Headlines continue to suggest that organizations’ cloud environments make for tantalizing targets for digital attackers. Illustrating this point, the 2019 SANS State of Cloud Security survey found “a significant increase in unauthorized access by outsiders into cloud environments or to cloud assets” between 2017 (12 percent) and 2018 (19 percent).
These findings raise the question: how prepared are organizations to defend themselves against cloud-based threats?
To find out, Tripwire took a survey of 150 attendees at Black Hat USA 2019. This research effort provided crucial insight into how industry pros view cloud security today. It also drew attention to certain steps which organizations can take to better defend themselves in the cloud.
Cloud Misconfigurations Abound
Misconfiguration has remained the center of attention in reported data leaks and cyber incidents related to the cloud. In Tripwire’s survey, 84 percent said that it was difficult for their organizations to maintain security configurations across cloud services. Of those, 17 percent said it was “very difficult.”
That could explain why 75 percent of survey respondents said it was easy to accidentally expose data publicly through the cloud.
Effective cloud security seems to elude organizations for a number of other reasons. For example, many security professionals still lack a clear understanding of which security measures the cloud service provider supplies and which the consumer is responsible for. Only about a quarter (27 percent) of survey participants said the Shared Responsibility Model for security between cloud service providers and their customers was “very clear.” Even more than that said the model was “not clear” (28 percent), while most (45 percent) said the model was only “somewhat clear.”
A Growing Level of Complexity
Also contributing to the difficulty of cloud security, teams face a much more complex environment to defend in general, with many forced to manage a hybrid environment spanning on-premise systems and multiple private and public clouds. More than three-fourths (77 percent) of professionals said that their organization had more than 10 percent of their workloads in the cloud, but only 13 percent said that more than three-quarters of their organization’s data/workload resided in the cloud. About half (49 percent) have more than 50 percent of their organization’s data/workload in the cloud.
Additionally, cloud is not just about storage elements like S3 buckets and Azure blobs. In our survey, SaaS was the most adopted cloud service (70%) vs. IaaS and PaaS. It’s also estimated that the average enterprise subscribes to approximately 16 software-as-a-service (SaaS) solutions. These types of solutions, like Salesforce.com, often hold sensitive customer data and should also be protected. Given increased privacy regulations like GDPR and the California Consumer Privacy Act, organizations should be especially careful about protecting the data held in these applications.
Tim Erlin, vice president of product management and strategy at Tripwire, notes how this growing complexity means that organizations need to take their hybrid cloud security strategies seriously:
While cloud providers may take responsibility for securing their infrastructure, moving to the cloud doesn’t absolve you from the responsibility of protecting your own data. The cloud doesn’t magically protect the data and systems that you put in there. There’s a new incident reported every few weeks that stresses the need to extend basic security controls to cloud environments. Organizations need to ensure they’re implementing critical security controls regardless of where the systems reside.
The survey showed significant opportunity for organizations to apply security fundamentals to their cloud environments. Only 54 percent of security professionals said they had configuration management in place for the cloud, and just 49 percent had file integrity monitoring (FIM) capabilities enabled for the cloud – which could alert to inadvertent exposure of cloud data to the public.
How Organizations Can Defend Themselves
This position is untenable in the long term. While the cloud does provide benefits like flexibility, scalability and cost savings, there’s no mistaking that fundamental security practices are still important not only in cloud deployments but also across all environments. As digital infrastructure continues to grow, it remains important to keep track of the attack surface, minimize it with secure configuration and vulnerability management, and monitor it for changes.