Companies increasingly moved their applications and infrastructure to the cloud in the past year, but not without major concerns about security.
Almost 60% of companies said they are more worried about security since moving to cloud-native technologies — four times as many as those that said they worry less, according to a survey published last week by security firm Snyk. The companies' concerns are likely rooted in experience: more than 56% of firms indicated they had dealt with a security incident caused by a misconfiguration or an unpatched vulnerability, Snyk states in its "State of Cloud Native Application Security" report.
The two types of events don't mean the companies are less secure following the move to the cloud, but that they are detecting — and, in most cases, quickly mitigating — more security issues, says Guy Podjarny, founder and president of Snyk.
"There have been more of these incidents because environments are more messy, but companies correctly perceive that these are areas that need attention, so their concerns are aligning well with the actual threats," he says. "It's more about what I call security hygiene, about keeping the windows locked and doors shut."
The necessity of scaling up remotely accessible infrastructure during the pandemic has given impetus to companies' digital transformations, with many companies moving from the early planning stages to an accelerated rollout of cloud infrastructure during the past year.
Rather than use on-premises applications and systems made remotely accessible, companies have moved to cloud-native applications and infrastructure. Cloud-native technologies use cloud-based infrastructure — such as containers, microservices, and APIs — to improve businesses' scalability and agility and are considered key to digital transformation.
Companies that had high cloud adoption tended to encounter more incidents of specific types compared with companies that had not moved as many business and development processes to the cloud, according to the Snyk report. High cloud adoption firms tended to see more incidents of misconfiguration (50%), known unpatched vulnerabilities (45%), failed audits (21%), and secrets leaks (18%), compared with organizations with low cloud adoption, which tended to have higher incidences of malware (14%) or, in many cases, did not detect any security incidents (21%).
"Adoption of cloud native technologies will undoubtedly change the security posture of [an organization's] overall application," Snyk states in the report. "While the core security principles remain constant, as with all emerging ecosystems the best practices are still being defined, driving fresh concern as teams navigate through unfamiliar landscapes."
Along with businesses, attackers have focused on cloud technologies as well, with malware arriving from cloud applications — such as storage, cloud e-mail services, and software download services — increasing by nearly a third and accounting for 62% of all malware downloads in Q1 2021, according to a separate, recent report from cloud-application service provider Netskope. That's up from 48% of downloads in the same quarter the previous year.
While most malware downloaded from the Web arrives as executable files, malware downloaded from cloud apps is more varied: executable files and archives each account for about a quarter of the total, and Office documents account for almost 16%, according to Netskope.
"The rise in the popularity of cloud apps as a channel for cybercriminals to deliver malware is a result of the overall rise in popularity of cloud apps—cybercriminals go wherever their victims are," the Netskope report states.
Snyk did not conclude that companies with more cloud-native technologies are less secure, but that they are more aware of security incidents because they have greater visibility. While only a third of all companies had an entirely automated development pipeline, 42% of cloud-native companies had moved to total automation.
"The data in the report is showing ... that the teams with higher cloud adoption actually have better automation and they are far more likely to find and fix critical issues in a much, much faster period of time," Podjarny says. "Their concerns are around this new reality — empowering their workers and working with independent teams — and they worry that more of them will slip, but still their ability to respond is much faster."
One interesting finding is that developers are more willing to take on security responsibilities than security teams are ready to give them up, Podjarny says. Among developers, 36% claimed responsibility for security — three times the share of security pros who assigned it to developers — while only 13% of developers assigned responsibility to the IT security team. By contrast, only 10% of respondents in security roles assigned security to developers, and 31% assigned responsibility to the security team.
Among both types of survey respondents, the majority — 31% of developers and 33% of security members — considered security to be the responsibility of the DevOps or DevSecOps team.
It is more about who is ready to address the problems, Podjarny says.
"There is a cynical view that developers do not care about security, but the data shows that the developers are far more ready to accept security responsibility," he says. "Companies have scanning technology, but developers need to be the ones to run it, and security teams need to let go."