Businesses are increasingly reliant on cloud-native applications despite the strong, broad perception that use of the cloud will drive security risks. So, where are the security gaps and which issues are top of mind?
The data comes from "The State of Cloud Native Security," a new study sponsored by Capsule8, Duo Security, and Signal Sciences. Researchers polled 486 senior-level decision makers and security pros from companies generating at least $250 million (50%) or at least $1 billion (50%) in revenue across eight industries, including financial services, tech, education, retail, government, nonprofits, manufacturing, and transportation.
They found 62% of companies rely on cloud-native applications (CNAs) for more than half of their apps, a figure predicted to hit 80% over the next three years. More than half of respondents believe CNAs increase their risk and view security as a barrier for adoption.
Visibility into cyberattacks is one security concern at top of mind: 73% of respondents say they lack actionable insight into threats and ongoing attacks. At a network level, poor visibility leads to spurious alerts, explains Capsule8 CEO John Viega. And as cyberattacks increase, so does the rise of security notifications: Only about one-third of businesses surveyed could addresses more than 75% of alerts their company receives.
False positives are another key issue plaguing IT and security environments: 46% of respondents say more than half of production environment alerts were false positives. Poor analytics is the top driver of false positives, according to nearly half of security and IT experts polled.
Employees in more traditional environments "throw algorithms at the problem" and try to gather and process more data as a means of improving threat detection, Viega explains.
However, in a cloud-native environment, "we're finding the biggest wins come from first improving the quality of the data before you improve the algorithms," he says. Instead of evaluating massive amounts of traffic at high speed, companies using CNAs have access to the cloud provider's API and can analyze data in a way that won't affect system performance.
As cloud infrastructure and applications take on a bigger role in production environments, security becomes a greater priority. The biggest concerns here are malware on servers (32%), targeted attacks from known threat actors (17%), and zero-day attacks (12%).
Nearly half (48%) of respondents say an attack has done damage to production environments, resulting in system damage (48%), loss of customer data (44%), and loss of financial data (31%).
Motivating the Move to Cloud
Researchers pointed to three primary drivers for the move to cloud-native apps: nearly 40% of respondents say they're "modernizing the most critical parts of the business." Thirty-one percent cite new software development, stating this is the way software is built now, and 29% report operational cost savings.
The larger the organization, the more likely it will rely on cloud-native apps for new deployments. For example, 55% of companies with $250 million to $499 million in revenue have most of their new apps running as cloud native. That number jumps to 60% for companies with $500 million to $999 million in revenue, 63% for those with $1 billion to $4.9 billion in revenue, and 71% for those with $5 billion to $9.9 billion in revenue.
However, that's where things take a turn. Businesses with more than $20 billion in annual revenue are "a bit more on the conservative side," experts report. Only 61% deploy more than half of their applications as cloud native; 23% use less than a quarter cloud-native apps.
CNA usage also varies by industry. Government institutions, for example, are least likely to extensively use them, and only 46% report the majority of their new apps are native to the cloud. On the other side of the spectrum are education, which reports 70% reliance on CNAs, along with financial services and technology (67% each), and 65% of retail companies.
"The people who are leading are not regulated and build a lot of software," Viega points out, using media companies and tech companies that grew up in the cloud as examples. Businesses in regulated environments tend to move less mission-critical applications to the cloud first.
"For a large financial institution, the consumer-facing platform might be one of the last things to go because that will get a tremendous amount of oversight," he says as an example.
Companies polled experienced at least twice as many cyberattacks this year compared with last year, researchers found. Viega says the increase isn't necessarily due to cloud.
"In many respects, the bad guys are the same and using the same techniques," he explains. Fifteen years ago, applications were made up of 90% custom code and 10% open source — today, it's about 80% to 90% open source and a little bit of custom code. This "definitely changes the equation a bit," he adds, as it gives the attacker more visibility into what he might exploit, regardless of whether an application is running in the cloud or not.
He advises companies to rethink security as they adopt cloud and not to "lift and shift" the way they do security in their traditional environments. You'll find it doesn't give scalability and cost-effectiveness, he says. In fact, fitting "a square peg in a round hole" can worsen security.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.