Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

10/19/2015
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Enterprises Are Leaving Cloud Security Policies To Chance

Only a third have a strategy for securing a mix of different data center and cloud deployment scenarios.

As the lines blur between data center and cloud provider facility, very few organizations are keeping up with policies and technology geared to handle the shift to dynamic data centers, reports a new study out by the SANS Institute last week. The report shows that even at the most basic level, planning is scarce: fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use.

“Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments,” says Dave Shackleford, SANS analyst and author of the report. “Teams that are ahead of the game have already developed strategies describing how traditional and cloud computing models fit together, typically outlining what data or other assets can go to which type of external provider and what conditions should be placed on providers of different types or security levels.”

Commissioned by Illumio, the survey polled over 400 organizations to get the full picture on the state of security in today’s environments. As things stand, over half of organizations surveyed utilize Infrastructure-as-a-Service (IaaS) and almost a third use Platform-as-a-Service. While most of these services operate under a shared responsibility model that requires users to protect environments contained within, the truth is that the amount of security technology used within the cloud remains low compared to similar assets on premise; in most major categories it is half or less.

For example, while 75 percent of organizations utilize identity and access management tools on premises, only 31 percent use it in the cloud. And while 63 percent of organizations use a SIEM to track security events across traditional data center assets, just 25 percent do the same with cloud assets.

“This seeming reduction in use of security tools is a huge issue for many organizations today, given the fact that many public cloud providers don’t currently offer or support many security tools considered standard by most security teams,” Shackleford says. “While some cloud providers do have security offerings available, they fall far short of the security stack used by most survey respondents.”

Of course, that may not completely be the fault of the organizations themselves. Two of the biggest challenges cited by respondents in setting up security in the cloud was visibility into cloud provider practices and cooperation from cloud providers in supporting the customers’ security technology.

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
10/20/2015 | 3:42:41 PM
A growing issue
I find it concerning that "fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use," and I agree that "Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments." I think it is critical to be able to manage the security policy from a single, central command, to secure big data, databases, cloud applications, file servers, applications and more.

Cloud is a particular concern and the Ponemon study "The State of Data Security Intelligence," reported that "Data that is outsourced to cloud is the biggest worry." Another Ponemon study reported that "Less than four in 10 leverage security tools to protect enterprise applications and data in the cloud."

Gartner released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach." The report recommended CIOs and CISOs to address data residency and compliance issues by "applying encryption or tokenization," and to also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys." Example of solutions can be found in another Gartner report that concluded that "Cloud Data Protection Gateways" provides a "High Benefit Rating" and "offer a way to secure sensitive enterprise data and files stores of data and use cases.

Ulf Mattsson, CTO Protegrity
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5524
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via UPnP function.
CVE-2020-5525
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via management screen.
CVE-2020-5533
PUBLISHED: 2020-02-21
Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-5534
PUBLISHED: 2020-02-21
Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors.
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.