Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/1/2019
09:00 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security Pros Agree: Cloud Adoption Outpaces Security

Oftentimes, responsibility for securing the cloud falls to IT instead of the security organization, researchers report.

Businesses are embracing the cloud at a rate that outpaces their ability to secure it. That's according to 60% of security experts surveyed for Firemon's first "State of Hybrid Cloud Security Survey," released this week.  

Researchers polled more than 400 information security professionals, from operations to C-level, about their approach to network security across hybrid cloud environments. They learned not only are security pros worried – oftentimes they don't have jurisdiction over the cloud.

Most respondents say their businesses are already deployed in the cloud: Half have two or more different clouds deployed, while 40% are running in hybrid cloud environments. Nearly 25% have two or more different clouds in the proof-of-concept stage or are planning deployment within the next year.

Only 56% of respondents report network security, security operations, or security teams manage cloud security, while the remaining 44% report IT/cloud teams, application owners, or other teams outside the security division are in charge of security for the cloud. Tim Woods, vice president of technology alliances at Firemon, calls it "fragmented security" or "fragmented responsibility." Business owners and DevOps teams often take over responsibility for the cloud.

"It's not hard when you're starting out," says Woods of cloud security. "But as you deploy more apps in the cloud and cloud adoption grows, if you don't have a process that surrounds that – especially around a common security policy – down the road we'll hit bigger problems."

Survey data indicates businesses are inadvertently driving complexity by adopting multiple, disparate point products on-prem and across public and private clouds. The complexity is compounded by a lack of integrated tools and training needed to maintain security across environments. A rush to deploy cloud-based services has surpassed the ability to protect them.

For example, researchers found 59% of respondents use two or more different firewalls. Of those using more than one firewall, 67% also use two or more public cloud platforms. Woods says it's fairly easy to lose track of the myriad cloud services and applications in the enterprise.

"Depending on the organization's size, you have a lot of people doing a lot of things across a lot of different market sectors and business areas," he explains. "It's no surprise they don't have a good handle on their assets deployed in the cloud." After all, he points out, adopting a cloud application or service "is as easy as swiping a credit card," and many cloud-based tools are free.

The Move to DevSecOps
Some businesses recognized the problem of cloud security early on and have taken steps to address it by integrating existing teams and hiring cloud professionals, Woods explains. Many are starting with the development process, bringing together security and DevOps teams.

Nearly 44% of respondents and 46% of C-level respondents report the acceleration of DevOps has positively affected security operations. More than 30% say they're part of the DevOps team, and more than 19% say they have a close, positive relationship with the DevOps team.

Still, work remains. Thirty percent of security pros surveyed say their relationships with DevOps are complicated, contentious, not worth mentioning, or nonexistent.

Woods says regulatory changes, such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, are influencing the ways people bring security into the development process. Both of these acts mandate security to be built-in by design. If an organization suffers an outage and data loss and cannot show security was integrated by default, it will suffer higher penalties, he explains.

This realization has made its way to the C-suite, where people are realizing the need for better oversight around cloud security deployment. In many organizations, executives are recognizing regulatory changes and the reality of "pay now or pay later," Woods says.

What's Holding Back Non-Adopters?
Organizations hesitant to adopt the cloud are primarily holding back due to poor visibility, the survey shows. Forty-five percent cite lack of visibility, lack of training, and lack of control as the top three challenges to securing their public cloud environments. Oftentimes, the tools businesses have don't provide proper visibility in a hybrid enterprise with multiple clouds and on-prem tools.

"Having good visibility into all that is critical if you're going to manage it," Woods says. "You can't manage what you can't see, and you can't secure what you don't know about."

Many organizations are eager to move to the cloud but don't want to put their information at risk. Data is the currency of many modern enterprises, he continues, and they worry about its safety. At the same time, they don't want to risk being noncompetitive by staying stagnant.

Despite the challenges, Woods anticipates adoption will continue to accelerate. "One thing I don't think is going to happen is I don't think cloud deployment is going to slow down," he says.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/1/2019 | 9:41:38 AM
Not slowing down
I have mentioned before that Steve Wozniak said, ages ago, that there is no security in the cloud.  He should know, rarely wrong.  That said, to my mind, at heart the cloud is simply an enormously long RJ-45 or fibre cable from your network to a physical server SOMEWHERE else in the world under god knows whose control.  Who knows whose hands are on that keyboard far away and what protection controls really are in place.  We don't know that and never can in effect.  So there is no real security, only limited functionality and controls that we can put in place on our side of the line. 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.