Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/18/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Security Costs of Cloud-Native Applications

More than 60% of organizations report the bulk of new applications are built in the cloud. What does this mean for security?

Businesses are increasingly reliant on cloud-native applications despite the strong, broad perception that use of the cloud will drive security risks. So, where are the security gaps and which issues are top of mind?

The data comes from "The State of Cloud Native Security," a new study sponsored by Capsule8, Duo Security, and Signal Sciences. Researchers polled 486 senior-level decision makers and security pros from companies generating at least $250 million (50%) or at least $1 billion (50%) in revenue across eight industries, including financial services, tech, education, retail, government, nonprofits, manufacturing, and transportation.

They found 62% of companies rely on cloud-native applications (CNAs) for more than half of their apps, a figure predicted to hit 80% over the next three years. More than half of respondents believe CNAs increase their risk and view security as a barrier for adoption.

Visibility into cyberattacks is one security concern at top of mind: 73% of respondents say they lack actionable insight into threats and ongoing attacks. At a network level, poor visibility leads to spurious alerts, explains Capsule8 CEO John Viega. And as cyberattacks increase, so does the rise of security notifications: Only about one-third of businesses surveyed could addresses more than 75% of alerts their company receives.

False positives are another key issue plaguing IT and security environments: 46% of respondents say more than half of production environment alerts were false positives. Poor analytics is the top driver of false positives, according to nearly half of security and IT experts polled.

Employees in more traditional environments "throw algorithms at the problem" and try to gather and process more data as a means of improving threat detection, Viega explains.

However, in a cloud-native environment, "we're finding the biggest wins come from first improving the quality of the data before you improve the algorithms," he says. Instead of evaluating massive amounts of traffic at high speed, companies using CNAs have access to the cloud provider's API and can analyze data in a way that won't affect system performance.

As cloud infrastructure and applications take on a bigger role in production environments, security becomes a greater priority. The biggest concerns here are malware on servers (32%), targeted attacks from known threat actors (17%), and zero-day attacks (12%).

Nearly half (48%) of respondents say an attack has done damage to production environments, resulting in system damage (48%), loss of customer data (44%), and loss of financial data (31%).

Motivating the Move to Cloud
Researchers pointed to three primary drivers for the move to cloud-native apps: nearly 40% of respondents say they're "modernizing the most critical parts of the business." Thirty-one percent cite new software development, stating this is the way software is built now, and 29% report operational cost savings.

The larger the organization, the more likely it will rely on cloud-native apps for new deployments. For example, 55% of companies with $250 million to $499 million in revenue have most of their new apps running as cloud native. That number jumps to 60% for companies with $500 million to $999 million in revenue, 63% for those with $1 billion to $4.9 billion in revenue, and 71% for those with $5 billion to $9.9 billion in revenue.

However, that's where things take a turn. Businesses with more than $20 billion in annual revenue are "a bit more on the conservative side," experts report. Only 61% deploy more than half of their applications as cloud native; 23% use less than a quarter cloud-native apps.

CNA usage also varies by industry. Government institutions, for example, are least likely to extensively use them, and only 46% report the majority of their new apps are native to the cloud. On the other side of the spectrum are education, which reports 70% reliance on CNAs, along with financial services and technology (67% each), and 65% of retail companies.

"The people who are leading are not regulated and build a lot of software," Viega points out, using media companies and tech companies that grew up in the cloud as examples. Businesses in regulated environments tend to move less mission-critical applications to the cloud first.

"For a large financial institution, the consumer-facing platform might be one of the last things to go because that will get a tremendous amount of oversight," he says as an example.

Rethinking Security
Companies polled experienced at least twice as many cyberattacks this year compared with last year, researchers found. Viega says the increase isn't necessarily due to cloud.

"In many respects, the bad guys are the same and using the same techniques," he explains. Fifteen years ago, applications were made up of 90% custom code and 10% open source — today, it's about 80% to 90% open source and a little bit of custom code. This "definitely changes the equation a bit," he adds, as it gives the attacker more visibility into what he might exploit, regardless of whether an application is running in the cloud or not.

He advises companies to rethink security as they adopt cloud and not to "lift and shift" the way they do security in their traditional environments. You'll find it doesn't give scalability and cost-effectiveness, he says. In fact, fitting "a square peg in a round hole" can worsen security.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28488
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...