
More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise

Report shows that forty-five percent of companies have had four or more cloud incidents in the last year

A recent survey from machine identity solutions provider Venafi aimed to explore the complexity of cloud environments and the resulting impact on cybersecurity.

Venafi surveyed 1,101 security decision makers (SDMs) in firms with more than 1,000 employees and found that eighty-one percent of companies have experienced a cloud security incident in the last year. Forty-five percent have suffered at least four security incidents in the same period. More than half of the security decision makers believe that security risks are higher in the cloud than on-premises.

Twenty-four percent of the firms have more than 10,000 employees. Ninety-two percent of the SDMs are at manager level or above, with 49% at C-suite level or higher.

Most of the firms surveyed believe the underlying issue is the increasing complexity of their cloud deployments. Since these companies already host 41% of their applications in the cloud, and expect to increase this to 57% over the next 18 months, the problem is only likely to worsen in the future. 

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, believes, “The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity – such as a TLS certificate – to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks.”

Respondents reported that the most common cloud incidents are security incidents during runtime (34%), unauthorized access (33%), misconfigurations (32%), vulnerabilities that have not been remediated (24%), and failed audits (19%).

Their primary operational concerns are hijacking of accounts, services or traffic (35%), malware or ransomware (31%), privacy/data access issues, such as those from GDPR (31%), unauthorized access (28%), and nation state attacks (26%).

Venafi attributes much of the problem to the often-difficult relationship between developers and security teams. Developers are required to work at speed, and security teams often have little visibility into what they build and deploy. Containers are now the primary unit of compute in cloud-native systems, and the resources they consume need not be hosted in any single location.

“This means container security is formulated around what development teams and operations teams regard as best practice,” reports Venafi in an associated blog, “and yet this will not always align with conventional enterprise security policy.”

The survey also looked at who currently has responsibility for securing cloud-based applications. Enterprise security teams, at 25%, are the most likely to manage app security in the cloud. This is followed by operations teams responsible for cloud infrastructure (23%), a collaborative effort shared between multiple teams (22%), developers writing cloud applications (16%) and DevSecOps teams (10%).

However, the sheer quantity of continuing security incidents suggests that none of these approaches is fully adequate. Venafi also asked the respondents who they thought should be responsible for cloud-based app security – and again, there is no single view. Twenty-four percent of respondents believe it should be shared between cloud infrastructure operations teams and enterprise security teams, 22% believe it should be shared across multiple teams, 16% believe responsibility should be down to the developers writing the cloud applications, and 14% think it should be the responsibility of the DevSecOps teams.

Sharing responsibility between different teams is often inefficient because each team has different priorities and objectives. “Security teams want to collaborate and share responsibility with the developers who are cloud experts, but all too often they’re left out of cloud security decisions,” says Bocek in the blog. “Developers are making cloud native tooling and architecture decisions that decide approaches to security without involving security teams. And we can already see the results of that approach: security incidents in the cloud are rapidly growing.”

His, and Venafi’s, solution is to implement a control plane for machine identity. He calls it, “A perfect example of a new security model created specifically for cloud computing. This approach embeds security into developer processes and allows security teams to protect the business without slowing down engineers.”

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.