Limited Visibility Security Growing Pains

With Cloud Maturity Comes Security Growing Pains

In battle things happen fast. Environmental conditions change, targets change, and throughout the fight, the capabilities of the various sides change. It can all happen so quickly that it’s difficult for decision makers on the ground to know what is going on without accurate, near instantaneous updates.

Without such updates, visibility into the fight becomes nearly nil and decision making not only becomes difficult but treacherous.

Securing cloud environments, albeit with generally much less dire consequences, can be similar. For security and compliance professionals to be able to properly respond to attacks and the ever-changing conditions of both their environment and adversarial tactics. To succeed, up to the minute visibility is essential.

And it just so happens that visibility into cloud infrastructure operations is one of the most sought after capabilities among those who are embracing cloud for increasingly business critical and data-sensitive applications.

According to a recent survey of more than 2,200 global cybersecurity professionals, among the more than 300,000 members of the Information Security Community on LinkedIn, gaining visibility into cloud infrastructure was cited as the, relative to other concerns, most painful security management headache for 37% of respondents. Visibility was ranked as the second concern in the study conducted a year ago. This year attaining compliance came in second (36%) and then establishing and maintaining consistent security policies ranked third at 33%.

The survey was sponsored by Evident.io, among other security vendors, and it found, not surprisingly, respondents view security as the top barrier to cloud adoption. It also found (and also not surprisingly) that legacy (to cloud) security tools don’t get the job done in cloud environments.

Of course, none of this is slowing cloud adoption. The survey states that cloud investment, overall, continues to grow over 20% annually “as organizations are looking for faster time to deployment, scalability, reduced maintenance, and lower cost.” And according to research firm Gartner, the IaaS segment alone is projected to grow 36.8 percent and reach $34.6 billion this year.

Key cloud security trends highlighted in the study include:

  • Security concerns top the list of barriers to cloud adoption led by general security concerns (53 percent, up from 45 percent in last year’s survey), legal and regulatory compliance concerns (42 percent, up from 29 percent), and data loss and leakage risks (40 percent). The rise in specific concerns about compliance and integration suggests that companies are moving from theoretical exploration of cloud models to actual implementation.
  • Unauthorized access through misuse of employee credentials and improper access controls is the single b iggest threat (53 percent) to cloud security. This is followed by hijacking of accounts (44 percent) and insecure interfaces/APIs (39 percent). One in three organizations say external sharing of sensitive information is the biggest security threat.
  • The vast majority (84 percent) of respondents are dissatisfied with traditional security tools when applied to cloud infrastructure. Respondents say traditional network security tools are somewhat ineffective (48 percent), completely ineffective (11 percent), or can’t be measured for effectiveness (25 percent) in cloud environments.
  • The top three security headaches for organizations moving to the cloud include the following use cases: verifying security policies (51 percent), visibility (49 percent), and compliance (37 percent). These results suggest that companies are further along in implementation of cloud models compared with last year and are looking for security solutions that enhance the capabilities provided by service providers.
  • Organizations moving to the cloud have a variety of choices available to strengthen cloud security. 61% of organizations plan to train and certify existing IT staff, 45% partner with a managed security services provider, and 42% deploy additional security software to protect data and applications in the cloud.

There are a number of interesting findings here. The spike in regulatory compliance concerns shows, as the report states, that companies are moving from theoretical exploration of cloud models to actual implementation. But it also means, in my view, that more companies are moving from non-production and non-critical app and data to more confidential information and business-critical applications, as well as information that falls under regulatory compliance efforts.

The survey also shows, with a resounding majority dissatisfied with traditional security tools, what many of us have suspected for a while: security vendors that try to retool security applications that were built for legacy environments won’t fare well in the long run. And in that long run, organizations will select those vendors that provide the security controls – and visibility – that are designed for cloud and then actually clear the fog.

You can find the complete cloud security report here.

About George Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. For five years, Hulme served as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

More posts by George

Tags: , ,