Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

10/19/2015
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Enterprises Are Leaving Cloud Security Policies To Chance

Only a third have a strategy for securing a mix of different data center and cloud deployment scenarios.

As the lines blur between data center and cloud provider facility, very few organizations are keeping up with policies and technology geared to handle the shift to dynamic data centers, reports a new study out by the SANS Institute last week. The report shows that even at the most basic level, planning is scarce: fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use.

“Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments,” says Dave Shackleford, SANS analyst and author of the report. “Teams that are ahead of the game have already developed strategies describing how traditional and cloud computing models fit together, typically outlining what data or other assets can go to which type of external provider and what conditions should be placed on providers of different types or security levels.”

Commissioned by Illumio, the survey polled over 400 organizations to get the full picture on the state of security in today’s environments. As things stand, over half of organizations surveyed utilize Infrastructure-as-a-Service (IaaS) and almost a third use Platform-as-a-Service. While most of these services operate under a shared responsibility model that requires users to protect environments contained within, the truth is that the amount of security technology used within the cloud remains low compared to similar assets on premise; in most major categories it is half or less.

For example, while 75 percent of organizations utilize identity and access management tools on premises, only 31 percent use it in the cloud. And while 63 percent of organizations use a SIEM to track security events across traditional data center assets, just 25 percent do the same with cloud assets.

“This seeming reduction in use of security tools is a huge issue for many organizations today, given the fact that many public cloud providers don’t currently offer or support many security tools considered standard by most security teams,” Shackleford says. “While some cloud providers do have security offerings available, they fall far short of the security stack used by most survey respondents.”

Of course, that may not completely be the fault of the organizations themselves. Two of the biggest challenges cited by respondents in setting up security in the cloud was visibility into cloud provider practices and cooperation from cloud providers in supporting the customers’ security technology.

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
10/20/2015 | 3:42:41 PM
A growing issue
I find it concerning that "fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use," and I agree that "Security teams need to do a lot of thinking to keep up with the rapid diversification
 of enterprise computing into a variety of private, public, cloud and traditional environments." I think it is critical to be able to manage the security policy from a single, central command, to secure big data, databases, cloud applications, file servers, applications and more.

Cloud is a particular concern and the Ponemon study "The State of Data Security Intelligence," reported that "Data that is outsourced to cloud is the biggest worry." Another Ponemon study reported that "Less than four in 10 leverage security tools to protect enterprise applications and data in the cloud."

Gartner released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach." The report recommended CIOs and CISOs to address data residency and compliance issues by "applying encryption or tokenization," and to also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys." Example of solutions can be found in another Gartner report that concluded that "Cloud Data Protection Gateways" provides a "High Benefit Rating" and "offer a way to secure sensitive enterprise data and files stores of data and use cases.

Ulf Mattsson, CTO Protegrity
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2019-14678
PUBLISHED: 2019-11-14
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects t...