Security Teams Lack Visibility Into Business-Critical Cloud Infrastructure

Organizations are increasingly leveraging innovative Security-as-a-Service (SecaaS) tools and implementing automation to better secure their assets and improve visibility into their cloud infrastructure, according to findings in a survey released by the SANS Institute.

The results are detailed in a whitepaper sponsored by Evident.io titled Orchestrating Cloud Security (PDF), that surveyed 485 IT professionals who use different cloud providers and service models for a variety of business needs, including collaboration services, email, managed services, backups for disaster recovery, and other common use cases for cloud services.

The study, authored by analyst and network security specialist Dave Shackleford, found that while 40% of organizations said they store or process sensitive data in the cloud, fully one-third (33%) of the survey participants said they do not have enough visibility into their public cloud providers’ operations.

“Security teams are struggling to get enough visibility into cloud provider infrastructure, controls and processes through contracts and audit reports,” the whitepaper states.

“A number of respondents also specifically mentioned the need for greater security automation, whereby security teams have access to tools and scripts that integrate with provider and SecaaS APIs to better secure and monitor their cloud assets.”

In addition, the survey revealed that more than 27% of respondents acknowledge they have little or no incident response support within their public cloud implementations, and in many cases, they are unable to adequately manage and assess security controls or determine exactly who is responsible for various aspects of security and compliance.

“The SANS survey clearly highlights and validates the challenges of cloud migration across companies of all sizes. Organizations moving workloads to cloud architectures such as Amazon AWS understand the flexibility and cost efficiencies gained – but often struggle with new best practices and the shared responsibility needed to maintain a secure cloud-computing environment,” said Evident.io’s Andrew Maguire, who discussed the study in a recent SANS webcast hosted by Shackleford.

“The porting of traditional security technology and agent-based solutions used in the past do not translate well to cloud environments, leaving customers with too much data and poor visibility into critical service configuration or controls that could eventually lead to compromise.”

As the figure above shows, the survey respondents use an array of options, with more than 60% stating they already have or will implement such services in the cloud over the course of the next year.

“Each of these applications involves processing or storing sensitive information within the cloud provider environment, including security and network data that can be used to break into the physical network,” the report noted.

“Preventing exploitation across these applications and their associated attack surfaces is now a key support goal for security groups with any type of dynamic cloud-based operation.”

Despite the inherent risks when migrating critical operations and sensitive data to the cloud, organizations that have made the leap are reaping the benefits in the form of optimized business performance, increased agility, and overall cost savings.

Nearly two-thirds (61%) cited faster time to deployment as primary benefit, and nearly half (48%) indicated that they have also benefitted from the use of cloud services as a convenient way of managing compliance demands.

“With all these different types of sensitive data represented in today’s cloud environments, organizations need to comply with various regulatory and industry compliance mandates,” the report said.

“Given that CIOs and their businesses are dealing with more and more compliance requirements, trying to offload some of this work to cloud providers actually starts to make sense.”

The SANS study also notes that the increased focus on security and compliance has spurred new and innovative SecaaS offerings to manage controls for securing systems, applications, and data in the cloud.

“Survey respondents have had some success implementing security and data protection technologies and processes in their cloud environments. The use of SecaaS controls are also expected to increase, especially as providers partner with security service companies to offer more seamless integration and functionality,” the report said.

“A number of respondents also specifically mentioned the need for greater security automation, whereby security teams have access to tools and scripts that integrate with provider and SecaaS APIs to better secure and monitor their cloud assets.”

The full SANS whitepaper (PDF) can be downloaded here (no registration required).

For more details and analysis of the study, access the recent SANS webcast that was hosted by Shackleford and included guests Andrew Maguire from Evident.io, Intel Security’s Margaret Diego, CloudPassage‘s Sami Laine, and Mark Painter from HP Enterprise Security.