
5/14/2020
05:35 PM

As Businesses Rush to the Cloud, Security Teams Struggle to Keep Up

Most organizations have a gap between current and planned cloud usage and the maturity of their cloud security programs.

The continued shift to the cloud is driving challenges in preparedness, configuration management, and defending against new attack techniques. Businesses are rushing to move applications to the cloud, putting growing amounts of pressure on security teams to keep pace.

Trust in the public cloud continues to grow, researchers found in the "Oracle and KPMG Cloud Threat Report 2020." Forty percent of the 750 IT and security professionals surveyed view the public cloud as more secure than what they can deliver on-premises, marking a 13% year-over-year jump from the 2019 study. Most (88%) currently use public cloud infrastructure services.

When asked about consuming business-critical applications as a service, respondents cite, on average, a 9% increase over the next two years. The shift to software-as-a-service (SaaS) for these applications shows more people are growing comfortable with the security of cloud providers. Enterprise resource planning, customer relationship management, human capital management, and IT services management are among the applications undergoing the transition to cloud, researchers say.

"Many of our clients are at the point where they deployed their first set of important applications, like finance applications in the cloud, supply chain applications … a core set of three to five applications, and that's gone OK," says Steve Barlock, principal with KPMG. Over the past six to 12 months, businesses that have seen early success want to start moving everything to the cloud. "We're seeing a problem of scale right now," he adds.

Survey data shows 92% of companies have a "cloud security readiness gap" between their current and planned cloud usage and the maturity of their cloud security programs. More than 40% report a wide gap, while 48% say the gap is moderate. The space is created when cloud services and applications are consumed by business units outside the scope of IT and security teams. As the security pros try to catch up, their efforts are perceived as slowing the business down. 

"The shared responsibility picture is just getting worse every year," says Greg Jensen, senior principal director of cloud security at Oracle. Security teams must know what's going into production. Once they do, it takes time to implement monitoring and remediation mechanisms.

This readiness gap manifests in new challenges for IT and security pros: More than three-quarters (78%) say the differences between cloud-resident and on-premises applications and infrastructure require a distinct set of security policies and processes. These differences have led to buying more security controls, driving complexity. Seventy percent report too many tools are needed to protect public cloud environments. On average, each uses more than 100 discrete security controls.

Visibility was a primary issue among respondents. Nearly 30% of respondents said identifying software flaws and remediation was the most important area for improving visibility. Other areas include finding workload configurations that are out of compliance (28%), an audit trail of system-level activity (27%), identifying misconfigured security groups (25%), and detecting external-facing server workloads that don't route Internet traffic via jump/bastion host (25%). 

"The pace of change of underlying technology is tremendous," says Barlock. "It's just hard for teams to keep up with the pace of that change. The other dimension is the scale of the team: Do I have enough people on my security team who are knowledgeable about cloud and can meet the business where they are?"

Barlock, who heads up the cloud and AI division at KPMG, says his team faced the same issues. In response, they reorganized their cybersecurity team to place a stronger focus on cloud and cloud/AI technology. They also grew closer to technology partners and encouraged employees to pursue certifications focused on cloud as well as hands-on skill building, he explains.

A lack of cloud security skills is proving problematic for organizations across the board, Jensen says, noting how many security incidents over the past year could be linked back to cloud configuration issues, including overprivileged credentials, lack of encryption, or unprotected buckets.

"The news is scaring people," he explains. "It's making them realize they are vulnerable because of a lack of understanding and ability to get a handle on security controls."

These challenges are driving businesses to hire more technically savvy cloud security pros. Researchers report more companies have a cloud security architect than a security architect, indicating a rethinking of security programs to close the "readiness gap." One increasingly common role is the business information security officer (BISO), now a position at 35% of enterprises and 21% of midmarket companies.

The BISO acts as a liaison between business executives and the CISO, Jensen explains, but it won't replace the security leader. Today's CISOs know organizations are going to pursue cloud-based applications without them. A BISO moves the security team close to the business team and understands the business development life cycle, priorities, and security gaps, he notes. BISOs are driven by business goals and achievement, and their role is to help CISOs and line-of-business owners to collaborate.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 
