Organizations Must Realign to Face New Cloud Realities

Technology advancements often present benefits to humanity while simultaneously opening up new fronts in the on-going and increasingly complex cyber security battle. We are now at that critical juncture when it comes to the cloud: While the compute model has inherent security advantages when properly deployed, the reality is that any fast-growth platform is bound to see a proportionate increase in incidents and exposure.

The Cloud Security Alliance (CSA) is a global not-for-profit organization that was launched 10 years ago as a broad coalition to create a trusted cloud ecosystem. A decade later, cloud adoption is pervasive to the point of becoming the default IT system worldwide. As the ecosystem has evolved, so have the complexity and scale of cyber security attacks. That shift challenges the status quo, mounting pressure on organizations to understand essential technology trends, the changing threat landscape and our shared responsibility to rapidly address the resultant issues.

There are real concerns that organizations have not adequately realigned for the cloud compute age and in some cases, are failing to reinvent their cyber defense strategies. Symantec’s inaugural Cloud Security Threat Report (CSTR) is a landmark report that shines a light on the current challenges and provides a useful roadmap that can help organizations improve and mature their cloud security strategy. The report articulates the most pressing cloud security issues of today, clarifies the areas that should be prioritized to improve an enterprise security posture, and offers a reality check on the state of cloud deployment.

Cloud in the Fast Lane

What the CSTR reveals and the CSA can confirm is that cloud adoption is moving too fast for enterprises, which are struggling with increasing complexity and loss of control. According to the Symantec CSTR, over half (54%) of respondents agree that their organization’s cloud security maturity is not keeping pace with the rapid expansion of new cloud apps.

The report also revealed that enterprises underestimate the scale and complexity of cloud threats. For example, the CSTR found that most commonly investigated incidents included garden variety data breaches, DDOS attacks and cloud malware injections. However, Symantec internal data shows that unauthorized access accounts for the bulk of cloud security incidents (64%), covering both simple exploits as well as sophisticated threats such as lateral movement and cross-cloud attacks. Companies are beginning to recognize their vulnerabilities--nearly two thirds (65%) of CSTR respondents believe the increasing complexity of their organization’s cloud infrastructure is opening them up to entirely new and dangerous threat vectors.

For example, identity-related attacks have escalated in the cloud, making proper identity and access management the fundamental backbone of security across domains in a highly virtualized technology stack. The speed with which cloud can be “spun up” and the often-decentralized manner in which it is deployed magnifies human errors and creates vulnerabilities that attackers can exploit. A lack of visibility into detailed cloud usage hampers optimal policies and controls.

As CSA delved into this report, we found strong alignment with the best practices research and education we advocate. As the CSTR reveals, a Zero Trust strategy, building out a software-defined perimeter, and adopting serverless and containerization technologies are critical building blocks for a mature cloud security posture.

The CSTR also advises organizations to develop robust governance strategies supported by a Cloud Center of Excellence (CCoE) to rally stakeholder buy-in and get everyone working from the same enterprise roadmap. Establishing security as a continuous process rather than front-loading efforts at the onset of procurement and deployment is a necessity given the frenetic pace of change.

As the CSTR suggests and we can confirm, security architectures must also be designed with an eye towards scalability, and automation and cloud-native approaches like DevSecOps are essential for minimizing errors, optimizing limited man power and facilitating new controls.

While there is a clear strategy for securing cloud operations, too few companies have embarked on the changes. Symantec internal data reports that 85% are not using best security practices as outlined by the Center for Internet Security (CIS). As a result, nearly three-quarters of respondents to the CSTR said they experienced a security incident in cloud-based infrastructure due to this immaturity.

The good news is that the users of cloud have a full portfolio of solutions, including multi-factor authentication, data loss prevention, encryption and identity and authentication tools, at their disposal to address cloud security threats along with new processes and an educated workforce. The bad news is that many users of cloud are not aware of the full magnitude of their cloud adoption, the demarcation of the shared responsibility model and the inclination to rely on outdated security best practices. The CSTR is a pivotal first step in increasing that awareness.

Cloud is and will continue to be the epicenter of IT, and increasingly the foundation for cyber security. Understanding how threat vectors are shifting in cloud is fundamental to overhauling and modernizing an enterprise security program and strategy. CSA recommends the Symantec CSTR report be read widely and we look forward to future updates to its findings.