One of the major challenges created by the pandemic was a rapid shift to cloud-based services to facilitate new remote work models. A recent survey of nearly 2,000 IT professionals indicates that cloud security has been improving as the need for these services grows, but organizations are still hitting some common stumbling blocks: native security controls are often not up to the task, and fielding enough skilled workers with cloud-specific experience tends to be difficult.
Cloud security evolving with usage patterns
The survey was conducted by the Cloud Security Alliance and ran from December 2020 to January 2021. Respondents consisted of about 1,900 security professionals working at organizations that varied broadly in both size and location.
The study finds that organizations have definitely increased the workload that they have shifted to cloud services, nearly doubling the amount since 2019 (from 25% to 41%). 21% predict that they will move 80% to 100% of their workload to the cloud sometime in 2021.
Cloud environments are inevitably becoming more complex as new services and more users are added; 62% of respondents have moved to multi-cloud setups. That means a need for more security, improved tools and technicians who have the requisite knowledge to meet new security challenges.
As far as tools go, organizations have a hierarchy of needs. At the top is clear visibility for the entire network estate, including both the cloud platforms and on-premises components. Organizations also highly rate the ability to proactively detect network risks and misconfigurations. Following this are automated change management and the ability to assist with regulatory compliance reports.
Organizations are using a wide variety of cloud platforms, but two (Amazon and Azure) are each used by more than half of respondents. Beyond those two, adoption varies widely: 37% use Google, and no other platform is used by more than 11% of respondents.
The respondents report that these platforms are mostly meeting or exceeding their needs in terms of cost, uptime, agility and being DevOps-friendly. Downtime is also relatively limited, with only 12% experiencing it for a day or more (downtime has been no longer than three hours for over half of the respondents). Organizations are also generally happy with security at the service provider end, but have some common struggles at their own end. One appears to be confusion about which department should take point on cloud security; only 35% of organizations said that this was assigned to the security operations team, and there was a broad array of other responses (from a general “cloud team” to managed service providers). 22% have experienced an outage due to a security misconfiguration, and 20% saw downtime due to a distributed denial of service (DDoS) attack.
Cloud security concerns prior to the pandemic
Organizations were asked what their chief security concerns were prior to the pandemic-driven cloud migration. Compared to the answers given to the same question in 2019, there was a marked increase in respondents citing a lack of cloud expertise among staff and insufficient staff to manage the cloud environment. This year’s responses indicate that organizations are mostly looking inward to meet this substantial increase in staff need. 55% said that they are sending existing staff to obtain industry certifications (such as CSA and ISACA), 54% are conducting informal in-house training or having staff undergo self-training, and 53% are receiving customer training from vendors on products. Only 27% have turned to outsourcing to make up the cloud security shortfall.
Network cloud security controls are another area in which organizations are experiencing issues. 74% are using their cloud provider’s native security controls and 71% are using some sort of additional controls from the provider, but 50% of these do not find them adequate and have added some sort of third-party solution to fully meet their needs. The most common is a virtual version of the traditional firewall deployed in the cloud environment. 22% are also making use of host-based enforcement. There is even greater variety in the use of tools for security application orchestration, with only 52% making use of cloud-native tools. 35% run some sort of home-grown script that leverages cloud vendor APIs, and 22% have manual processes for cloud security management in place.
Statistics concerning cloud-related operational incidents are interesting given the cyber crime wave that has accompanied the pandemic. Numbers are fairly consistent with responses given in 2019 in most areas. 11% of respondents say that they have definitely experienced a cloud security issue in the past year, and 20% are sure that they have not. The big change is in those who are not sure whether they have experienced a cloud breach: up to 41% in this survey from only 18% in 2019.
Douglas Murray, CEO at Valtix, cites additional supporting information indicating that workloads will continue to be moved to cloud platforms in the near future: “In 2020, spend on public cloud infrastructure exceeded on-prem for the first time. It is clear the cloud has won and is now achieving escape velocity. I don’t see a slowing anywhere on the horizon … The reality is that the public cloud is different than a traditional data center. The number one concern noted in the report was Network Security, so this is front of mind for all companies moving to cloud. The second largest concern noted in the report is how teams lack cloud expertise. The workforce is critical here as the move to the cloud requires a change in operations and indeed a change in culture.”