Cloud security, in theory, should be improving as organizations gain more experience. But a new survey of IT security professionals published by Crowd Research Partners in collaboration with LinkedIn suggests quite the opposite. As more workloads move into the cloud, it would appear IT security professionals are only now starting to appreciate how different cloud security really is from managing security in an on-premises environment.
The survey finds misconfiguration of cloud platforms jumped to the number one spot in this year’s survey as the single biggest threat to cloud security (62%); followed by unauthorized access through misuse of employee credentials and improper access controls (55%), and insecure interfaces / APIs (50%).
Given some recent high-profile breaches where the root cause of the problem has been the configuration, that’s not all that surprising. But because of those human errors, the survey notes more cybersecurity professionals are concerned about cybersecurity than ever. Nine out of ten cybersecurity professionals confirm they are concerned about cloud security, an increase of 11 percentage points from last year’s cloud security survey.
The top three security control challenges identified were visibility into infrastructure security (43%), compliance (38%), and setting consistent security policies across cloud and on-premises environments (35%).
The top three cloud security challenges cited by cybersecurity professionals included protecting against data loss and leakage (67%), threats to data privacy (61%), and breaches of confidentiality (53%).
What the survey makes clear is that many cybersecurity professionals are starting to appreciate that lifting and shifting existing cybersecurity controls and processes into the cloud doesn’t work. Only 16 percent of organizations report that the capabilities of traditional security tools are sufficient to manage security across the cloud, a 6-percentage point drop from our previous survey. A full 84 percent say traditional security solutions either don’t work at all in cloud environments or have only limited functionality. And yet, while half of the respondents said they use their cloud provider’s security tools, only 35 percent said they deploy third-party security software to ensure the proper cloud security controls are implemented.
Specifically, the report finds cybersecurity professionals are struggling with visibility into cloud infrastructure security (43%), compliance (38%), and setting consistent security policies across cloud and on-premises environments (35%).
The good news is half of the organizations said they expect cloud security budgets to increase and that encryption of data at rest (64%) and data in motion (54%) tops the list of the most effective cloud security technologies; followed by security information and event management (SIEM) platforms (52%).
However, the biggest challenge cybersecurity professionals may be facing isn’t the technology. The processes used to deploy workloads in the cloud are substantially different than in a traditional on-premises environment. Developers make extensive use of APIs to programmatically provision infrastructure and applications using modern DevOps processes. If cybersecurity professionals want to be relevant to those developers, there needs to be a way for developers to programmatically provision cybersecurity controls, a process increasingly known as DevSecOps. That’s not easy for many cybersecurity professionals because it means giving up reliance on traditional graphical and command line interfaces.
Most cybersecurity professionals don’t have much in the way of programming skills, so the challenge becomes finding a way to insert themselves into the front end of the application development process. From there they should be able to provide developers with some much-needed cybersecurity guidance. On the plus side, more developers are starting to appreciate that advice, as long as it’s delivered in a way that allows them to act on it by invoking a simple API versus asking them to learn a GUI they have no desire to learn, much less master.