Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/1/2019
09:00 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security Pros Agree: Cloud Adoption Outpaces Security

Oftentimes, responsibility for securing the cloud falls to IT instead of the security organization, researchers report.

Businesses are embracing the cloud at a rate that outpaces their ability to secure it. That's according to 60% of security experts surveyed for Firemon's first "State of Hybrid Cloud Security Survey," released this week.  

Researchers polled more than 400 information security professionals, from operations to C-level, about their approach to network security across hybrid cloud environments. They learned not only are security pros worried – oftentimes they don't have jurisdiction over the cloud.

Most respondents say their businesses are already deployed in the cloud: Half have two or more different clouds deployed, while 40% are running in hybrid cloud environments. Nearly 25% have two or more different clouds in the proof-of-concept stage or are planning deployment within the next year.

Only 56% of respondents report network security, security operations, or security teams manage cloud security, while the remaining 44% report IT/cloud teams, application owners, or other teams outside the security division are in charge of security for the cloud. Tim Woods, vice president of technology alliances at Firemon, calls it "fragmented security" or "fragmented responsibility." Business owners and DevOps teams often take over responsibility for the cloud.

"It's not hard when you're starting out," says Woods of cloud security. "But as you deploy more apps in the cloud and cloud adoption grows, if you don't have a process that surrounds that – especially around a common security policy – down the road we'll hit bigger problems."

Survey data indicates businesses are inadvertently driving complexity by adopting multiple, disparate point products on-prem and across public and private clouds. The complexity is compounded by a lack of integrated tools and training needed to maintain security across environments. A rush to deploy cloud-based services has surpassed the ability to protect them.

For example, researchers found 59% of respondents use two or more different firewalls. Of those using more than one firewall, 67% also use two or more public cloud platforms. Woods says it's fairly easy to lose track of the myriad cloud services and applications in the enterprise.

"Depending on the organization's size, you have a lot of people doing a lot of things across a lot of different market sectors and business areas," he explains. "It's no surprise they don't have a good handle on their assets deployed in the cloud." After all, he points out, adopting a cloud application or service "is as easy as swiping a credit card," and many cloud-based tools are free.

The Move to DevSecOps
Some businesses recognized the problem of cloud security early on and have taken steps to address it by integrating existing teams and hiring cloud professionals, Woods explains. Many are starting with the development process, bringing together security and DevOps teams.

Nearly 44% of respondents and 46% of C-level respondents report the acceleration of DevOps has positively affected security operations. More than 30% say they're part of the DevOps team, and more than 19% say they have a close, positive relationship with the DevOps team.

Still, work remains. Thirty percent of security pros surveyed say their relationships with DevOps are complicated, contentious, not worth mentioning, or nonexistent.

Woods says regulatory changes, such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, are influencing the ways people bring security into the development process. Both of these acts mandate security to be built-in by design. If an organization suffers an outage and data loss and cannot show security was integrated by default, it will suffer higher penalties, he explains.

This realization has made its way to the C-suite, where people are realizing the need for better oversight around cloud security deployment. In many organizations, executives are recognizing regulatory changes and the reality of "pay now or pay later," Woods says.

What's Holding Back Non-Adopters?
Organizations hesitant to adopt the cloud are primarily holding back due to poor visibility, the survey shows. Forty-five percent cite lack of visibility, lack of training, and lack of control as the top three challenges to securing their public cloud environments. Oftentimes, the tools businesses have don't provide proper visibility in a hybrid enterprise with multiple clouds and on-prem tools.

"Having good visibility into all that is critical if you're going to manage it," Woods says. "You can't manage what you can't see, and you can't secure what you don't know about."

Many organizations are eager to move to the cloud but don't want to put their information at risk. Data is the currency of many modern enterprises, he continues, and they worry about its safety. At the same time, they don't want to risk being noncompetitive by staying stagnant.

Despite the challenges, Woods anticipates adoption will continue to accelerate. "One thing I don't think is going to happen is I don't think cloud deployment is going to slow down," he says.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/1/2019 | 9:41:38 AM
Not slowing down
I have mentioned before that Steve Wozniak said, ages ago, that there is no security in the cloud.  He should know, rarely wrong.  That said, to my mind, at heart the cloud is simply an enormously long RJ-45 or fibre cable from your network to a physical server SOMEWHERE else in the world under god knows whose control.  Who knows whose hands are on that keyboard far away and what protection controls really are in place.  We don't know that and never can in effect.  So there is no real security, only limited functionality and controls that we can put in place on our side of the line. 
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17789
PUBLISHED: 2019-09-20
Prospecta Master Data Online (MDO) allows CSRF.
CVE-2019-11280
PUBLISHED: 2019-09-20
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain ...
CVE-2019-11326
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product is protected by a login. A guest is allowed to login. Once logged in as a guest, an attacker can browse a URL to read the password of the administrative user. The same pro...
CVE-2019-11327
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's files system.
CVE-2019-14814
PUBLISHED: 2019-09-20
There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.