After more than a decade of employing cloud resources to varying degrees, IT organizations are still struggling with security issues. A survey of 400 senior IT professionals published by Aptum, a provider of IT services, finds 85% of respondents lack a clear mechanism to detect and respond to threats across all cloud environments.
Less surprisingly, 82% of respondents cited access management to multiple cloud environments as a barrier to security, governance, and compliance, while 81% identified the lack of visibility into all cloud environments through a single portal as a barrier.
The paradox surfaced by the survey is that more than half the survey respondents (51%) said they also viewed security as the main driver for moving to the cloud. While that may seem somewhat counterintuitive, the fact remains that most on-premises IT environments are not all that secure. In fact, the infrastructure managed by a cloud service provider is usually a lot more secure.
Where things get complicated is around the shared security model that cloud service providers require organizations to buy into. The basic idea is that organizations are responsible for securing their applications and making sure all the cloud services they employ are properly configured. The trouble is most organizations are still unclear on the concept. A recent survey of 750 IT professionals conducted by Oracle and KPMG finds only 8% said they fully understand the shared security model.
Unfortunately, things may get worse before they get anywhere near being better. Application workloads were migrating to the cloud at a steady clip long before the COVID-19 pandemic. The level of adoption has increased dramatically as organizations increasingly appreciated the simple fact cloud applications are easier to build, deploy and manage at a time when most IT teams are required to work from home as much as possible. As the rate of adoption has increased so too has the number of cloud platforms being employed. The attack surface that needs to be defended continues to expand unabated.
More challenging still, cloud computing platforms are becoming more complex by the day. Developers are making use of a wide range of cloud-native technologies such as containers, Kubernetes, and serverless computing frameworks to build applications based on microservices applications. In theory, these applications are more secure because it’s simpler to rip and replace a microservice that might contain a vulnerability. In practice, the level of dependencies that can exist between microservices requires IT teams to make sure malware isn’t able to move laterally in the event one microservice is compromised. In effect, microservices-based applications are not more secure. They are simply insecure in a different way than a traditional monolithic application.
Of course, there’s no stopping the transition to the cloud. The challenge cybersecurity teams are all facing now is acquiring the requisite skills and expertise required to secure these environments. Hopefully, as organizations embrace best DevSecOps practices, cybersecurity teams will be able to count on more help from developers. Right now, however, it’s those very same developers that are creating the misconfiguration of cloud services that are at the root of most cloud security issues.
Whatever the outcome it’s apparent the current status quo when it comes to cloud security can not hold. One way or another something will have to give, hopefully for the better, sometime soon.