CloudPassage has announced the results of research indicating that lack of visibility into cloud deployments and associated provider security practices and controls is a source of major dissatisfaction amongst IT professionals. The “Orchestrating Security in the Cloud” report is based on a survey sponsored by CloudPassage and administered by the nonprofit SANS Institute, which involved 485 IT professionals.
“Overall, lack of visibility into cloud provider operations and controls stands as the largest issue respondents experienced with their providers,” noted report author and SANS analyst Dave Shackleford. Lack of visibility and control plays a major role in other pain points cited in the survey results, including deficient incident response support (with lack of visibility cited), selected by 48% of respondents; lack of virtual machine and workload visibility, selected by 46%; and provider-introduced vulnerabilities resulting in a breach or incident, experienced by 26%.
Shackleford reported that many respondents are struggling not only with cloud providers, but also with internal teams in their efforts to detect and respond to cloud-based security incidents effectively: “Although most organizations have not experienced a breach in the cloud, security teams are concerned about illicit account and data access, maintaining compliance and integrating with on-premise security controls. In addition, visibility into cloud environments remains a challenge as does implementing cloud-focused incident response and pen testing processes.”
“The results this SANS Institute research reinforce what high-level security execs told us recently during a key cloud adoption driver survey with CSO Magazine,“ said Mitch Bishop, CloudPassage CMO. “When it comes to elastic infrastructure, everyone in the organization wants to increase speed while still being able to maintain security. Visibility, enforcement and compliance that is on-demand, deploys in minutes, fully automates a majority of security controls, and works anywhere – data centers, private clouds and public clouds – is becoming essential.”
Hybrid cloud architectures are the new normal
The “Orchestrating Security in the Cloud” survey also found that hybrid cloud architectures are now the most favored, with 40% currently using them and 43% planning to move in that direction in the next 12 months. Private cloud implementations are the second most used at 38%, while only 12% of respondents indicated their organizations use public cloud implementations. Other key findings include:
- 40% of those surveyed report storing or processing sensitive data in the cloud
- 40% cite unauthorized access to sensitive data from other tenants as the most pressing concern with public cloud deployments
- 33% state that they do not currently have enough visibility into their public cloud providers’ operations
- 33% of those organizations that experienced breaches in the cloud cite malware as the top private-cloud attack vector, while 36% choose Denial-of-Service (DoS) as the top attack vector in the public cloud.
The survey allowed for some write-in reporting from respondents, which included motivators for cloud deployments (cost savings, availability and ease of use were highly indicated). “These results indicate that the public/private cloud hybrid model, driven by the demands of business, is here to stay,” Shackleford noted. The survey also found that speed is a driving factor in cloud usage, with 61% saying their motivation for cloud adoption was faster time to deployment. In addition, 54% of respondents are using cloud services because they can’t scale their own solutions, and 48% say they need a central way of managing compliance.
“With so many different environments and applications—and with data processing in clouds—respondents’ top concern is maintaining compliance,” Shackleford writes in his report. “In fact, when averaged across all models (hybrid, public and private), 72% [of respondents] are most concerned with meeting compliance.”
The survey respondents came from a mix of small and larger organizations, with 38% having 1,000 or fewer employees, 24% over 15,000 employees and the remainder having between 1,000 and 10,000 employees. IT security operations (administrators and analysts) were most highly represented in the pool of participants, with network operations, systems administration and IT management also well accounted for.