Cloud-Native Businesses Struggle With Security

More companies moved to cloud-native infrastructure in the past year, and security incidents and malware moved right along with them.

Companies increasingly moved their applications and infrastructure to the cloud in the past year, but not without major concerns about security.

Almost 60% of companies said they are more worried about security since moving to cloud-native technologies — four times greater than those that said they worry less, according to a survey published last week by security firm Snyk. The companies' concerns are likely due to experience, with more than 56% of firms indicating they had dealt with a security incident caused by misconfiguration or an unpatched vulnerability, Snyk states in its "State of Cloud Native Application Security" report.

The two types of events don't mean the companies are less secure following the move to the cloud, but that they are detecting — and, in most cases, quickly mitigating — more security issues, says Guy Podjarny, founder and president of Snyk.

"There have been more of these incidents because environments are more messy, but companies correctly perceive that these are areas that need attention, so their concerns are aligning well with the actual threats," he says. "It's more about what I call security hygiene, about keeping the windows locked and doors shut."

The necessity of scaling up remotely accessible infrastructure during the pandemic has given impetus to companies' digital transformations, with many companies moving from the early planning stages to an accelerated rollout of cloud infrastructure during the past year.

Rather than use on-premise applications and systems that are remotely accessible, companies have moved to cloud-native applications and infrastructure. Cloud-native technologies use cloud-based infrastructure — such as containers, microservices, and APIs — to improve businesses' scalability and agility and are considered key to digital transformation.

Companies that had high cloud adoption tended to encounter more incidents of specific types compared with companies that had not moved as many business and development processes to the cloud, according to the Snyk report. High cloud adoption firms tended to see more incidents of misconfiguration (50%), known unpatched vulnerabilities (45%), failed audits (21%), and secrets leaks (18%), compared with organizations with low cloud adoption, which tended to have higher incidences of malware (14%) or, in many cases, did not detect any security incidents (21%).

"Adoption of cloud native technologies will undoubtedly change the security posture of [an organization's] overall application," Snyk states in the report. "While the core security principles remain constant, as with all emerging ecosystems the best practices are still being defined, driving fresh concern as teams navigate through unfamiliar landscapes."

Along with businesses, attackers have focused on cloud technologies as well, with malware arriving from cloud applications — such as storage, cloud e-mail services, and software download services — increasing by nearly a third and accounting for 62% of all malware downloads in Q1 2021, according to a separate, recent report from cloud-application service provider Netskope. That's up from 48% of downloads in the same quarter the previous year. 

While most malware downloaded from the Web consists of executable files, malware downloaded from cloud apps is more varied, with executable files and archives accounting for about a quarter of the total each, and Office documents accounting for almost 16%, according to Netskope.

"The rise in the popularity of cloud apps as a channel for cybercriminals to deliver malware is a result of the overall rise in popularity of cloud apps—cybercriminals go wherever their victims are," the Netskope report states.

Snyk did not conclude that companies with more cloud-native technologies are less secure, but that they are more aware of security incidents because they have greater visibility. While only a third of all companies had an entirely automated development pipeline, 42% of cloud-native companies had moved to total automation. 

"The data in the report is showing ... that the teams with higher cloud adoption actually have better automation and they are far more likely to find and fix critical issues in a much, much faster period of time," Podjarny says. "Their concerns are around this new reality — empowering their workers and working with independent teams — and they worry that more of them will slip, but still their ability to respond is much faster."

One interesting finding is that developers are more likely to want to take on security responsibilities than security teams are ready to give up those responsibilities, Podjarny says. Three times as many developers as security pros — 36% — claimed responsibility for security, with only 13% assigning responsibility to the IT security team. However, only 10% of respondents in security roles assigned security to developers, compared with 31% assigning responsibility to the security team. 

Among both types of survey respondents, the majority — 31% of developers and 33% of security members — considered security to be the responsibility of the DevOps or DevSecOps team.

It is more about who is ready to address the problems, Podjarny says. 

"There is a cynical view that developers do not care about security, but the data shows that the developers are far more ready to accept security responsibility," he says. "Companies have scanning technology, but developers need to be the ones to run it, and security teams need to let go."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
