More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise

Report shows that forty-five percent of companies have had four or more cloud incidents in the last year

A recent survey from machine identity solutions provider Venafi aimed to explore the complexity of cloud environments and the resulting impact on cybersecurity.

Venafi surveyed 1,101 security decision makers (SDMs) in firms with more than 1,000 employees and found that eighty-one percent of companies have experienced a cloud security incident in the last year. Forty-five percent have suffered at least four security incidents in the same period. More than half of security decision makers believe that security risks are higher in the cloud than on-premise.

Twenty-four percent of the firms have more than 10,000 employees. Ninety-two percent of the SDMs are at manager level or above, with 49% at C-suite level or higher.

Most of the firms surveyed believe the underlying issue is the increasing complexity of their cloud deployments. Since these companies already host 41% of their applications in the cloud, and expect to increase this to 57% over the next 18 months, the problem is only likely to worsen in the future. 

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, believes, “The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices need an authenticated machine identity – such as a TLS certificate – to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks.”

Respondents reported that the most common cloud incidents are security incidents during runtime (34%), unauthorized access (33%), misconfigurations (32%), vulnerabilities that have not been remediated (24%), and failed audits (19%).

Their primary operational concerns are hijacking of accounts, services or traffic (35%), malware or ransomware (31%), privacy/data access issues, such as those from GDPR (31%), unauthorized access (28%), and nation state attacks (26%).

The real problem lies with the often-difficult relationship between developers and security teams. Developers are required to work at speed, and security teams often have little visibility into their work. Containers are now the primary machine context in cloud native systems, using resources that don’t need to be hosted in a single location.

“This means container security is formulated around what development teams and operations teams regard as best practice,” reports Venafi in an associated blog, “and yet this will not always align with conventional enterprise security policy.”

The survey also looked at who currently has responsibility for securing cloud-based applications. Enterprise security teams, at 25%, are the most likely to manage app security in the cloud. This is followed by operations teams responsible for cloud infrastructure (23%), a collaborative effort shared between multiple teams (22%), developers writing cloud applications (16%) and DevSecOps teams (10%).

However, the sheer quantity of continuing security incidents suggests that none of these approaches is fully adequate. Venafi also asked the respondents who they thought should be responsible for cloud-based app security – and again, there is no single view. Twenty-four percent of respondents believe it should be shared between cloud infrastructure operations teams and enterprise security teams, 22% believe it should be shared across multiple teams, 16% believe responsibility should be down to the developers writing the cloud applications, and 14% think it should be the responsibility of the DevSecOps teams.

Sharing responsibility between different teams is often inefficient because each team has different priorities and objectives. “Security teams want to collaborate and share responsibility with the developers who are cloud experts, but all too often they’re left out of cloud security decisions,” says Bocek in the blog. “Developers are making cloud native tooling and architecture decisions that decide approaches to security without involving security teams. And we can already see the results of that approach: security incidents in the cloud are rapidly growing.”

His, and Venafi’s, solution is to implement a control plane for machine identity. He calls it, “A perfect example of a new security model created specifically for cloud computing. This approach embeds security into developer processes and allows security teams to protect the business without slowing down engineers.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
