The cloud offers businesses accessibility and scalability but those very benefits make security a prime concern.
Securing data in the cloud is very different to on-prem, as many of those who have migrated their data and sought to do the same with their security solutions have found out. According to the Cloud Security Report 2022 from ISC(2), 78 percent of respondents said traditional security solutions don’t work or have limited functionality in the cloud.
The same report determined that 76 percent of organisations are now using two or more Cloud Service Providers (CSPs) and 72 percent have a hybrid or multi-cloud strategy. There’s also been a proliferation in the number of platforms being used, with 90 percent using three or more while 17 percent are using eight or more, leading to ‘cloud sprawl’. Many are now confident enough to entrust the cloud with business-critical functions, with 66 percent of those surveyed in Splunk’s The State of Security 2022 report saying their business-critical apps are now cloud-hosted, up by a whopping 25 percent from a year ago.
Yet security is still a secondary consideration during this rapid expansion. As Splunk’s Ryan Kovar puts it: “Three years ago, I was hearing ‘Wait, I have to monitor the cloud?’ Now its ‘Of course, I have to monitor the cloud. But how?’ He suggests security teams are only now “figuring out the scope of their security challenges” as deployments mature. Unfortunately, in the interim, the number of organisations that are falling victim to attacks or who are found to be non-compliant with industry regulations, is on the rise.
The Thales Global Cloud Security Report 2022 found over a third of organisations (35 percent) have experienced a data breach or failed an audit involving data and applications in the cloud-based breach over the course of the past year. Nearly a third (32 percent) had to issue a breach notification to a government agency, customer, partner or employee, revealing that even those in highly regulated industries are being caught out. Respondents said that cyber-attacks are up, with web, cloud-delivered and cloud-hosted applications as well as cloud-based storage among the top targets.
Worryingly, Splunk’s findings were even more stark as it found almost half (49 percent) of businesses had suffered a data breach over the course of the past two years, up 10 percent from its previous survey, and that 40 percent had violated regulations. Consequently, security teams are coming under even more pressure. The report found that 59 percent of teams had to devote more time and resources to remediation, an increase of 17 percent over the year, while 44 percent reported disruption to the business and 44 percent saw the loss of sensitive data.
On the plus side, there’s now evidence of the market maturing. The Cloud Security Alliance (CSA) draws attention to the fact that there’s been a move away from the more generic security threats, risks and vulnerabilities. But that’s where the good news ends as these have been replaced in its latest Top Threats to Cloud Computing: The Pandemic 11 report by control plane weaknesses, metastructure and applistructure issues, as well as a lack of cloud visibility.
Topping the list are insufficient identity, credential, access and key management at #1 (up from #4 in the last report), revealing the need for cloud-tailored Identity and Access Management (IAM). Insecure interfaces and APIs came in at #2 (up from #7), indicating our growing dependency on APIs rather than web applications and the need to monitor and secure these. In third place were misconfiguration and inadequate change control (bumped down from #2 previously), which shows that organisations are still failing to properly deal with configuration and change management.
Where it’s going wrong
To counter this, organisations should look to improve cloud visibility through Cloud Security Posture Management (CSPM) and be more assertive over data security. The ‘shared responsibility model’ delineates responsibility to the CSP for infrastructure and to the business for the security of accounts and data, but the consensus is that many organisations are failing to keep up their end of the bargain by protecting their applications and data. It’s worth noting that CSP system vulnerabilities have now fallen off the CSA list, suggesting CSPs are honouring their part of the deal.
Interestingly, the Splunk report found it’s not the types of attack or their sophistication that are proving to be the problem but the scale and complexity involved. Just over a quarter (28 percent) said they were too busy fighting attacks to refine their security tools and processes to better address these threats, and 27 percent said they were overwhelmed by alerts. This suggests teams are so busy firefighting they’re unable to step back and reassess whether their tools are meeting their needs.
Breaking the cycle
So how can we make these statistics go down? Security teams know they need to do better. In The State of Cloud-Native Security 2022 by Palo Alto Networks, the 55 percent who regarded their organisation as having a weak security posture knew they needed to improve their multi-cloud visibility, governance across accounts and streamlining of incident response. DevSecOps integration and cloud security automation were also flagged as key to achieving a stronger security posture.
But organisations must fundamentally reassess their cyberstack and their approach to security in the cloud. They need to look at the preventative measures they can put in place to guard against misconfiguration, how they can protect the apps and services and every piece of data under their control, and improve visibility in the cloud through the use of observability.
To do that, they need to move away from traditional security solutions and embrace cloud-native tools that offer CSPM for cross-platform control, Cloud Infrastructure Entitlements Management (CIEM) for access control, Cloud Native Application Protection Platform (CNAPP) for the applistructure, and Cloud Workload Protection Platforms (CWPP) for the protection of workloads within the cloud