As more companies migrate to the cloud and expand their cloud environments, security has become an enormous challenge. Many of the issues stem from the reality that the speed of cloud migration far surpasses security’s ability to keep pace.
What’s the holdup when it comes to security? While there’s no single answer to that complicated question, there are many obstacles that are seemingly blocking the path to cloud security.
In its inaugural “State of Hybrid Cloud Security” report, FireMon asserted that not only are cloud business and security misaligned, but existing security tools can’t handle the scale of cloud adoption or the complexity of cloud environments. A lack of security budget and resources compounds these concerns.
What Are the Risks of Fast-Paced Cloud Adoption?
Of the 400 information security professionals who participated in the survey, 60 percent either agreed or strongly agreed that cloud-based business initiatives move faster than the security organization’s ability to secure them. Another telling finding from a press release associated with the report is that 44 percent of respondents said that people outside of the security organization are responsible for securing the cloud. That means IT and cloud teams, application owners and other teams are tasked with securing cloud environments.
Perhaps it’s coincidental, but 44.5 percent of respondents also said that their top three challenges in securing public cloud environments are lack of visibility, lack of training and lack of control.
“Because the cloud is a shared security model, traditional approaches to security aren’t working reliably,” said Carolyn Crandall, chief deception officer at Attivo Networks. “Limited visibility leads to major gaps in detection where an attacker can hijack cloud resources or steal critical information.”
While the emergence of the cloud has enabled anytime, anywhere access to IT resources at an economical cost for businesses, cloud computing also widens the network attack surface, creating new entry points for adversaries to exploit.
The Misery of Misconfiguration
As cloud-based businesses continue to quickly spin up new environments, misconfiguration issues have resulted in security nightmares, particularly over the last several months. According to Infosecurity Magazine, a misconfiguration at a California-based communications provider left 26 million SMS messages exposed in November 2018, and in December 2018, IT misconfigurations exposed the data of more than 120 million Brazilians.
From Amazon Web Services (AWS) bucket misconfigurations to Elasticsearch or MongoDB blunders, companies across all sectors have had their names in headlines not because of a data breach, but because human error left plaintext sensitive data exposed, often without a password.
Getting Cloud Security up to Speed
As is most often the case, the ability to enhance cloud security comes down to the availability of resources — 57.5 percent of respondents to the FireMon survey said that less than 25 percent of the security budget is dedicated to cloud security.
It’s also time to move beyond the misconception that cloud providers are delivering security in the cloud.
“Organizations new to the cloud will typically think that the cloud provider handles security for them, so they are already covered. This is not true; the AWS Shared Security Model says that while AWS handles security of the cloud, the customer is still responsible for handling security in the cloud. Azure’s policy is similar,” said Nitzan Miron, vice president of product management, application security services at Barracuda.
In short, securing all the applications and databases running in cloud environments is the responsibility of the business. That’s why organizations need to start thinking differently about their security frameworks and how to design controls that will secure a complex, borderless environment. Within that evolving security framework, organizations need strategies for scalable threat detection across cloud environments, and the endpoints accessing those cloud environments also need to be able to detect threats.
“Reducing risk will require adding capabilities to monitor user activity in the cloud, unauthorized access, as well as any malware infiltration. They will also need to add continuous assessment controls to address policy violations, misconfigurations, or misconduct by their suppliers and contractors,” Crandall said.
DevSecOps to the Rescue?
Another reason cloud security is lagging is rooted in the highly problematic division of teams. According to Miron, it’s often the case that security teams are separate from Ops/DevOps teams, which causes security to move much slower.
When the DevOps team decides to move to the cloud, it may be months before the security team gets involved to audit what they are doing.
“The long-term solution to this is DevSecOps,” said Miron.
Let it not be lost on anyone that “Sec” is placed right between “Dev” and “Ops.” When it comes to development, security is not something that can be tacked on at the end. It has to be central to the DevOps process.
From database exposure to application vulnerabilities, security in the cloud is complicated, and the complexities are compounded when teams don’t have adequate resources. Businesses that want to advance cloud security at scale need to invest in both the people and the technology that will reduce risks.