Cloud

3/1/2019
09:00 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security Pros Agree: Cloud Adoption Outpaces Security

Oftentimes, responsibility for securing the cloud falls to IT instead of the security organization, researchers report.

Businesses are embracing the cloud at a rate that outpaces their ability to secure it. That's according to 60% of security experts surveyed for Firemon's first "State of Hybrid Cloud Security Survey," released this week.  

Researchers polled more than 400 information security professionals, from operations to C-level, about their approach to network security across hybrid cloud environments. They learned not only are security pros worried – oftentimes they don't have jurisdiction over the cloud.

Most respondents say their businesses are already deployed in the cloud: Half have two or more different clouds deployed, while 40% are running in hybrid cloud environments. Nearly 25% have two or more different clouds in the proof-of-concept stage or are planning deployment within the next year.

Only 56% of respondents report network security, security operations, or security teams manage cloud security, while the remaining 44% report IT/cloud teams, application owners, or other teams outside the security division are in charge of security for the cloud. Tim Woods, vice president of technology alliances at Firemon, calls it "fragmented security" or "fragmented responsibility." Business owners and DevOps teams often take over responsibility for the cloud.

"It's not hard when you're starting out," says Woods of cloud security. "But as you deploy more apps in the cloud and cloud adoption grows, if you don't have a process that surrounds that – especially around a common security policy – down the road we'll hit bigger problems."

Survey data indicates businesses are inadvertently driving complexity by adopting multiple, disparate point products on-prem and across public and private clouds. The complexity is compounded by a lack of integrated tools and training needed to maintain security across environments. A rush to deploy cloud-based services has surpassed the ability to protect them.

For example, researchers found 59% of respondents use two or more different firewalls. Of those using more than one firewall, 67% also use two or more public cloud platforms. Woods says it's fairly easy to lose track of the myriad cloud services and applications in the enterprise.

"Depending on the organization's size, you have a lot of people doing a lot of things across a lot of different market sectors and business areas," he explains. "It's no surprise they don't have a good handle on their assets deployed in the cloud." After all, he points out, adopting a cloud application or service "is as easy as swiping a credit card," and many cloud-based tools are free.

The Move to DevSecOps
Some businesses recognized the problem of cloud security early on and have taken steps to address it by integrating existing teams and hiring cloud professionals, Woods explains. Many are starting with the development process, bringing together security and DevOps teams.

Nearly 44% of respondents and 46% of C-level respondents report the acceleration of DevOps has positively affected security operations. More than 30% say they're part of the DevOps team, and more than 19% say they have a close, positive relationship with the DevOps team.

Still, work remains. Thirty percent of security pros surveyed say their relationships with DevOps are complicated, contentious, not worth mentioning, or nonexistent.

Woods says regulatory changes, such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, are influencing the ways people bring security into the development process. Both of these acts mandate security to be built-in by design. If an organization suffers an outage and data loss and cannot show security was integrated by default, it will suffer higher penalties, he explains.

This realization has made its way to the C-suite, where people are realizing the need for better oversight around cloud security deployment. In many organizations, executives are recognizing regulatory changes and the reality of "pay now or pay later," Woods says.

What's Holding Back Non-Adopters?
Organizations hesitant to adopt the cloud are primarily holding back due to poor visibility, the survey shows. Forty-five percent cite lack of visibility, lack of training, and lack of control as the top three challenges to securing their public cloud environments. Oftentimes, the tools businesses have don't provide proper visibility in a hybrid enterprise with multiple clouds and on-prem tools.

"Having good visibility into all that is critical if you're going to manage it," Woods says. "You can't manage what you can't see, and you can't secure what you don't know about."

Many organizations are eager to move to the cloud but don't want to put their information at risk. Data is the currency of many modern enterprises, he continues, and they worry about its safety. At the same time, they don't want to risk being noncompetitive by staying stagnant.

Despite the challenges, Woods anticipates adoption will continue to accelerate. "One thing I don't think is going to happen is I don't think cloud deployment is going to slow down," he says.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/1/2019 | 9:41:38 AM
Not slowing down
I have mentioned before that Steve Wozniak said, ages ago, that there is no security in the cloud.  He should know, rarely wrong.  That said, to my mind, at heart the cloud is simply an enormously long RJ-45 or fibre cable from your network to a physical server SOMEWHERE else in the world under god knows whose control.  Who knows whose hands are on that keyboard far away and what protection controls really are in place.  We don't know that and never can in effect.  So there is no real security, only limited functionality and controls that we can put in place on our side of the line. 
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.