Building a hybrid cloud environment can provide a host of benefits for organizations, including a level of flexibility and agility not possible with a traditional on-premise data center infrastructure. But it can also create complexities that can lead to increased risk for enterprises.
As noted in a December 2018 document released by the Cloud Security Alliance (CSA), a not-for-profit organization dedicated to defining and raising awareness of best practices for secure cloud computing, and the National Technology Security Coalition (NTSC), a non-profit organization that advocates for information security executives, cloud computing has rapidly gained traction as a significant and even default IT environment for many different organizations.
“For some, cloud has become the foundation for digital transformation, leading to a rapid acceleration in the use of this technology and highly dynamic, software-defined configurations,” the report said. “In such a dynamic environment, cyber security is paramount—especially with third parties that provide cloud or cloud-based services to companies. This new era of technology dependence on cloud has placed enormous strain on how IT is governed, regulated, and secured.”
Contemplating the numerous threats to an organization’s technology assets quickly becomes overwhelming, the study said. To respond, technology and business leaders try to enumerate and manage risk.
But developing a comprehensive IT risk management program often eludes and remains beyond the reach of many organizations, the report said. Pressure to more quickly deliver products to market, along with navigating the complexities of conducting assessments and remediation work, makes comprehensive risk management difficult.
A study by marketing services company Informa Engage and cloud security provider Alcide released in late 2018 analyzes the increased complexity and uncertainty of the hybrid cloud.
The report, based on a survey of 450 DevOps, IT, and security professionals across a variety of cloud-native organizations conducted in August 2018, shows that one third of the organizations are using more than five security tools, with multiple application policy configurations and multiple individuals to control these increasingly complex distributed environments.
Cloud complexity and distribution is increasing, the report said, with new cloud environments and workloads penetrating the market. While virtual machines (VMs) remain the most common cloud environment (cited by 83% of the respondents), containers (37%), serverless (28%), bare metal (25%) and service mesh (21%) are gaining traction, equally becoming more widely used as environments diversify.
While only a small number of organizations are currently running exclusively in the public cloud (8%) or on-premise (16%), hybrid and multi-cloud approaches now make up more than three-quarters of all configurations at organizations (77%).
Cloud security ownership is becoming more integrated across teams, the report said, creating added complexity and uncertainty around security responsibilities. Fewer than half of the organizations surveyed (45%) now have a dedicated security team responsible for the cloud.
About one third of all organizations (35%) now use either a DevOps team or dedicated DevSecOps team for security. Fewer (20%) are using an alternative approach to cloud security or simply do not know who is specifically responsible for cloud security.
Also adding to the complexity of cloud security is the fact that the number of tools used to secure cloud environments is increasing. One-third of organizations are now using more than five tools for cloud security. A majority of organizations (75%) expect to increase the number of tools in use over the next 12 months, and none of them plan to reduce the number.
Even with the large number of security tools currently in use, most organizations are still relying on manual policy configurations for applications, and multiple individuals to set the rules. More than half of organizations (60%) rely on manual configurations of security policies, and nearly all (90%) rely on multiple individuals to configure and set policy rules.
Organizations continue to rely on new workloads such as serverless, despite a lack of confidence and experience in these environments. One third of respondents (32%) already using serverless openly express a lack of confidence in the security of their environments. And despite some security concerns, the majority of serverless users (57%) are currently running it in both production and development.
Over the next year there will be a major increase in serverless adoption, and potentially confidence will rise as organizations familiarize themselves with this new type of workload, the report said.
As for steps companies can take to bolster cloud security, the CSA recommends that businesses reduce their reliance on proprietary, in-house security assessment programs related to cloud computing. Instead, they should leverage the organization’s Security, Trust & Assurance Registry (STAR) program and its associated assurance tools as core components of vetting and procuring cloud providers and services.