TechBeat: Cloudy? Yes, but simple
Cloud computing, and the security thereof, has become an increasingly important part of the ICT architecture and strategy of Irish organisations. This is especially so in light of digital transformation efforts and ambitions.
However, issues around cost, scalability, control and data protection, have led some organisations to take applications back from public cloud. Also, with other options and approaches now emerging, such as multicloud and edge computing, it has meant that organisations are rethinking architectures and management.
None of these developments have done anything to reduce either the complexity or the burden of protecting data, applications and platforms.
TechBeat, in association with Zinopy and Check Point, conducted a survey among 82 Irish IT professionals to gauge how Irish organisations were utilising cloud options, and more importantly, how they were protecting those usages. The picture that emerges is one of widespread adoption, with a significant intent among those that are not yet doing so, combined with serious concerns in areas such as the security posture of third parties and service providers.
Firstly, respondents were asked whether their organisation had a defined cloud strategy. Almost two thirds (62%) said they did, while close to a third (29%) said they did not but have one in development. Just 9% said they did not have a defined cloud strategy, but later responses suggest that this is not indicative of no cloud usage but rather that such usage is in an ad hoc manner.
Of those that have a defined strategy, the greatest proportion (40%) are using hybrid cloud, with almost a third (31%) using public cloud. A significant 19% are using multicloud, signifying a maturing usage of and comfort with cloud technologies. Just 10% said they use private cloud only.
The survey then asked about worries and concerns around cloud usage and security.
Cyber security worries were elevated more than three years ago, as 80% agreed they were more concerned, but half were in strong agreement.
Again, a majority (70%) were in agreement over fears they would be hacked within the next 12 months, with close to a third (29%) in strong agreement, though this did leave roughly the same proportion in disagreement.
The vast majority (89%) agreed they now think more about a company’s security posture before doing business with them, though 38% were in strong agreement.
However, the largest positive majority (91%) was for the statement that investment in cyber security technologies is a high priority for the organisation, with the strong agreement proportion at almost half.
The next question was to do with issues and concerns that may inhibit the use of a cloud service. Three factors stood clear, with security concerns prioritised by almost three quarters (73%), followed by compliance and cost at two thirds each (66%). This tallies with recent studies by the major analysts that found many enterprise organisations had experienced unexpectedly high costs for applications on public cloud during periods of high utilisation.
Geographic location came in at 51% as a concern, while skill availability figured at 29%. This is a clear indication of the growing issue of specialist skills shortages that are pushing many organisations towards using managed services for security, as well as other tasks.
“It is interesting to note that compliance (66%) and security (73%) are what organisations perceive as the main barriers to cloud adoption,” said John Ryan, CEO, Zinopy. “Yet, most organisations seem to adopt cloud technologies without giving due consideration to these two serious concerns.”
“The explosion of connectedness has provided an unlimited attack surface to the hackers, loss of governance and architectural control in the cloud means organisations are not in control of their security posture and the pervasive use of micro services means there is an immediate distribution of risk across the entire network.”
Ryan points out that many organisations using cloud are not aware of or fail to understand the consequence of the shared responsibility model, where the cloud provider is responsible for the security of the cloud, but customers are responsible for what they deploy to the cloud. He cites a Gartner prediction, that through 2020, 95% of cloud security failures will be the customer’s fault.
“My advice,” said Ryan, “is to treat the cloud as an extension of your own network and invest in the appropriate security services and technologies to provide security controls, governance and security monitoring.”
Business applications were the most common cloud deployments, with 83% of respondents indicating such usage. This was followed by Back up as a Service (51%), storage and data archiving (50%), and disaster recovery and server virtualisation tied on 40%. Interestingly, security services was indicated by just 29%, with managed security operations centre (SoC) at just 4%.
This does not suggest a very mature public cloud usage profile. The predominance of hosted applications and recovery and resilience services would suggest that many organisations are not leveraging the potential competitive advantage of more strategic cloud usage. As digital transformation agendas are implemented, this profile is likely to change with the proportion of recovery and resilience services being reduced in favour of technologies and services that can differentiate and deliver competitive advantage.
When asked about concerns related specifically to use of the public cloud for business applications, where three options were required, the proportions were more evenly spread. In the lead (57%) was unauthorised access to sensitive data by other cloud tenants, cloud provider personnel or third parties. This was followed by poor configuration and security (50%), and an inability to meet audit and compliance requirements (45%). Inability of cloud provider to meet service level (SLA) (38%) was next, with malware intrusion from other cloud tenants at (37%). Somewhat surprisingly, inability to encrypt data within the environment (34%) was the lowest, though still figured quite closely.
The overall picture from this question was to highlight the widespread concern for data integrity and security, probably bolstered by compliance efforts with the likes of the General Data Protection Regulation (GDPR). However, the fact that poor configuration and security was such a worry perhaps indicates a lack of awareness of the shared responsibility model, as highlighted by Zinopy’s Ryan. He highlights the models distributed by major services providers, such as that from AWS, that indicates specifically the areas of responsibilities of the service user, the provider and the platform, and where they may overlap. However, the advice remains the same – treat the cloud just as if it were part of the organisation’s own infrastructure and then protect as appropriate, whether the specific measures are implemented directly by the user or co-opted from a service provider, but all overseen by the user.
When it came to the types of attack that cloud users had experienced, denial of service was the clear leader (39%), followed by account or credential hijacking (30%) and privileged user abuse (16%). However, in the free comment section, the number of respondents who said none of the above came in at a significant 21%, though one other respondent also said that as a security professional, they had encountered all of the specified attack methods. While it is hard to draw conclusions from this, it would suggest that for a good proportion of cloud users, their deployments are safer in the cloud than they would be elsewhere.
In terms of the measures being taken to protect sensitive data and control access to public cloud environment, three were clear leaders: multifactor authentication (65%), anti-malware (64%) and encryption (61%). Somewhat behind were network access controls (52%), log and event management (SIEM) (36%), vulnerability scanning (35%), and application controls (whitelisting) (33%). Identity and access management (IDM/IAM) (31%), intrusion detection/preventions (IDS/IPS) (28%), and forensics and incident response (24%) were all clustered closely. Cloud encryption gateways and/or cloud access security brokers (CASB) was specified by just 11%.
There is nothing of great surprise here, as the levels and types of protections broadly reflect the kinds of usages that were seen earlier, favouring recovery and resilience. However, this would also change as usages become broadly more strategic.
With regard to protection of cloud-based applications, the types of security controls and functions in use were identity and access management (72%), malware detection (71%), and encryption and data protection (68%). Logging and event management (58%) was close to the top three, but vulnerability management (29%) and forensics and incident response (24%) were some way behind. The greatest proportion of the 9% who specified ‘other’, said that none of the protections listed was in use, but one did specify the use of “SD-WAN VPN access, with end to end hardware firewalls for remote users”.
The final question looked again at the subject of skills for cloud computing, as was raised as a concern by near a third (29%) of users. The survey asked how respondents were currently addressing the security/cloud skills shortage, with a multi-option response.
Almost two thirds (65%) said they were developing skills internally, followed by use of a managed service provider and third-party professional service contracting coming in at 50 and 45% respectively. The 7% plus in the ‘other’ category responded that a lack of usage of cloud services had not yet prompted the issue, but that the broad expectation was that developing internal skills would be the common approach.
The survey shows that while cloud adoption in Ireland is widespread, and growing, for the majority, it appears to be still in its infancy in terms of delivering value. With the usage profiles tending more towards resilience and recovery, as well as application hosting, the proportion of multicloud users (19%) would suggest there is a growing sophistication.
This growing usage and sophistication brings with it numerous concerns, namely around data protection, compliance and security, as demonstrated. However, as Zinopy’s Ryan observes, despite security and compliance being top concerns, little thought is given to their implementation and management as organisations develop their cloud usage. This is supported by the low number (9%) that have no cloud strategy at all, but also, it could be argued, by a portion of those who said they do have one and those who said it is in development.
While there appears to be no glaring hole in measures and methods taken to protect cloud applications and platforms, there is still evidence from both users and service providers, that confusion remains as to just where responsibilities for cloud securities lie. Ryan’s advice “to treat the cloud as an extension of your own network,” is sound as a default approach that will ensure that nothing falls between two stools.
While the proportion of respondents who said they do not currently have a cloud strategy but are developing one are coming from the standpoint of having much more knowledge and examples available to them to aid development, they may still be considered laggards, to a degree. The innate conservatism of Irish ICT professionals might be generally a good thing, in the case of cloud one would have to have a very compelling reason not having yet developed a secure cloud strategy, and enjoyed some of the benefits and advantages, when the CEO inevitably asks ‘what are we doing in cloud?”