Cloud

4/4/2017
04:15 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

As Cloud Use Expands, So Do Security Blind Spots, Studies Show

Three-quarters of IaaS and SaaS apps aren't monitored.

Cloud usage continues to spread throughout some of the most critical parts of IT infrastructure, but even as the workloads grow in importance, the security practices are not necessarily improving at the same pace.

All evidence shows that there still remains a shocking lack of visibility into what enterprise data goes into the cloud, how it's used, and what controls are in place to keep it safe. Several new reports released in the last week shed more light on the issue, including one out from Bitglass today, which shows fewer than one in four organizations regularly monitor cloud infrastructure for security risks.

"Enterprise cloud apps lack critical controls for data security that could significantly reduce the risk of a breach," said Nat Kausik, CEO of Bitglass. "While some organizations can identify potential leaks after the fact, few organizations can remediate threats in real-time.”

According to a survey conducted on behalf of Bitglass by CyberEdge Group among 3,000 IT professionals, just 24% of them reported that their organizations routinely monitor SaaS and IaaS apps for security risks. That's less than half the rate of those organizations that routinely monitor the network perimeter.

It's no wonder that so many organizations list a lack of visibility as one of their number one concerns about cloud security, according to different survey results released by AlienVault last week. Among over 900 participants, 42% named visibility woes as their top security worry.

It's particularly troubling given the types of data making it into the cloud these days. The industry is well beyond simply depending on SaaS for ticky-tack productivity software or simple document sharing. And as DevOps and Agile efforts gain steam, organizations increasingly depend on IaaS and PaaS to run the critical workloads that are at the heart of their application development and digital transformation efforts. According to a survey conducted by RightScale earlier this year, companies now run 79% of their workloads in the cloud, with 41% running in the public cloud.  

Meanwhile, a different study by Crowd Research Partners released last week found that 39% of organizations store customer data in the cloud, 35% store employee data, 22% store financial corporate data, and the same percentage store intellectual property. The top benefits cited by participants in the Crowd Research study were flexible scalability, improved availability, and cost reduction. The trouble is that too many organizations hear the siren call of cloud's upside without even considering the risks.

"It’s not all sunshine and roses," writes Javvad Malik in the AlienVault study from last week. "When improperly used and managed, the cloud has the potential to pose a serious security risk to enterprises, and these risks are barely understood by most organizations, and are often not considered at all."

In many instances, organizations don't attempt to fix the visibility problem because there's an out-of-sight, out-of-mind attitude that permeates a lot of organizational cultures.

"There's very much an attitude of 'I don't need to be as vigorous monitoring stuff as in my own data center because it's in somebody else's SAS 70,' and if something goes sideways I'll just hold my provider's feet to the fire," says George Wrenn, CEO and founder of CyberSaint Security and a research affiliate for MIT in its (IC3) Critical Infrastructure Protection Program. "There's some plausible deniability and there's a bit of a myth that (the provider) is taking care of everything. But that's not the reality. You're still on the hook for monitoring, measuring, and managing your risk posture in those environments."

[Need advice on how to hold your cloud computing service providers accountable without relying on them to rescue your whole security program? Then don't miss "Herding Vendors and Implementing Third-Party Risk Programs," and other sessions at the Interop ITX conference in Las Vegas, May 15-19.]

One of the difficulties that organizations face in establishing better visibility and control over systems residing in the cloud is that they can't simply port over old security technologies to cloud infrastructure. The Crowd Research survey shows that 78% of respondents report that their traditional security solutions don't work or have limited functionality in the cloud. However, that's not to say they don't have any options for improving the situation. That may have been true five years ago, but at this point there's a growing ecosystem of third-party monitoring options available for bridging the visibility gap between on-premises data centers and cloud infrastructure. Not only that, but cloud providers themselves are offering more built-in tools than ever - organizations just need to learn to use them.

"The great news is that cloud providers like AWS, are doing great things in the security space to help their users understand better what is going on. If you are running on AWS, you can get tools such as CloudTrail to audit all the API calls on your account, you can use AWS Config in order to audit your systems and ensure they meet your compliance rules," Pete Cheslock, head of operations and support teams at Threat Stack, told software development site InfoQ recently. "In many cases, the tools are there to be more secure running in the cloud, users just need to learn what they all are."

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marc Wilczek
50%
50%
Marc Wilczek,
User Rank: Author
4/25/2017 | 4:28:41 AM
Risks are still underestimated
Gartner recently predicted that by 2020, a third of successful cyber-attacks experienced by enterprises will be on their shadow IT resources. Safeguarding the estate and putting monitoring in place is not a "nice to have" type of thing. The risks associated with a security incident (reputation, financial damages etc.) still seem to be widley underestimated.
Catherine Hudson
50%
50%
Catherine Hudson,
User Rank: Apprentice
4/8/2017 | 2:31:37 AM
Ways to solve the problem
Great piece! You've raised a topical issue, thank you. The majority seems to concentrate on the benefits of the cloud and ignore its threats which are plenty, as you noted. I think, SAM tools, such as Binadox, are able to facilitate the problem solving, as they monitor SaaS (cloud services) usage, log all subscription and usage events, intercept Terms of Service (ToS) and analyze those ToS to help businesses reveal potential liabilities and act proactively.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.