Companies are prioritising speed over security as the “cloud security readiness gap” widens, with teams developing cloud-based applications — and under pressure to bring them to market fast — seeing collaboration with security teams as an obstacle to go-to-market priorities.
That’s according to a new survey by Oracle and KPMG, which revealed that 92 percent of respondents think their organisations have a “cloud security readiness gap” — with current cloud usage, their planned cloud usage and cloud security programme maturity misaligned.
The joint cloud and threat security report also reveals that there has been a landmark shift in attitudes to cloud security, with most now confident in the public cloud and growing numbers looking to run business-critical applications in the cloud in coming months.
The data came via an online survey of 750 cybersecurity and IT professionals working for companies from America, Europe and Asia.
It notes that “cloud services and applications are often consumed by a business unit outside of the purview of the centralised IT and cybersecurity teams. Then, as lines of business realise rapid time to value, use expands.
“Collaboration with the cybersecurity team is perceived as threatening to throttle speed”, the report’s authors note.
With a major cultural shift needed as businesses new to the cloud move from a moat-and-castle perimeter-based approach to security, to the more amorphous nature of today’s hybrid or multicloud environments, blind spots are being created for organisations, Oracle and KPMG add.
As Qualys’ Marco Rottigni tells Computer Business Review: “Developers should be empowered with plug-ins that trigger security and compliance controls at every step of the DevOps process, exposing the results right within the tools they commonly use to enable rapid remediation of the vulnerable code.
“While the Security team keeps an eye on the health of the development process, they will instantly, constantly and continuously keep observability on all the resources instantiated in the cloud.”
He adds: “This [can be] achieved using specialized sensors in the form of API-based connectors to cloud environments to assess the CIS benchmarks, software agents that form part of all base machine images that are used to create VMs, or container sensors deployed in the cloud right alongside others. The approach augments visibility, increases the accuracy of detecting misconfigurations, and can carry out vulnerability detection.
“Using this data, you can see the fastest step to respond with a prompt remediating action to fix any problem.”
Specialised Cloud Security Tools Can be Damaging to Overall Security
Yet some 70 percent of Oracle and KPMG’s participants say that they have too many specialised cloud security tools, with a massive reported average of 100 tools per business throughout the research pool.
As these numbers fast approach the ridiculous (particularly given the role of misconfigurations in security breaches), attitudes are beginning to change: 80 percent of organisations are now considering buying most of their cybersecurity tools from one single vendor, in a bid to simplify processes, the report finds.
SVP Engineering at SecurityScorecard Christos Kalantzis noted: “Cloud and Infrastructure as a Service in particular has made developing and deploying new apps much more accessible. However, with this new accessibility, new attack surfaces have emerged.”
Visibility Blind Spots Thought a Problem by 73% of Businesses
One of the main issues brought up by cybersecurity professionals is visibility. Using the cloud for a company’s data storage has created configuration management challenges that leave the company with blind spots that contribute to a widening attack surface.
Twenty-eight percent of security professionals who responded to the report maintained that “identifying workload configurations that are out of compliance, including those that do not adhere to the industry standard benchmarks” is the area that needs the most improvement.
Kalantzis summed up the security problem neatly by homing in on its root, education: “When Cloud vendors provide a curriculum to consume their services, security is often a small part of that curriculum, or in some cases an after-thought.
“I’d like to see Cloud vendors focus more of their attention to security education for their current products, and slow down their features arms race”.
With 67 percent of respondents to the Oracle and KPMG survey saying they find the shared responsibility approach to securing SaaS applications confusing, and only eight percent saying they understand it fully for all types of cloud services, there is huge room for improvement.
How does your business bake visibility and security into its cloud-based applications? Get in touch on claudia dot glover at cbronline dot com.
This article is from the CBROnline archive: some formatting and images may not be present.