
4/4/2017
04:15 PM

As Cloud Use Expands, So Do Security Blind Spots, Studies Show

Three-quarters of IaaS and SaaS apps aren't monitored.

Cloud usage continues to spread throughout some of the most critical parts of IT infrastructure, but even as the workloads grow in importance, the security practices are not necessarily improving at the same pace.

All evidence shows that there still remains a shocking lack of visibility into what enterprise data goes into the cloud, how it's used, and what controls are in place to keep it safe. Several new reports released in the last week shed more light on the issue, including one out from Bitglass today, which shows fewer than one in four organizations regularly monitor cloud infrastructure for security risks.

"Enterprise cloud apps lack critical controls for data security that could significantly reduce the risk of a breach," said Nat Kausik, CEO of Bitglass. "While some organizations can identify potential leaks after the fact, few organizations can remediate threats in real-time.”

According to a survey conducted on behalf of Bitglass by CyberEdge Group among 3,000 IT professionals, just 24% of them reported that their organizations routinely monitor SaaS and IaaS apps for security risks. That's less than half the rate of those organizations that routinely monitor the network perimeter.

It's no wonder that so many organizations list a lack of visibility as one of their number one concerns about cloud security, according to different survey results released by AlienVault last week. Among over 900 participants, 42% named visibility woes as their top security worry.

It's particularly troubling given the types of data making it into the cloud these days. The industry is well beyond simply depending on SaaS for ticky-tack productivity software or simple document sharing. And as DevOps and Agile efforts gain steam, organizations increasingly depend on IaaS and PaaS to run the critical workloads that are at the heart of their application development and digital transformation efforts. According to a survey conducted by RightScale earlier this year, companies now run 79% of their workloads in the cloud, with 41% running in the public cloud.  

Meanwhile, a different study by Crowd Research Partners released last week found that 39% of organizations store customer data in the cloud, 35% store employee data, 22% store financial corporate data, and the same percentage store intellectual property. The top benefits cited by participants in the Crowd Research study were flexible scalability, improved availability, and cost reduction. The trouble is that too many organizations hear the siren call of cloud's upside without even considering the risks.

"It’s not all sunshine and roses," writes Javvad Malik in the AlienVault study from last week. "When improperly used and managed, the cloud has the potential to pose a serious security risk to enterprises, and these risks are barely understood by most organizations, and are often not considered at all."

In many instances, organizations don't attempt to fix the visibility problem because there's an out-of-sight, out-of-mind attitude that permeates a lot of organizational cultures.

"There's very much an attitude of 'I don't need to be as vigorous monitoring stuff as in my own data center because it's in somebody else's SAS 70,' and if something goes sideways I'll just hold my provider's feet to the fire," says George Wrenn, CEO and founder of CyberSaint Security and a research affiliate for MIT in its (IC3) Critical Infrastructure Protection Program. "There's some plausible deniability and there's a bit of a myth that (the provider) is taking care of everything. But that's not the reality. You're still on the hook for monitoring, measuring, and managing your risk posture in those environments."


One of the difficulties that organizations face in establishing better visibility and control over systems residing in the cloud is that they can't simply port over old security technologies to cloud infrastructure. The Crowd Research survey shows that 78% of respondents report that their traditional security solutions don't work or have limited functionality in the cloud. However, that's not to say they don't have any options for improving the situation. That may have been true five years ago, but at this point there's a growing ecosystem of third-party monitoring options available for bridging the visibility gap between on-premises data centers and cloud infrastructure. Not only that, but cloud providers themselves are offering more built-in tools than ever - organizations just need to learn to use them.

"The great news is that cloud providers like AWS, are doing great things in the security space to help their users understand better what is going on. If you are running on AWS, you can get tools such as CloudTrail to audit all the API calls on your account, you can use AWS Config in order to audit your systems and ensure they meet your compliance rules," Pete Cheslock, head of operations and support teams at Threat Stack, told software development site InfoQ recently. "In many cases, the tools are there to be more secure running in the cloud, users just need to learn what they all are."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marc Wilczek,
User Rank: Author
4/25/2017 | 4:28:41 AM
Risks are still underestimated
Gartner recently predicted that by 2020, a third of successful cyber-attacks experienced by enterprises will be on their shadow IT resources. Safeguarding the estate and putting monitoring in place is not a "nice to have" type of thing. The risks associated with a security incident (reputation, financial damages etc.) still seem to be widely underestimated.
Catherine Hudson,
User Rank: Apprentice
4/8/2017 | 2:31:37 AM
Ways to solve the problem
Great piece! You've raised a topical issue, thank you. The majority seems to concentrate on the benefits of the cloud and ignore its threats which are plenty, as you noted. I think, SAM tools, such as Binadox, are able to facilitate the problem solving, as they monitor SaaS (cloud services) usage, log all subscription and usage events, intercept Terms of Service (ToS) and analyze those ToS to help businesses reveal potential liabilities and act proactively.