Traditional security concerns about the cloud—denial of service, shared technology vulnerabilities, and cloud service provider data loss and system vulnerabilities—appear to be waning in importance among security practitioners. Now, concerns about issues higher up in the security stack that are influenced by senior management decisions are taking their place.
That’s what the Cloud Security Alliance revealed in its annual Top Threats to Cloud Computing report for 2019. Based on a survey of 241 industry experts on security issues in the cloud industry, the report rates the top risks and vulnerabilities facing cloud environments and highlights 11 that were top-of-mind for the security experts surveyed.
It found that traditional concerns that ranked in the top tier as recently as last year were ranked so low that they didn’t even merit mentioning in this year’s report.
New, highly rated items in the “Egregious Eleven” are more nuanced and suggest a maturation of consumers’ understanding of the cloud, the report said. These issues are specific to the cloud and indicate a technology landscape where consumers are actively considering cloud migration.
The new focus: potential control plane weaknesses, metastructure and applistructure failures, and limited cloud service visibility. That’s why you need to shift your game up the stack.
It’s hard to beat a cloud service provider
Jon-Michael Brook, co-chair of the Cloud Security Alliance working group that put the report together, said that the latest “Egregious Eleven” shows a decrease in concern over issues associated with cloud service providers (CSPs)—and an increase in worry over shared responsibilities for the stack.
For many organizations, the processes and procedures that providers such as AWS or Azure follow and their operational product offerings are impossible to duplicate in-house. “The government hired Microsoft and Amazon for community cloud implementations because they are that effective,” he said.
By 2020, he added, Gartner estimates that for anyone using an established infrastructure-as-a-service provider, more than 95% of breaches and other problems will be due to consumer errors instead of problems with the CSP.
“Sure, everyone was afraid in the early days, but the cloud providers have pretty well demonstrated their abilities to exceed security controls most on-premises alternatives provide,” said Jay Bretzmann, research director for cybersecurity products at IDC.
Michelle McLean, vice president of product and corporate marketing at StackRox, a maker of a security platform for containers and Kubernetes, explained that as adoption has grown over the years, CSPs have had more time to build additional security services.
Don’t assume too much
With more adoption has come deeper customer understanding that cloud providers have far more resources to invest in securing their infrastructure, McLean said. “However, this thinking can sometimes lead customers to assume they no longer have any responsibility for security, so complacency and assuming the cloud providers have it all covered can be a risk.”
Greater concern about problems higher in the cloud security stack is also a sign that consumers need to rethink their cloud strategy. “In the past, too many people were attempting to accomplish cloud security with a ‘lift-and-shift’ mode,” said Brian Bernstein, a systems engineer at Lacework, a cloud security solutions provider.
“A real shifting of mindset must happen to address the much more critical threats to a cloud platform,” he said.
IDC’s Bretzmann added: “Simple lifting-and-shifting and replicating your existing controls within the cloud might also mean that you’re missing out on advantages like managed services, where the provider maintains all of the underlying infrastructure security.”
Strategy affects security
Businesses are beginning to recognize the significant impact that management decisions about cloud strategy and implementation can have on cloud security.
“Cloud-native design patterns leverage features simply not available in a traditional IT setting,” the CSA’s Brook said. “A lack of strategy can contribute to the organization’s technical debt and opens security issues for things that just don’t translate.”
Products rolled out to the cloud inappropriately will increase the overall operating budget, he said. “The cloud only decreases costs when it’s rolled out appropriately.”
He noted that companies can adopt a cloud strategy without fully understanding the risks. For example, a move to the cloud might jeopardize standards compliance. An organization may think its CSP is responsible for compliance training when it’s not. Training then becomes a strategy decision for the business.
“If you administer or manage by tick-box—that is, you see a logo which says, ‘We are compliant with X’ and then don’t investigate further—you are setting yourself up for failure,” said Trevor Pott, Product Marketing Director at Juniper Networks, a network security and performance company.