Venafi, a company that makes machine identity management solutions, recently conducted a study to learn more about the effects of cloud complexity on cybersecurity.

According to a poll conducted by Venafi among 1,101 security decision-makers (SDMs) at enterprises with over 1,000 workers, 81% of businesses had encountered a cloud security issue over the past 12 months. Nearly half (45%) have had four or more security breaches during the same time frame. Concerns about data loss and unauthorized access are more significant in the cloud, according to more than half of IT security professionals.

Some 24% of the businesses have more than 10,000 workers. Almost all SDMs are middle or upper-level managers, with 49% holding C-suite or equivalent titles.

Most businesses surveyed attribute the problem to the growing complexity of their cloud infrastructure, and the situation will only worsen in the future. These businesses already host 41% of their apps in the cloud, and they want to grow this to 57% over 18 months.

“The juiciest target of exploitation in the cloud is identity management, specifically computer identities,” says Kevin Bocek, vice president of security policy and threat detection at Venafi. Every container, Kubernetes cluster, service, and microservice in the cloud requires an authorized machine identity, such as a TLS certificate, to connect securely with the others. Security and operational hazards are greatly amplified if any one of these identities is stolen, improperly configured, or lost.

Security issues occurring during runtime (34 percent), incorrect setups (32 percent), unpatched vulnerabilities (24 percent), unauthorized access (33 percent), and unsuccessful audits (19 percent) were cited as the most common types of cloud mishaps by respondents.

Their top operational worries are account, service, or traffic hijacking (35%), ransomware/malware (31%), data access/privacy issues (e.g., GDPR) (31%), nation-state threats (26%), and unauthorized access (28%).

The real issue is the tense interaction between development and security teams. Developers must work quickly, but security teams rarely get to see what they are up to. In cloud-native systems, containers are the virtual machine for sharing resources across many data centers.

In a related blog post, Venafi notes that “container security is formulated around what development teams and operations teams consider as best practice,” which may not always coincide with traditional company security policy.

The survey also investigated who is now accountable for the safety of cloud-based software. For 25% of businesses, it is the enterprise security team. Operations teams in charge of the cloud’s infrastructure (23%), a collaborative effort involving many teams (22%), developers who create cloud apps (16%), and DevSecOps teams (10%) make up the rest.

Despite this, the sheer volume of ongoing security problems implies that none of these arrangements is working. Venafi also asked who should be accountable for the safety of cloud-based applications, and the responses showed no consensus. Twenty-four percent of respondents think responsibility should be shared between cloud infrastructure operations and enterprise security teams, while another twenty-two percent think it should be shared across multiple teams. Sixteen percent believe it should fall to the developers writing the cloud applications, while fourteen percent say it should be the responsibility of the DevSecOps teams.

Due to competing priorities and goals, dividing tasks between multiple groups is often inefficient. Bocek argues that “security teams want to collaborate and share responsibility with the developers who are cloud experts” but that they are typically excluded from such decisions.

“Developers are making decisions about cloud-native tooling and architecture that dictate approaches to security without involving security professionals. We are already witnessing the effects of this strategy, with the number of security problems occurring in the cloud rising.”

Together with Venafi, he came up with the idea of establishing a control plane for machine identities. In his words, it is a “great example” of a new security model developed for the cloud. This method incorporates security into development workflows, enabling security teams to safeguard businesses without hampering engineering productivity.