The state of cloud security

By BizClik Admin
Share
Lack of knowledge and expertise continue to plague security teams. Cyber Magazine looks at VMWare and CSA’s latest report on the state of cloud security.

The worldwide public cloud services market grew 24.1% year-on-year in 2020. With companies relying heavily on public clouds as the driver for digital transformation, the security of their cloud applications, data, and underlying infrastructure remains a top priority for Chief Information Security Officers (CISOs).

Cloud misconfigurations, however, are consistently a top concern for organisations utilising the public cloud. Such errors lead to data breaches, allow the deletion or modification of resources, cause service interruptions, and otherwise wreak havoc on business operations. In a recent survey carried out by the Cloud Security Alliance (CSA) and commissioned by cybersecurity company VMWare one of the key findings was that lack of knowledge and expertise continue to plague security teams. CSA surveyed 1,090 IT and security professionals globally in its ‘State of Cloud Security Risk, Compliance, and Misconfigurations’ report. The lack of knowledge and expertise was repeatedly identified as the primary barrier to general cloud security (59%) the primary cause of misconfigurations (62%) a barrier to proactively preventing or fixing misconfigurations (59%), the primary barrier to implementing auto remediation (56%). 

The findings highlight the trickle-down effect that lack of knowledge can have on security teams. It starts as a general barrier to implementing effective cloud security measures. This leads to misconfigurations, the primary cause of data breaches. But it’s also preventing security teams from implementing a solution, such as auto remediation, which could supplement this knowledge and skills deficit.

Nikhil Girdhar, Product Marketing Leader of Cloud Security Solutions at VMWare says: “Scarcity of experienced cloud security professionals is no hidden secret in the industry. Often, in many companies, a single security professional is seen supporting hundreds of developers using public clouds. Additionally, with the onus of training the broader company on cloud security best practices often falling on central teams, shortage of cloud IT security experts can have an adverse cascading effect on a company’s cloud security posture.”

IT skills gap 

Irish mobile and cloud security company CWSI plans to create 25 new jobs in Ireland and the UK within its service delivery and technical consulting teams. The new roles will include security consultants, delivery and service desk engineers, project and service assurance managers, at a time when there needs to be more experienced cloud security professionals. The Dublin-headquartered company will also  launch a new apprenticeship programme in 2022 in the UK to encourage young people into careers in IT and security. Some of the company’s new hires will be apprentices, who will receive on-the-job training in addition to classroom tutorials. Ronan Murphy, CEO of CWSI, says: “We’ve seen how the IT skills gap has negatively impacted the industry and plan to play our part in encouraging young people to build a career in IT and security in particular.”

According to VMWare, companies facing a shortage of such skills must look at specialised Cloud Security Posture Management (CSPM) solutions to augment and help their understaffed security teams scale cloud knowledge and best practices across the wider organization. With most CSPM solutions enabling standard cloud best practices and compliance frameworks out-of-the box, security teams can quickly help automate identification, reporting, and alerting of cloud misconfiguration risks to developer teams.

According to Gartner, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services by 2023, up from 40% in 2020. Under this paradigm shift, agent-based solutions are ill-suited to meet the increased complexity and ephemeral nature of the cloud. Exhausted, enterprise security teams are turning to new platforms.

Cloud native platforms

Addressing this issue is Israeli security company Orca Security.  Its Cloud-Native Application Protection Platform (CNAPP) aims to simplify the detection and prioritisation of security issues in minutes, not months. The platform has secured a $550 million extension to the Series C funding round it raised earlier this year. Led by Temasek, an investment company headquartered in Singapore, the round has boosted Orca’s valuation 50 percent in just seven months to $1.8 Billion.

The additional funding will permit Orca to expand its footprint and customer base in the UK and across the EMEA region. The company recently launched versions of its website in German and French to better support its partners, prospects, and customers. In addition, the company is opening a physical office in London, where it will have an expanded sales presence, and a new R&D centre, its first outside of Tel Aviv. Orca Security plans to have over two dozen employees working in London by the end of the year.

Avi Shua, CEO and co-founder, Orca Security says: “Customers are fed up with agent-based tools that claim run-time protection but de facto are little more than a gimmick, typically reach only a fraction of the environment, and don’t provide the context security teams desperately need to prioritise critical alerts.” Orca Security’s patent-pending SideScanning technology collects data directly from cloud provider APIs and the workload’s runtime block storage out-of-band. This means that after a quick and easy one-time deployment, Orca Security surfaces critical attack vectors, composed of the most serious risks such as vulnerabilities, malware, misconfigurations, weak and leaked passwords, lateral movement risk and misplaced PII.

It’s clear to see misconfigurations are a top concern for many organisations. VMWare and CSA’s research found that one likely reason why organisations struggle with management of misconfigurations is that they are holding their IT operations and information security teams primarily responsible for detecting, monitoring, and tracking potential misconfigurations as well as remediating these misconfigurations rather than distributing responsibilities across the DevOps or application engineering teams who may be accidentally causing such mistakes and are in a better position to directly fix these errors. 

The CSA says it’s important for organisations to shift left the remediation responsibilities to DevOps and application engineering teams in order to manage misconfiguration risk more effectively. The research found the primary reason organisations state for having a security incident due to misconfigurations is ‘lack of visibility’ (68%). The CSA believes It is equally as important for organisations to prioritize tooling that provides improved visibility, effective risk governance and automation. These functions will help improve the organisation’s ability to quickly identify and correct misconfigurations, regardless of the team responsible for them.

Share

Featured Articles

Cloudflare: Dissecting the Cyberattacks of the US Election

Cloudflare reports on traffic shifts and cyberattacks during the US election highlight how the use of digital democracy and cybersecurity go hand in hand

Markel Cyber Director on Lessons from the Crowdstrike Outage

Markel Cyber Director Chris Burgess discusses how the Crowdstrike outage sparked a renewed focus on resilience and cyber insurance

Why Dow Jones Has Increased Its Investment in Ripjar

Dow Jones has increased its investment with Ripjar for the companies ability to strengthen its analytics and compliance services

Who Stands to Fill Top Cyber Posts in Trump Administration?

Cyber Security

DARPA, BBN Technologies and the Cyber Imperative for CPM

Operational Security

Mimecast Updates Bring AI to BEC Battleground

Technology & AI