-native systems, mistakes in configuration…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature