Recent forecasts from Gartner show that the public cloud will attract more than half of the global enterprise IT spending by 2025. Gartner says there’s a “cloud shift” coming and all enterprise IT categories which are able to be in the cloud will make that transition.
But, there’s an issue. A separate report by Confluera says that 66% of IT professionals say that cloud adoption is the biggest contributor to their IT security workload. This means that there are plenty of security challenges associated with the cloud, which hamper its growth, and 63% say that cyberthreats are their main obstacle regarding their cloud adoption strategies.
But wait… Wasn’t the cloud supposed to be more secure? Well, it is, but that doesn’t mean it is without its fair share of issues. Now, the scale and seriousness of these issues is a dividing topic. For some, it’s nothing major, but for others, it’s a big problem.
Is everything in the cloud broken?
Recently the director of Thought Leadership in Sysdig, Anna Belak, made quite the polarizing post. On DarkReading she wrote an article asking: “If the cloud is more secure, then why is everything still broken?”
Belak argues that 75% of running containers in the cloud have high or critical vulnerabilities. Most of them have available patches, but they aren’t applied. This is an issue that has plagued the IT world for decades – admins not “admiring” and leaving lots of unpatched vulnerabilities. The cloud was supposed to help solve this issue and it does to a point, but there’s still a lot of “bringing bad habits to the cloud,” says Belak.
She argues that one of the reasons is wrong expectations. Companies migrate to the cloud expecting that everything will sort itself out. After all automated features, ease of maintenance, and increased security are the cloud’s key selling points, right? In reality, companies still have a lot of work to do when it comes to the cloud maintenance. Often they neglect that fact.
Cloud migration does not magically modernize workloads or the processes around them, and security is no exception. In fact, security is often the last thing we want to address because it tends to slow down everything else.Anna Belak, Director of Thought Leadership in Sysdig
Sysdig’s data shows that 48% of organizations don’t have multifactor authentication enabled even on their root user, whilst 27% of them use the same account for regular administrative tasks, further increasing the risks. The sad reality is that this has nothing to do with the cloud. It’s all up to the users to implement these features. Even sadder, when there’s a security incident, people would blame the cloud for it for “not being secure enough” when in reality it’s all due to the way it’s being used.
It’s all about the approach
Balek notes that transformation is a complex process and takes time. It’s best done in phases. For example, 48% of images are scanned for vulnerabilities before they are deployed, but 52% are scanned afterwards, creating a delay in the discovery of vulnerabilities, giving hackers additional opportunities.
There are two main reasons for that. One is that many organizations still neglect security and pay attention to it at a later phase of their development process. Whereas instead, they should transition to a process where security is in the main pipeline during development. Yes, this will potentially delay the entire completion of the project, but it will also result in a much better secured product which will be a longer term benefit to everyone.
Another reason is that a lot of cloud components are coded by third parties, e.g Kubernetes, Web servers, etc. These are items that organizations feel are already checked and are usually deployed at a later stage. As a result, any potential issues within them will linger for longer or may remain unnoticed. And then there’s the good old “not my job” thought. If the third party hasn’t done a proper job with their component, any issue will fall on them, so why bother? Well, because your business will also suffer if there’s a breach.
There’s also the thought of “you can’t prevent this and you can’t fix all vulnerabilities”. Yes, but you can for sure minimize them. If we accept that 75% of containers right now run with serious vulnerabilities and we take this down to 45% that’s still a lot, but substantially better than what it was.
We also have to consider that the cloud will continue to grow no matter what. The cloud is not going anywhere – so, if we already have billions of cloud containers running daily, imagine what is going to be like in five years. Therefore, vulnerability scans, detection, mitigation, and documentation will be critical and should be a regular, automated process. It’s a lot – but it’s definitely manageable.
Or is it?
Coming back to Confluera’s survey, 97% of IT security processionals have said their cloud strategy includes the expansion of cloud deployments. This means not only in scale, but across several cloud platforms. Thus, the multi-cloud approach is shaping up to be a major trend among organizations.
As noted, 63% of IT professionals say that cyberthreats are the top obstacle for cloud adoption. When it comes to a multi-cloud adoption, then 69% of IT professionals note there’s a need for consistent security across all cloud platforms. In short, they want a way to easily tackle all security issues and features across the multi-cloud platforms they might be using.
Currently, a lot of organizations feel overwhelmed by all the risks, false alerts, and other issues they must tackle. This results in “alert fatigue” which increases the risk of neglecting actual issues. Despite that, organizations want to accelerate their cloud adoption and include the multi-cloud approach, too. It’s becoming apparent that they will need some extra help to do so. This may come in the form of better interoperability between cloud platforms and/or via new services that will improve overall cloud security; there are some interesting opportunities shaping up.
You don’t have to wait
With that being said, you should not wait for such a service to pop up to start improving your cloud security. There are several things you can do right now, says David Puzas, product marketing leader for Cloud Security at CrowdStrike. In an opinion piece for DARKReading he notes that “traditional security tools fail, and they haven’t kept up with the new ways of work.”
One of the reasons is that they are very focused on specific tasks within a specific environment, but when we have a shift towards a multi-cloud, these tools will experience issues with their effectiveness. Add the aforementioned increase in vulnerable workloads and cloud items and you can’t really blame the traditional tools for not managing it all. In fact, they are still doing a surprisingly good job considering the overall picture.
Right now, securing on-premises systems may seem an easier option, especially since there are so many tools available for that. Most of these tools can’t really scale up properly for a multi-cloud environment, notes Puzas. Instead, focus shifts to patchwork solutions, and while decentralization is generally viewed as a good thing in IT, when it comes to security, that’s not always the case.
But fret not. Organizations still have options, says Puzas. He points to adopting an adversary-focused approach. The main goal here is to keep in tune with the tools crooks use in these multi-cloud and hybrid environments. When the organization follows these developments, it can be better at securing its cloud environment and be more proactive.
Puzas also notes that this adversary-focused approach features three main areas for organizations to put additional effort in. The first one is visibility. This means organizations spending the needed time and effort to discover how many cloud assets they have and where they reside. This will allow security teams to discover new environments, and be on the lookout for potential vulnerabilities at less-than-expected places, etc. The teams will also be able to deliver vulnerability assessments and find potential issues, weak links, and even unneeded cloud resources and assets that can be either removed or optimized. This will result in a better overall security and performance of the cloud environment of the given organization.
Next up – basic cloud hygiene. This one is a continuation of the visibility vector. Delegate tasks better, talk with your cloud vendor about what part of the security is covered by them, what else they could help you out with and what you need to tackle yourself. Knowing who takes care of what will be highly beneficial. Also, access management to make specific accounts with permissions for their defined needs. Yes, it’s easier to simply do it from a root account, but just imagine the risks if it gets compromised. It is much safer to use accounts which allow access only to certain features and areas depending on what the given user needs. Here we should also add multifactor authentication, regular updates for components, etc. Even additional employee security training will be of benefit eventually.
Onto the third vector – automation. Use automation services to your benefit – not just for regular tasks. There are increasingly more automated security features coming up for cloud environments. They are an absolute must as the cloud is expanding and as such, possible attack surfaces are too, notes Puzas. So, employ automation for security at the very least to monitor the environment and explore the possibilities for automated responses, too.
The shift to the cloud has only accelerated over the past two years due to COVID-19, as organizations responded to a new business and social dynamic. Technology and service providers that fail to adapt to the pace of cloud shift face increasing risk of becoming obsolete or, at best, being relegated to low-growth markets.Michael Warrilow, Research Vice President at Gartner
The same goes for cloud security: Don’t neglect it and don’t view it as scary or complex. Research and adapt. As you do so, you will discover even more ways to get the most out of the cloud. You will also see that the cloud isn’t broken, but just requires some care and attention.
Another article you might like: