There’s a lot more interest in automating cloud security but a survey of 960 IT and security professionals conducted by the Cloud Security Alliance (CSA) finds the two main objectives organizations are trying to achieve to be protecting customer data (43%) and automating cloud and web threat prevention (41%).
However, 64% of respondents report that when it comes to governance, their organization still relies on manual scripts (37%), simple automation (20%) or has no automation at all (7%).
In general, more automation is being employed by organizations large and small to make up for the chronic shortage of cybersecurity professionals. The issue has become especially acute as more workloads are shifted to the cloud. Securing the cloud is fundamentally different from securing on-premises IT environments and the number of cybersecurity professionals that have cloud expertise is consequently even more limited.
The survey finds half of the organizations surveyed have cloud and web security teams made up of three to nine people. Another 31% have 10 or more people. However, only 44% said they have a dedicated cloud security team.
The biggest concern is the infrastructure-as-a-service (IaaS) environments that organizations employ to run workloads, with close to half of respondents (45%) having been impacted by a breach. That compares to 40% having a breach impacting third-party applications, followed by private/internal applications at 34% and software-as-a-service (SaaS) and Web applications at 32%. The top challenges with cloud governance for organizations are IaaS/PaaS misconfigurations and vulnerabilities (32%).
Only 24% of respondents described their cloud security efforts as being highly effective, with another 48% rating their efforts as being moderately effective. Areas of current investment are in security awareness training (49%), endpoint security (47%), identity management solutions (43%), and privileged access management (38%).
The challenge with cloud security is there is no one cloud to protect. Application workloads are distributed across a range of types of services that each has its own unique security requirements that need to be mastered. More challenging still, cloud platforms need to be secured alongside legacy platforms. Nearly half of survey respondents 47% identified managing legacy and on-premises security infrastructure as still being their biggest challenge.
More than 80% of organizations are also moderately to highly concerned about suppliers and partners. In fact, 58% of respondents noted that third parties and suppliers he already been targets of attacks.
Overall, the types of cloud applications that organizations are most concerned about are email (36%), authentication (37%), storage/file sharing (35%), customer relationship management (33%), and enterprise business intelligence (30%) application, the survey finds.
It’s not clear to what degree cloud security represents an actual crisis but in the absence of any advances in the adoption of automation, there is no doubt there soon will be one. In effect, cybersecurity teams are in a race against time as cybercriminals become more adept at targeting an ever-increasing array of cloud services. The catch-22 issue, of course, is automating cloud security requires expertise to set up which far too many organizations still clearly lack.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.