Security is battling to keep pace with cloud adoption

Six out of 10 information security professionals say business adoption of cloud is outstripping their ability to keep pace with securing these environments, according to the inaugural annual State of hybrid cloud security survey by network security management firm FireMon.

The survey findings highlight the fact that the speed of cloud business initiatives is hampering respondents’ ability to secure and manage hybrid environments, with security personnel often not included in cloud business initiatives.

The survey, of 400 information security professionals, is aimed at shedding light on the challenges security and network professionals face as businesses expand hybrid cloud initiatives. The majority of respondents are located in North America (74%), followed by Asia Pacific (12.6%), Europe, the Middle East and Africa (10.1%) and Latin America (3.3%).

The survey found that only 56% of respondents indicated that network security, security operations or security compliance teams are responsible for cloud security.

In the remaining 44% of cases, IT/cloud teams, application owners or other teams outside the security organisation are responsible for cloud security.

Similarly, the relationship between security and DevOps is inconsistent across organisations, which the survey report said can have a negative impact on the consistency of cloud security controls, as more enterprises deploy “as-a-service” models in the cloud.

In some cases, DevOps and security are fully aligned and working well together, but in other cases, the relationship is difficult or even dysfunctional. Almost 40% of respondents said they are using infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) models concurrently.

While 30.7% of respondents said they are part of the DevOps team, as part of the emerging DevSecOps trend, 30% indicated that their relationship with DevOps is complicated, contentious, not worth mentioning or non-existent.

The survey found that enterprises are inadvertently introducing complexity into their environments by deploying multiple systems on-premise as well as across multiple private and public clouds. That complexity is compounded by a lack of integrated tools and training that are needed to manage and secure hybrid cloud environments. 

Respondents also cited a lack of integration across tools, and shortage of qualified personnel or insufficient training for using the tools, as key roadblocks to achieving cross-environment security management.

While 59% of respondents said they use two or more different firewalls in their environment and 67% said they are also using two or more public cloud platforms, only 28% said they are using tools that can work across multiple environments to manage network security. 

Almost 36% said they are using native tools for each environment or manual process, which means they are managing security in a standalone fashion within each component of a hybrid environment, the survey report said.

More than four out of 10 respondents said their top three challenges for securing public cloud environments are lack of visibility, lack of training and lack of control.

The transition to hybrid cloud environments has dramatically expanded the enterprise attack surface and, consequently, the range of assets that must be secured, but security resources are not expanding on the same scale, the survey report said.

Budget and staffing are the key resource constraints cited, with 57.5% of respondents indicating that less than 25% of their security budget is dedicated to cloud security and 52% saying they have security teams of 10 people or fewer.

“The results of our survey are compelling, but not surprising,” said Tim Woods, vice-president of technology alliances at FireMon. “In large, complex enterprise environments, budget constraints, lack of clarity around which team is responsible for cloud security, and the absence of standards for managing security across hybrid cloud environments are impairing organisations’ ability to secure their cloud business initiatives.

“This problem will be solved only with a new generation of security technologies and processes that fully integrate with DevOps and provide end-to-end visibility and continuous security and compliance across hybrid environments.”

Woods said the survey provides a clear indication that many companies are no longer aligned to a central security policy or security doctrine that provides the necessary security guardrails across their hybrid environments.

“In the absence of a concise security rule book, where departments are managing their own security controls, they will do so on a best-effort basis,” he said. “You can be guaranteed that this opens the door for increased risk. 

“If decentralised security responsibility is the future for cloud-first strategies, and we believe it is, then we must look for a way to re-establish a global security management strategy that aligns business intent with compliance intent, with security intent. 

“Security implementations should closely reflect a central security doctrine. Security must be a component of application deployments where both are synchronised to each other.”