Cloud usage continues to spread throughout some of the most critical parts of IT infrastructure, but even as the workloads grow in importance, the security practices are not necessarily improving at the same pace.
All evidence shows that there still remains a shocking lack of visibility into what enterprise data goes into the cloud, how it's used, and what controls are in place to keep it safe. Several new reports released in the last week shed more light on the issue, including one out from Bitglass today, which shows fewer than one in four organizations regularly monitor cloud infrastructure for security risks.
"Enterprise cloud apps lack critical controls for data security that could significantly reduce the risk of a breach," said Nat Kausik, CEO of Bitglass. "While some organizations can identify potential leaks after the fact, few organizations can remediate threats in real-time."
According to a survey conducted on behalf of Bitglass by CyberEdge Group among 3,000 IT professionals, just 24% of them reported that their organizations routinely monitor SaaS and IaaS apps for security risks. That's less than half the rate of those organizations that routinely monitor the network perimeter.
It's no wonder that so many organizations list a lack of visibility among their top concerns about cloud security, according to different survey results released by AlienVault last week. Among over 900 participants, 42% named visibility woes as their top security worry.
It's particularly troubling given the types of data making it into the cloud these days. The industry is well beyond simply depending on SaaS for ticky-tack productivity software or simple document sharing. And as DevOps and Agile efforts gain steam, organizations increasingly depend on IaaS and PaaS to run the critical workloads that are at the heart of their application development and digital transformation efforts. According to a survey conducted by RightScale earlier this year, companies now run 79% of their workloads in the cloud, with 41% running in the public cloud.
Meanwhile, a different study by Crowd Research Partners released last week found that 39% of organizations store customer data in the cloud, 35% store employee data, 22% store financial corporate data, and the same percentage store intellectual property. The top benefits cited by participants in the Crowd Research study were flexible scalability, improved availability, and cost reduction. The trouble is that too many organizations hear the siren call of cloud's upside without even considering the risks.
"It’s not all sunshine and roses," writes Javvad Malik in the AlienVault study from last week. "When improperly used and managed, the cloud has the potential to pose a serious security risk to enterprises, and these risks are barely understood by most organizations, and are often not considered at all."
In many instances, organizations don't attempt to fix the visibility problem because there's an out-of-sight, out-of-mind attitude that permeates a lot of organizational cultures.
"There's very much an attitude of 'I don't need to be as vigorous monitoring stuff as in my own data center because it's in somebody else's SAS 70,' and if something goes sideways I'll just hold my provider's feet to the fire," says George Wrenn, CEO and founder of CyberSaint Security and a research affiliate for MIT in its (IC3) Critical Infrastructure Protection Program. "There's some plausible deniability and there's a bit of a myth that (the provider) is taking care of everything. But that's not the reality. You're still on the hook for monitoring, measuring, and managing your risk posture in those environments."
One of the difficulties that organizations face in establishing better visibility and control over systems residing in the cloud is that they can't simply port over old security technologies to cloud infrastructure. The Crowd Research survey shows that 78% of respondents report that their traditional security solutions don't work or have limited functionality in the cloud. However, that's not to say they don't have any options for improving the situation. That may have been true five years ago, but at this point there's a growing ecosystem of third-party monitoring options available for bridging the visibility gap between on-premises data centers and cloud infrastructure. Not only that, but cloud providers themselves are offering more built-in tools than ever - organizations just need to learn to use them.
"The great news is that cloud providers like AWS are doing great things in the security space to help their users understand better what is going on. If you are running on AWS, you can get tools such as CloudTrail to audit all the API calls on your account, you can use AWS Config in order to audit your systems and ensure they meet your compliance rules," Pete Cheslock, head of operations and support teams at Threat Stack, told software development site InfoQ recently. "In many cases, the tools are there to be more secure running in the cloud, users just need to learn what they all are."