Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

10/19/2015
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Enterprises Are Leaving Cloud Security Policies To Chance

Only a third have a strategy for securing a mix of different data center and cloud deployment scenarios.

As the lines blur between data center and cloud provider facility, very few organizations are keeping up with policies and technology geared to handle the shift to dynamic data centers, reports a new study out by the SANS Institute last week. The report shows that even at the most basic level, planning is scarce: fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use.

“Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments,” says Dave Shackleford, SANS analyst and author of the report. “Teams that are ahead of the game have already developed strategies describing how traditional and cloud computing models fit together, typically outlining what data or other assets can go to which type of external provider and what conditions should be placed on providers of different types or security levels.”

Commissioned by Illumio, the survey polled over 400 organizations to get the full picture on the state of security in today’s environments. As things stand, over half of organizations surveyed utilize Infrastructure-as-a-Service (IaaS) and almost a third use Platform-as-a-Service. While most of these services operate under a shared responsibility model that requires users to protect environments contained within, the truth is that the amount of security technology used within the cloud remains low compared to similar assets on premise; in most major categories it is half or less.

For example, while 75 percent of organizations utilize identity and access management tools on premises, only 31 percent use it in the cloud. And while 63 percent of organizations use a SIEM to track security events across traditional data center assets, just 25 percent do the same with cloud assets.

“This seeming reduction in use of security tools is a huge issue for many organizations today, given the fact that many public cloud providers don’t currently offer or support many security tools considered standard by most security teams,” Shackleford says. “While some cloud providers do have security offerings available, they fall far short of the security stack used by most survey respondents.”

Of course, that may not completely be the fault of the organizations themselves. Two of the biggest challenges cited by respondents in setting up security in the cloud was visibility into cloud provider practices and cooperation from cloud providers in supporting the customers’ security technology.

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
10/20/2015 | 3:42:41 PM
A growing issue
I find it concerning that "fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use," and I agree that "Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments." I think it is critical to be able to manage the security policy from a single, central command, to secure big data, databases, cloud applications, file servers, applications and more.

Cloud is a particular concern and the Ponemon study "The State of Data Security Intelligence," reported that "Data that is outsourced to cloud is the biggest worry." Another Ponemon study reported that "Less than four in 10 leverage security tools to protect enterprise applications and data in the cloud."

Gartner released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach." The report recommended CIOs and CISOs to address data residency and compliance issues by "applying encryption or tokenization," and to also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys." Example of solutions can be found in another Gartner report that concluded that "Cloud Data Protection Gateways" provides a "High Benefit Rating" and "offer a way to secure sensitive enterprise data and files stores of data and use cases.

Ulf Mattsson, CTO Protegrity
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10737
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
CVE-2020-13622
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
CVE-2020-13623
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.
CVE-2020-13616
PUBLISHED: 2020-05-26
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
CVE-2020-13614
PUBLISHED: 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.