With organizations increasingly moving to the cloud, it’s not surprising that threat actors are stepping up attacks on cloud-based applications.
New research from Venafi shows how deep the problem may be.
According to a survey released Wednesday, 81 per cent of security decision-makers it questioned said their firm had experienced a cloud-related security incident over the last 12 months. Almost half (45 per cent) said their organization suffered at least four incidents.
“The underlying issue for these security incidents is the dramatic increase in security and operational complexity connected with cloud deployments,” Venafi concludes.
Venafi, a provider of machine identity management solutions, surveyed just over 1,100 security decision-makers across the United States, United Kingdom, France, Germany, Benelux (Belgium, Netherlands, Luxembourg) and Australia.
Respondents said 41 per cent of their applications were hosted in the cloud, and they expect that percentage to grow to 57 per cent over the next 18 months.
Just over half of the respondents believe security risks are higher in the cloud than on-premises.
The most common cloud-related security incidents respondents have experienced are:
- security incidents during runtime (34 per cent);
- unauthorized access (33 per cent);
- misconfigurations (32 per cent);
- major vulnerabilities that have not been remediated (24 per cent);
- a failed audit (19 per cent).
The study also showed that responsibility for securing cloud-based applications varied widely across the organizations respondents work for. Enterprise security teams (25 per cent) were the leading group, followed by operations teams responsible for cloud infrastructure (23 per cent), a collaborative effort shared between multiple teams (22 per cent), developers writing cloud applications (16 per cent) and DevSecOps teams (10 per cent). “However,” Venafi said, “the number of security incidents indicates that none of these models are effective at reducing security incidents.”
Asked who should be responsible for the security of cloud-based applications, respondents still showed no clear consensus. Twenty-four per cent of respondents said responsibility should be shared between cloud infrastructure operations teams and enterprise security teams, while 22 per cent said it should be shared with multiple teams, followed by developers writing cloud applications (16 per cent), and DevSecOps teams (14 per cent).
“The challenges with shared responsibility models are that security teams and development teams have very different goals and objectives,” says Venafi. “Developers need to move fast to accelerate innovation while security teams often do not have visibility into what development teams are doing. Without this visibility, security teams cannot evaluate how those controls stack up against security and governance policies.”