Share this article on:
Venafi has announced the findings of new research that evaluates the complexity of cloud environments and its impact on cyber security.
The study found that 75 per cent of organisations have experienced a cloud-related security incident over the last 12 months, with more than one in three (37 per cent) suffering at least four incidents.
The underlying issue for these security incidents is the dramatic increase in security and operational complexity connected with cloud deployments.
According to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, attackers are now on board with business' shift to cloud computing.
Since the organisations in this study currently host two-fifths (39 per cent) of their applications in the cloud but expect an increase to 57 per cent over the next 18 months, this complexity will continue to increase.
Half of the security decision-makers (SDMs) in the study believe security risks are higher in the cloud than on premises, citing several issues that contribute to those risks. The most common cloud-related security incidents respondents have experienced are:
The key operational and security concerns that SDMs have in relation to moving to the cloud are:
The study also investigated how responsibility for securing cloud-based applications is currently assigned across internal teams. This varies widely across organisations, with operations teams responsible for cloud infrastructure (30 per cent), the most likely to manage app security in the cloud. This is followed by enterprise security teams (21 per cent), a collaborative effort shared between multiple teams (22 per cent), developers writing cloud applications (20 per cent) and DevSecOps teams (4 per cent). However, the number of security incidents indicates that none of these models are effective at reducing security incidents.
Security teams want to collaborate and share responsibility with the developers who are cloud experts, Bocek added, but all too often, they're left out of cloud security decisions.
"Developers are making cloud-native tooling and architecture decisions that decide approaches to security without involving security teams.
"And now we can see the results of that approach: security incidents in the cloud are rapidly growing.
"We need to reset the approach to cloud security and create consistent, observable, controllable security services across clouds and applications," Bocek said.
When asked who should be responsible for security cloud-based applications, again, there was no clear consensus. The most popular option is to share responsibility between cloud infrastructure operations teams and enterprise security teams (24 per cent). The next most popular options are to share responsibility across multiple teams (23 per cent); to leave responsibility with developers writing cloud applications (13 per cent) and DevSecOps teams (19 per cent).
The challenges connected with shared responsibility models is that security teams and development teams have very different goals and objectives.
Developers need to move fast to accelerate innovation while security teams often do not have visibility into what development teams are doing. Without this visibility, security teams cannot evaluate how those controls stack up against security and governance policies.
Bocek added that architecting in a control plane for machine identity is a perfect example a new security model created specifically for cloud computing.
"This approach embeds security into developer processes and allows security teams to protect the business without slowing down engineers," Bocek said.
[Related: Maurice Blackburn investigates action against Optus]