Cloud

10/19/2015
10:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Enterprises Are Leaving Cloud Security Policies To Chance

Only a third have a strategy for securing a mix of different data center and cloud deployment scenarios.

As the lines blur between data center and cloud provider facility, very few organizations are keeping up with policies and technology geared to handle the shift to dynamic data centers, reports a new study out by the SANS Institute last week. The report shows that even at the most basic level, planning is scarce: fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use.

“Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments,” says Dave Shackleford, SANS analyst and author of the report. “Teams that are ahead of the game have already developed strategies describing how traditional and cloud computing models fit together, typically outlining what data or other assets can go to which type of external provider and what conditions should be placed on providers of different types or security levels.”

Commissioned by Illumio, the survey polled over 400 organizations to get the full picture on the state of security in today’s environments. As things stand, over half of organizations surveyed utilize Infrastructure-as-a-Service (IaaS) and almost a third use Platform-as-a-Service. While most of these services operate under a shared responsibility model that requires users to protect environments contained within, the truth is that the amount of security technology used within the cloud remains low compared to similar assets on premise; in most major categories it is half or less.

For example, while 75 percent of organizations utilize identity and access management tools on premises, only 31 percent use it in the cloud. And while 63 percent of organizations use a SIEM to track security events across traditional data center assets, just 25 percent do the same with cloud assets.

“This seeming reduction in use of security tools is a huge issue for many organizations today, given the fact that many public cloud providers don’t currently offer or support many security tools considered standard by most security teams,” Shackleford says. “While some cloud providers do have security offerings available, they fall far short of the security stack used by most survey respondents.”

Of course, that may not completely be the fault of the organizations themselves. Two of the biggest challenges cited by respondents in setting up security in the cloud was visibility into cloud provider practices and cooperation from cloud providers in supporting the customers’ security technology.

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
10/20/2015 | 3:42:41 PM
A growing issue
I find it concerning that "fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use," and I agree that "Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments." I think it is critical to be able to manage the security policy from a single, central command, to secure big data, databases, cloud applications, file servers, applications and more.

Cloud is a particular concern and the Ponemon study "The State of Data Security Intelligence," reported that "Data that is outsourced to cloud is the biggest worry." Another Ponemon study reported that "Less than four in 10 leverage security tools to protect enterprise applications and data in the cloud."

Gartner released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach." The report recommended CIOs and CISOs to address data residency and compliance issues by "applying encryption or tokenization," and to also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys." Example of solutions can be found in another Gartner report that concluded that "Cloud Data Protection Gateways" provides a "High Benefit Rating" and "offer a way to secure sensitive enterprise data and files stores of data and use cases.

Ulf Mattsson, CTO Protegrity
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6705
PUBLISHED: 2018-12-12
Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0.0 through 5.0.6, 5.5.0, and 5.5.1 allows local users to perform arbitrary command execution via specific conditions.
CVE-2018-15717
PUBLISHED: 2018-12-12
Open Dental before version 18.4 stores user passwords as base64 encoded MD5 hashes.
CVE-2018-15718
PUBLISHED: 2018-12-12
Open Dental before version 18.4 transmits the entire user database over the network when a remote unathenticated user accesses the command prompt. This allows the attacker to gain access to usernames, password hashes, privilege levels, and more.
CVE-2018-15719
PUBLISHED: 2018-12-12
Open Dental before version 18.4 installs a mysql database and uses the default credentials of "root" with a blank password. This allows anyone on the network with access to the server to access all database information.
CVE-2018-6704
PUBLISHED: 2018-12-12
Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0.0 through 5.0.6, 5.5.0, and 5.5.1 allows local users to perform arbitrary command execution via specific conditions.