Dark Reading is part of the Informa Tech Division of Informa PLC


4/4/2017
04:15 PM

As Cloud Use Expands, So Do Security Blind Spots, Studies Show

Three-quarters of IaaS and SaaS apps aren't monitored.

Cloud usage continues to spread throughout some of the most critical parts of IT infrastructure, but even as the workloads grow in importance, the security practices are not necessarily improving at the same pace.

All evidence shows that there still remains a shocking lack of visibility into what enterprise data goes into the cloud, how it's used, and what controls are in place to keep it safe. Several new reports released in the last week shed more light on the issue, including one out from Bitglass today, which shows fewer than one in four organizations regularly monitor cloud infrastructure for security risks.

"Enterprise cloud apps lack critical controls for data security that could significantly reduce the risk of a breach," said Nat Kausik, CEO of Bitglass. "While some organizations can identify potential leaks after the fact, few organizations can remediate threats in real-time."

According to a survey conducted on behalf of Bitglass by CyberEdge Group among 3,000 IT professionals, just 24% of them reported that their organizations routinely monitor SaaS and IaaS apps for security risks. That's less than half the rate of those organizations that routinely monitor the network perimeter.

It's no wonder that so many organizations list a lack of visibility as one of their number one concerns about cloud security, according to different survey results released by AlienVault last week. Among over 900 participants, 42% named visibility woes as their top security worry.

It's particularly troubling given the types of data making it into the cloud these days. The industry is well beyond simply depending on SaaS for ticky-tack productivity software or simple document sharing. And as DevOps and Agile efforts gain steam, organizations increasingly depend on IaaS and PaaS to run the critical workloads that are at the heart of their application development and digital transformation efforts. According to a survey conducted by RightScale earlier this year, companies now run 79% of their workloads in the cloud, with 41% running in the public cloud.  

Meanwhile, a different study by Crowd Research Partners released last week found that 39% of organizations store customer data in the cloud, 35% store employee data, 22% store financial corporate data, and the same percentage store intellectual property. The top benefits cited by participants in the Crowd Research study were flexible scalability, improved availability, and cost reduction. The trouble is that too many organizations hear the siren call of cloud's upside without even considering the risks.

"It’s not all sunshine and roses," writes Javvad Malik in the AlienVault study from last week. "When improperly used and managed, the cloud has the potential to pose a serious security risk to enterprises, and these risks are barely understood by most organizations, and are often not considered at all."

In many instances, organizations don't attempt to fix the visibility problem because there's an out-of-sight, out-of-mind attitude that permeates a lot of organizational cultures.

"There's very much an attitude of 'I don't need to be as vigorous monitoring stuff as in my own data center because it's in somebody else's SAS 70,' and if something goes sideways I'll just hold my provider's feet to the fire," says George Wrenn, CEO and founder of CyberSaint Security and a research affiliate for MIT in its (IC3) Critical Infrastructure Protection Program. "There's some plausible deniability and there's a bit of a myth that (the provider) is taking care of everything. But that's not the reality. You're still on the hook for monitoring, measuring, and managing your risk posture in those environments."

[Need advice on how to hold your cloud computing service providers accountable without relying on them to rescue your whole security program? Then don't miss "Herding Vendors and Implementing Third-Party Risk Programs," and other sessions at the Interop ITX conference in Las Vegas, May 15-19.]

One of the difficulties that organizations face in establishing better visibility and control over systems residing in the cloud is that they can't simply port over old security technologies to cloud infrastructure. The Crowd Research survey shows that 78% of respondents report that their traditional security solutions don't work or have limited functionality in the cloud. However, that's not to say they don't have any options for improving the situation. That may have been true five years ago, but at this point there's a growing ecosystem of third-party monitoring options available for bridging the visibility gap between on-premises data centers and cloud infrastructure. Not only that, but cloud providers themselves are offering more built-in tools than ever - organizations just need to learn to use them.

"The great news is that cloud providers like AWS are doing great things in the security space to help their users understand better what is going on. If you are running on AWS, you can get tools such as CloudTrail to audit all the API calls on your account, you can use AWS Config in order to audit your systems and ensure they meet your compliance rules," Pete Cheslock, head of operations and support teams at Threat Stack, told software development site InfoQ recently. "In many cases, the tools are there to be more secure running in the cloud, users just need to learn what they all are."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Catherine Hudson,
User Rank: Apprentice
4/8/2017 | 2:31:37 AM
Ways to solve the problem
Great piece! You've raised a topical issue, thank you. The majority seems to concentrate on the benefits of the cloud and ignore its threats, which are plenty, as you noted. I think SAM tools, such as Binadox, are able to facilitate the problem solving, as they monitor SaaS (cloud services) usage, log all subscription and usage events, intercept Terms of Service (ToS) and analyze those ToS to help businesses reveal potential liabilities and act proactively.
Marc Wilczek,
User Rank: Author
4/25/2017 | 4:28:41 AM
Risks are still underestimated
Gartner recently predicted that by 2020, a third of successful cyber-attacks experienced by enterprises will be on their shadow IT resources. Safeguarding the estate and putting monitoring in place is not a "nice to have" type of thing. The risks associated with a security incident (reputation, financial damages etc.) still seem to be widely underestimated.