When not done right, cloud security can become a bit of a mess. Misconfigurations of cloud services are more widespread than ever at a time when cybercriminals have tools that enable them to discover vulnerabilities in a matter of minutes.
A survey of 937 IT professionals published this week by Netwrix, a provider of tools for classifying data, traces the root of the cloud security problem not to the platforms, but unsurprisingly, to a lack of IT staff (52 percent), insufficient budget (47 percent), lack of cloud security expertise (44 percent) and employee negligence (38 percent).
Nearly two-thirds of respondents also report they have removed sensitive data from the cloud or are planning to do so. Nearly half of respondents (48 percent) said the organization’s desire for growth is hindering their data security efforts in the cloud.
Cloud security problems start with DevOps workflows
At the root of the problem has been the rise of DevOps workflows that enable developers to employ open source tools such as Terraform, to provision cloud infrastructure on their own, as part of an effort to accelerate application development. Most of those developers have limited cybersecurity expertise so, inevitably, mistakes are made. A quarter of organizations (25 percent) admitted inconsistent tools and processes, stemming from deploying multiple workloads across different cloud platforms, is a data security challenge.
The issue has historically been less problematic in on-premises IT environments where developers don’t typically provision IT infrastructure themselves. However, as hybrid cloud computing continues to evolve some organizations are now also enabling developers, for better or worse, to directly provision IT infrastructure resources themselves using tools such as Terraform.
The survey finds organizations are now employing data security controls such as encryption (62 percent), auditing of user activity (58 percent) and cloud backups (58 percent) to gain a measure of control over cloud security. However, it is clear the scope of the problem runs deeper. Organizations have been investing in DevSecOps best practices to teach developers how to more securely provision infrastructure and the applications that run on them.
The challenge is that this takes time so now organizations, in the wake of some recent high-profile breaches of software supply chains, are giving cybersecurity teams a specific mandate to fix the problem. The trouble is those cybersecurity teams are already overworked and understaffed. The only real place organizations can find the level of application security expertise required through their friendly neighborhood MSP.
With internal #cybersecurity teams overworked and understaffed, the only place organizations can find the level of #ApplicationSecurity expertise required is their local #MSP.
Of course, rising to that challenge is not a job for the feint of heart. Cloud security requires a level of 24/7 commitment that MSPs need to be willing to make. Murphy’s Law dictates the worst crisis will always occur in the dead of night, especially when many cybercriminals are operating out of countries that are half a world away.
It’s not clear whether a security backlash is building against developers. However, one thing is clear, and that is that organizations are realizing deploying more insecure applications faster, that result in a major security incident, is counterproductive for all concerned.