
Cloud-Native Businesses Struggle With Security

More companies moved to cloud-native infrastructure in the past year, and security incidents and malware moved right along with them.

Companies increasingly moved their applications and infrastructure to the cloud in the past year, but not without major concerns about security.

Almost 60% of companies said they are more worried about security since moving to cloud-native technologies — four times greater than those that said they worry less, according to a survey published last week by security firm Snyk. The companies' concerns are likely due to experience, with more than 56% of firms indicating they dealt with a security incident caused by misconfiguration or an unpatched vulnerability, Snyk states in its "State of Cloud Native Application Security" report.


The two types of events don't mean the companies are less secure following the move to the cloud, but that they are detecting — and, in most cases, quickly mitigating — more security issues, says Guy Podjarny, founder and president of Snyk.

"There have been more of these incidents because environments are more messy, but companies correctly perceive that these are areas that need attention, so their concerns are aligning well with the actual threats," he says. "It's more about what I call security hygiene, about keeping the windows locked and doors shut."

The necessity of scaling up remotely accessible infrastructure during the pandemic has given impetus to companies' digital transformations, with many companies moving from the early planning stages to an accelerated rollout of cloud infrastructure during the past year.

Rather than use on-premise applications and systems that are remotely accessible, companies have moved to cloud-native applications and infrastructure. Cloud-native technologies use cloud-based infrastructure — such as containers, microservices, and APIs — to improve businesses' scalability and agility and are considered key to digital transformation.

Companies that had high cloud adoption tended to encounter more incidents of specific types compared with companies that had not moved as many business and development processes to the cloud, according to the Snyk report. High cloud adoption firms tended to see more incidents of misconfiguration (50%), known unpatched vulnerabilities (45%), failed audits (21%), and secrets leaks (18%), compared with organizations with low cloud adoption, which tended to have higher incidences of malware (14%) or, in many cases, did not detect any security incidents (21%).

"Adoption of cloud native technologies will undoubtedly change the security posture of [an organization's] overall application," Snyk states in the report. "While the core security principles remain constant, as with all emerging ecosystems the best practices are still being defined, driving fresh concern as teams navigate through unfamiliar landscapes."

Along with businesses, attackers have focused on cloud technologies as well, with malware arriving from cloud applications — such as storage, cloud e-mail services, and software download services — increasing by nearly a third and accounting for 62% of all malware downloads in Q1 2021, according to a separate, recent report from cloud-application service provider Netskope. That's up from 48% of downloads in the same quarter the previous year. 

While most malware downloaded from the Web consists of executable files, malware downloaded from cloud apps is more varied, with executable files and archives accounting for about a quarter of the total each, and Office documents accounting for almost 16%, according to Netskope.

"The rise in the popularity of cloud apps as a channel for cybercriminals to deliver malware is a result of the overall rise in popularity of cloud apps—cybercriminals go wherever their victims are," the Netskope report states.

Snyk did not conclude that companies with more cloud-native technologies are less secure, but that they are more aware of security incidents because they have greater visibility. While only a third of all companies had an entirely automated development pipeline, 42% of cloud-native companies had moved to total automation. 

"The data in the report is showing ... that the teams with higher cloud adoption actually have better automation and they are far more likely to find and fix critical issues in a much, much faster period of time," Podjarny says. "Their concerns are around this new reality — empowering their workers and working with independent teams — and they worry that more of them will slip, but still their ability to respond is much faster."

One interesting finding is that developers are more likely to want to take on security responsibilities than security teams are ready to give up those responsibilities, Podjarny says. Three times as many developers as security pros — 36% — claimed responsibility for security, with only 13% assigning responsibility to the IT security team. However, only 10% of respondents in security roles assigned security to developers, compared with 31% assigning responsibility to the security team. 

Among both types of survey respondents, the majority — 31% of developers and 33% of security members — considered security to be the responsibility of the DevOps or DevSecOps team.

It is more about who is ready to address the problems, Podjarny says. 

"There is a cynical view that developers do not care about security, but the data shows that the developers are far more ready to accept security responsibility," he says. "Companies have scanning technology, but developers need to be the ones to run it, and security teams need to let go."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
