Ask any CIO today what their top priorities are and digital transformation is likely to come pretty high up. In fact, new research from Daisy Group reveals that 63% of UK firms now have such a strategy, up from just 27% last year. Unsurprisingly, cloud computing is driving these efforts in many (46%) firms. There’s just one problem: it’s also creating huge security blind spots and gaps which attackers are more than capable of exploiting.
To combat these challenges, organisations need to look to a mix of cloud-ready security tools, which increasingly need to slot into DevOps, alongside people and process changes.
It’s hard to see through clouds
Digital transformation is helping organisations become more productive internally and innovate quicker to get closer to their customers. Cloud-based apps and microservices such as containers are key tools here, enabling faster development and therefore greater business agility to respond to fast-changing market demands.
Yet crucially, many organisations lack visibility into their own cloud environments. New BMC research claims that 40% of IT leaders globally and 53% in the UK don’t even know how much their business is spending on cloud services. Shadow IT is a major problem here: although the cloud has democratised deployment and use of apps and services, it also makes it easier for business users to bypass IT completely.
Netskope reckons organisations use around 1,000 cloud apps each on average, yet claims as many as 92% aren’t “enterprise ready” — meaning they may lack resilience to cyber threats.
This lack of visibility is especially concerning when the volume of vulnerabilities is increasing all the time. They numbered over 16,000 in the first nine months of this year, an increase of 38% on the same period last year, according to Risk Based Security.
Threats on the rise
The threat is far from theoretical. Barracuda Networks research from earlier in the year revealed that the amount of IT infrastructure EMEA organisations are putting in the cloud will rise from 35% currently to 63% in the next five years. However, 60% of respondents claimed to have already been hit by a cyber attack, while a quarter (26%) expected one to land in the future.
Visibility and control are vital to ensure IT leaders can manage cybersecurity risk effectively in the cloud. Unfortunately, recent events have shown they are still sorely lacking. It’s obvious in the steady stream of big-name organisations that have left cloud databases filled with highly sensitive info exposed to the public-facing internet. Time Warner (4m customers), Verizon (6m), WWE (3m) and many more have left data on customers wide open after misconfiguring Amazon S3 buckets. Most had to be told by security researchers of the problem rather than proactively spotting it. Many blamed outside contractors for the privacy leak.
Last week, another company, US ride-hailing service Fasten, was found to have exposed one million customer details in the same way.
These leaks may embarrass organisations, but by and large none of the data makes its way into the hands of cybercriminals. That can’t be said of increasingly targeted attacks designed to compromise cloud apps early on in the supply chain. The problem with the new DevOps-led approach to developing cloud apps is that time-to-market is everything, often at the expense of security. The bad guys know this.
This year, researchers revealed how Docker containers make a great place to hide malware infections. In fact, the Dirty Cow Linux vulnerability was found last year to affect containers. More recently still, malware was found in the official repository for the popular Python programming language, making its way into multiple software packages as a result. So-called “supply chain attacks” like this work well when developers fail to include security early on in the application lifecycle.
A more secure future
There’s no easy way of mitigating these threats, precisely because there’s no single point of failure. However, a great start would be evolving DevOps to DevSecOps by building security into the application lifecycle. This means making use of web application firewalls and similar tools that offer API support, so teams can align security with their cloud deployments. Barracuda Networks is doing just this with its new Cloud Generation Firewall announcement.
That only covers one part of the puzzle, however. To prevent IT teams missing key database misconfigurations, organisations must focus first on their processes — including any work with third-party contractors, who often represent a key point of weakness. Most difficult to achieve, however, will be the creation of an organisation-wide cybersecurity culture. This vital but challenging step requires staff to understand the dangers of shadow IT, and IT teams to meet them halfway by saying “yes” more often to productivity-enhancing cloud initiatives.
It’s a long road, but those organisations that succeed in securing the cloud effectively will soon accelerate away from their rivals.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.