Venafi announced the findings of new research that evaluates the complexity of cloud environments and its impact on cybersecurity. The study found that 81% of organizations experienced a cloud-related security incident over the last 12 months, with almost half (45%) suffering at least four incidents during the same time frame. The underlying issue for these security incidents is the dramatic increase in security and operational complexity connected with cloud deployments. And, since the organizations in this study currently host two fifths (41%) of their applications in the cloud but expect this to increase to 57% over the next 18 months, this complexity will continue to increase.
More than half (51%) of the security decision makers (SDMs) in the study believe security risks are higher in the cloud than on premises, citing several issues that contribute to those risks. The most common cloud-related security incidents respondents have experienced are:
- Security incidents during runtime (34%)
- Unauthorized access (33%)
- Misconfigurations (32%)
- Major vulnerabilities that have not been remediated (24%)
- A failed audit (19%)
The key operational and security concerns that SDMs have in relation to moving to the cloud are:
- Hijacking of accounts, services or traffic (35%)
- Malware or ransomware (31%)
- Privacy/data access issues, such as those from GDPR (31%)
- Unauthorized access (28%)
- Nation state attacks (26%)
"Attackers are now on board with business' shift to cloud computing," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity - such as a TLS certificate - to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks."
The study also investigated how responsibility for securing cloud-based applications is currently assigned across internal teams. This varies widely across organizations, with enterprise security teams (25%) the most likely to manage app security in the cloud, followed by operations teams responsible for cloud infrastructure (23%), a collaborative effort shared between multiple teams (22%), developers writing cloud applications (16%) and DevSecOps teams (10%). However, the number of security incidents indicates that none of these models are effective at reducing security incidents.
When asked who should be responsible for securing cloud-based applications, again, there was no clear consensus. The most popular option shares responsibility between cloud infrastructure operations teams and enterprise security teams (24%). The next most popular options are sharing responsibility across multiple teams (22%), leaving responsibility with developers writing cloud applications (16%) and DevSecOps teams (14%).
The challenge connected with shared responsibility models is that security teams and development teams have very different goals and objectives. Developers need to move fast to accelerate innovation while security teams often do not have visibility into what development teams are doing. Without this visibility, security teams cannot evaluate how those controls stack up against security and governance policies.
"Security teams want to collaborate and share responsibility with the developers who are cloud experts, but all too often they're left out of cloud security decisions," continued Bocek. "Developers are making cloud-native tooling and architecture decisions that decide approaches to security without involving security teams. And now we can see the results of that approach: security incidents in the cloud are rapidly growing. We need to reset the approach to cloud security and create consistent, observable, controllable security services across clouds and applications. Architecting in a control plane for machine identities is a perfect example of a new security model created specifically for cloud computing. This approach embeds security into developer processes and allows security teams to protect the business without slowing down engineers."