The state of cloud security

Lack of knowledge and expertise continues to plague security teams. Cyber Magazine looks at VMware and CSA’s latest report on the state of cloud security.

The worldwide public cloud services market grew 24.1% year-on-year in 2020. With companies relying heavily on public clouds as the driver for digital transformation, the security of their cloud applications, data, and underlying infrastructure remains a top priority for Chief Information Security Officers (CISOs).

Cloud misconfigurations, however, are consistently a top concern for organisations utilising the public cloud. Such errors lead to data breaches, allow the deletion or modification of resources, cause service interruptions, and otherwise wreak havoc on business operations. In a recent survey carried out by the Cloud Security Alliance (CSA) and commissioned by cybersecurity company VMware, one of the key findings was that lack of knowledge and expertise continues to plague security teams. CSA surveyed 1,090 IT and security professionals globally for its ‘State of Cloud Security Risk, Compliance, and Misconfigurations’ report. The lack of knowledge and expertise was repeatedly identified as the primary barrier to general cloud security (59%), the primary cause of misconfigurations (62%), a barrier to proactively preventing or fixing misconfigurations (59%), and the primary barrier to implementing auto remediation (56%).

The findings highlight the trickle-down effect that lack of knowledge can have on security teams. It starts as a general barrier to implementing effective cloud security measures. This leads to misconfigurations, the primary cause of data breaches. But it’s also preventing security teams from implementing a solution, such as auto remediation, which could supplement this knowledge and skills deficit.

Nikhil Girdhar, Product Marketing Leader of Cloud Security Solutions at VMware, says: “Scarcity of experienced cloud security professionals is no hidden secret in the industry. Often, in many companies, a single security professional is seen supporting hundreds of developers using public clouds. Additionally, with the onus of training the broader company on cloud security best practices often falling on central teams, shortage of cloud IT security experts can have an adverse cascading effect on a company’s cloud security posture.”

IT skills gap 

Irish mobile and cloud security company CWSI plans to create 25 new jobs in Ireland and the UK within its service delivery and technical consulting teams. The new roles will include security consultants, delivery and service desk engineers, and project and service assurance managers, at a time when more experienced cloud security professionals are needed. The Dublin-headquartered company will also launch a new apprenticeship programme in 2022 in the UK to encourage young people into careers in IT and security. Some of the company’s new hires will be apprentices, who will receive on-the-job training in addition to classroom tutorials. Ronan Murphy, CEO of CWSI, says: “We’ve seen how the IT skills gap has negatively impacted the industry and plan to play our part in encouraging young people to build a career in IT and security in particular.”

According to VMware, companies facing a shortage of such skills must look at specialised Cloud Security Posture Management (CSPM) solutions to augment their understaffed security teams and help them scale cloud knowledge and best practices across the wider organization. With most CSPM solutions enabling standard cloud best practices and compliance frameworks out of the box, security teams can quickly help automate identification, reporting, and alerting of cloud misconfiguration risks to developer teams.

According to Gartner, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services by 2023, up from 40% in 2020. Under this paradigm shift, agent-based solutions are ill-suited to meet the increased complexity and ephemeral nature of the cloud. Exhausted, enterprise security teams are turning to new platforms.

Cloud native platforms

Addressing this issue is Israeli security company Orca Security. Its Cloud-Native Application Protection Platform (CNAPP) aims to simplify the detection and prioritisation of security issues in minutes, not months. The platform has secured a $550 million extension to the Series C funding round it raised earlier this year. Led by Temasek, an investment company headquartered in Singapore, the round has boosted Orca’s valuation 50 percent in just seven months to $1.8 billion.

The additional funding will permit Orca to expand its footprint and customer base in the UK and across the EMEA region. The company recently launched versions of its website in German and French to better support its partners, prospects, and customers. In addition, the company is opening a physical office in London, where it will have an expanded sales presence, and a new R&D centre, its first outside of Tel Aviv. Orca Security plans to have over two dozen employees working in London by the end of the year.

Avi Shua, CEO and co-founder of Orca Security, says: “Customers are fed up with agent-based tools that claim run-time protection but de facto are little more than a gimmick, typically reach only a fraction of the environment, and don’t provide the context security teams desperately need to prioritise critical alerts.” Orca Security’s patent-pending SideScanning technology collects data directly from cloud provider APIs and the workload’s runtime block storage out-of-band. This means that after a quick and easy one-time deployment, Orca Security surfaces critical attack vectors, composed of the most serious risks such as vulnerabilities, malware, misconfigurations, weak and leaked passwords, lateral movement risk and misplaced PII.

It’s clear that misconfigurations are a top concern for many organisations. VMware and CSA’s research found one likely reason why organisations struggle to manage them: they hold their IT operations and information security teams primarily responsible for detecting, monitoring, and tracking potential misconfigurations, as well as for remediating them. Those responsibilities are not distributed across the DevOps or application engineering teams, who may be accidentally causing such mistakes and are in a better position to fix them directly.

The CSA says it’s important for organisations to shift remediation responsibilities left to DevOps and application engineering teams in order to manage misconfiguration risk more effectively. The research found the primary reason organisations state for having a security incident due to misconfigurations is ‘lack of visibility’ (68%). The CSA believes it is equally important for organisations to prioritize tooling that provides improved visibility, effective risk governance and automation. These functions will help improve the organisation’s ability to quickly identify and correct misconfigurations, regardless of the team responsible for them.

