Securing cloud-based and legacy systems is a balancing act, and businesses have a tough time staying upright. As the race to the cloud picks up speed, many are struggling to fully protect their hybrid environments from zero-day attacks.
Researchers at Enterprise Strategy Group (ESG) polled 450 IT and security pros in North America and Western Europe on hybrid cloud environments and containers. The results demonstrate concern around zero-day attacks and increased container adoption.
"The thesis for the study was the multidimensionality of hybrid clouds is shifting cybersecurity priorities," explains Doug Cahill, senior analyst covering cybersecurity for ESG and leader of this research, which was commissioned by Capsule8.
Hybrid infrastructures have become the major architecture in enterprise environments, a shift that has come with "major headaches and concerns," says Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender.
"The move to hybrid happened because increasingly more organizations want to enjoy the benefit of public cloud - scalability, pay-as-you-go rates and flexibility - but also maintain control over the key infrastructure," he explains. The hybrid approach is a necessary step toward public cloud adoption, especially for companies hesitant about cloud security.
Complexity in the Cloud
"Hybrid clouds are comprised of disparate environments," Cahill says, adding that more than 80% of organizations using infrastructure-as-a-service (IaaS) consume services from multiple providers. "This tells us more workloads are moving to public cloud platforms," he adds.
More than half (56%) of respondents have already deployed containerized production applications; 80% report they will have containers in production within the next 12- to 24 months.
The adoption of new technology is a gradual, phased process and many companies are in the middle of migrating old applications to the cloud. Three-quarters (73%) or organizations use, or will use, containers for both new applications and preexisting legacy applications, Cahill says.
Despite their growing reliance on containers, many businesses will continue to at least partially rely on legacy systems for years to come, he continues. Security becomes a challenge when multiple users are accessing multiple environments from multiple different locations.
The biggest hybrid cloud security challenge is maintaining strong, consistent security across the enterprise data center and multiple cloud environments, says Cahill. Businesses want consistency; they want to be able to centralize policy and security controls across both.
Security teams also struggle to maintain the pace of cloud, an increasingly difficult challenge as cloud continues to accelerate. It used to be that cloud adoption was slowed by security, Cahill points out. Now, containers are driven by the app development team. Security has to keep up.
"One of the things we know about cloud computing in general, and about DevOps, is it's all about moving fast," he points out. "They need to keep pace with the rapid rate of change."
Compliance is a major concern for companies using hybrid cloud, adds Botezatu, who says Bitdefender polled CISOs about their biggest fears related to hybrid cloud in late 2016.
"Lack of visibility into what is happening in the big hybrid datacenter, the increased attack surface, security of backups and snapshots and security of data (either at rest or in transit) were the top five answers," he says.
More Complexity = Larger Attack Surface
The complexity of hybrid cloud environments puts organizations at risk for several types of attack. Forty-two percent of businesses reported an attack on their cloud environment in the past year; 28% said a zero-day exploit had been the attack origin.
"Part of [the reason] is the elastic nature of these environments," says Cahill of the critical zero-day threat. "Servers are so rapidly deployed and sometimes they're put into production without going through assessments and vulnerability scanning."
Common threats include taking advantage of known flaws in unpatched applications (27%), misuse of privileged accounts by inside employees (26%), exploits taking advantage of known flaws in unpatched operating systems (21%), misuse of privileged account via stolen credentials (19%), and misconfigured cloud services, workloads, or network security controls (20%).
"The security in many hybrid cloud environments is focused on the perimeter, while totally missing in-depth defenses," says Ofri Ziv, vice president of research and head of GuardiCore Labs. "This leads to environments with weak network segmentation, which is heaven for attackers and worms."
John Viega, cofounder and CEO of Capsule8, says zero-days will always be a real and unpredictable threat. "This is particularly true in production due to the impact of open source," he adds. A zero-day that appears in production from open-source software will affect a huge number of companies.
Move to Unify Security
Part of the reason security is difficult with hybrid cloud is because the majority (70%) of companies currently use separate controls for public cloud-based resources and on-premise virtual machines and servers. Only 30% use unified controls, Cahill explains.
"It's very siloed today," he says. "There are different tools for different environments managed by different people … but that's not sustainable over time. It doesn't afford the consistency of security policies across disparate environments."
This is poised to dramatically change within the next two years. By that time, 70% of respondents claim they will focus on unified controls for all server workload types across public cloud(s) and on-premise resources.
"One of the most important things a company can do is be disciplined about keeping applications on-premise or in a data center and not moving it until it is absolutely mature enough to be seamlessly be deployed in either environment," adds Viega. One way to control this is to focus on containerization in the software development process.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.