The early promises of the move to cloud computing were to simplify cloud management and security, and in many ways these promises have been kept. In other ways, however, cloud environments have increased security complexity. In fact, according to a recent survey, 84% of security professionals report that their organizations struggle to maintain secure cloud configurations.
During the Black Hat USA 2019 conference, security firm Tripwire surveyed 150 attendees about their views toward enterprise cloud security.
The survey found that respondents believe cloud environment complexity is hindering their ability to manage security effectively. In fact, 35% of respondents said it was very easy to accidentally expose data publicly through the cloud and 40% said it was “somewhat easy.” About 25% said it was not easy.
History bears this out. Unsecured clouds have accounted for millions of breached records. There have been plenty of examples this year, perhaps the most notorious being the Capital One breach that affected over 100 million. As independent journalist Brian Krebs reported, the exposed data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers for Canadian credit card customers.
Last year stories broke of military contractor files left online and unsecured. In 2017, Verizon exposed millions of customer records due to an unprotected S3 bucket. Dow Jones experienced a similar situation. And throughout 2016 and 2017 we saw numerous poorly configured cloud-based databases being breached.
The vast majority of those breaches were caused by cloud misconfigurations. According to Tripwire’s survey, 84% of respondents find it difficult to maintain secure configurations across cloud services, and 17% said it was “very difficult.”
The hybrid nature of enterprise cloud environments is also contributing to the complexity. Enterprises not only have applications and data in on-premises and cloud systems, they also use various types of cloud services from multiple cloud service providers: public and private clouds, public cloud services, and software-as-a-service and platform-as-a-service offerings. That’s a mouthful of services to write, let alone manage.
Interestingly, the Tripwire survey found that 77% of respondent organizations manage 10% or more of their workloads in the cloud. Only 13% are managing three-fourths of their organization’s workload in the cloud, and about half of respondents said that more than 50% of their organization’s workloads are in the cloud. No information was released about the size of respondent enterprises, so it is difficult to determine the value of these specific findings. One could assume the percentage of cloud workloads would be a function of enterprise size, age, and type of business.
The report found that SaaS was the most used cloud service, with 70% of respondents using SaaS to some degree.
Also of note, 73% of industry respondents said the Shared Responsibility Model for security responsibilities between them and their cloud provider ranged from “not clear” (28%) to “somewhat clear” (45%).
Perhaps the most surprising aspect to me isn’t that cloud environments can be complex to secure and manage, or that there is confusion at times about where the enterprise’s security responsibility ends and that of the cloud provider begins, or that configuration management is proving to be challenging. It’s that so few, despite being aware of all of that, are taking constructive action about it. Only 54% of respondents said that they had cloud configuration management in place at the time of the survey.
These findings resonate with a recent report from the Cloud Security Alliance, Top Threats to Cloud Computing. That report found misconfiguration and inadequate change control to be among the top concerns.
There’s no shortage of quality materials designed to help organizations to better secure their cloud services. One place to start is Version 7 of the Center for Internet Security Controls Cloud Companion Guide.
The CIS Controls are guidelines that help organizations build a set of practices that aim to provide defense in depth and mitigate the risks of common attacks that target enterprises. CIS describes the controls as being developed by “a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defense, and others.”
There’s also the U.S.’s NIST Cloud Security Automation Framework, which provides guidance on automating security configurations in the cloud. Within Europe, there is the European Union Agency for Cybersecurity’s Cloud Security Working Group, which also publishes lots of insight on how to keep clouds secure.
It’s not as if organizations are not aware of these challenges. About a year ago, in Cloud Security Rises to Top of 2019 Cybersecurity Budget Priorities, Ericka Chickowski covered a report from Threat Stack that found that cloud workload security topped the list of allocations for this year's cybersecurity spending initiatives. And it beat out IDS/IPS, security information and event management systems, security awareness training, and endpoint protection. “Meantime, Gartner's worldwide security spending projections for next year show a blazing hot growth rate for cloud security. Analysts with the firm expect the category to grow by 51% in 2019, more than five times the 9% rate of growth expected for the overall security market,” she wrote.
We can hope those investments have been made, and that in future years we won’t read surveys about the vast majority of organizations straining to maintain their clouds securely.