The adoption of hybrid cloud solutions by enterprises across various sectors is taking place on such a grand scale that security teams are struggling to secure such solutions in a timely manner, say information security professionals.
Many enterprises are using hybrid cloud solutions such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), making it necessary for their IT security teams to ensure network security across hybrid cloud environments.
However, 60 percent of information security professionals said in a survey carried out by FireMon that their organisations' cloud-based initiatives are accelerating faster than their ability to secure them, thereby leaving large security holes in cloud-based solutions for hackers to exploit.
Infosecurity professionals also said that the deployment of multiple solutions on-premise as well as across multiple private and public clouds by enterprises has introduced complexity into their environments which is further compounded by a lack of integrated tools needed to manage and secure hybrid cloud environments.
For instance, while 59 percent of infosecurity professionals said they are using two or more different firewalls in their environment, 67 percent said their organisations have deployed two or more public cloud platforms. The use of multiple firewalls and cloud solutions isn't necessarily beneficial for enterprises as more than 44 percent of IT security workers struggle due to lack of visibility, lack of training and lack of control over such platforms.
What makes things worse for IT security teams at enterprises is that a majority of such teams are composed of fewer than ten people, less than 25 percent of their security budget are dedicated to cloud security, and only 28 percent of them have tools that can work across multiple environments to manage network security.
"In large, complex enterprise environments, budget constraints, lack of clarity around which team is responsible for cloud security, and the absence of standards for managing security across hybrid cloud environments are impairing organizations’ ability to secure their cloud business initiatives," said Tim Woods, vice president of of Technology Alliances at FireMon.
He added that many enterprises are no longer following a central doctrine that provides the necessary security guardrails across their hybrid environments, but allowing individual departments to manage their own security controls and this opens the door for increased risk.
"This problem will only be solved with a new generation of security technologies and processes that fully integrate with DevOps and provide end-to-end visibility and continuous security and compliance across hybrid environments," he added.
"Cloud adoption continues to rapidly grow for good reasons. However, unless well-managed cloud use can also bring a loss of control and the impact on an organisation’s security posture. The security controls and processes that IT staff are using on-premise do not easily translate to the cloud. In some cases, "stealth IT" means security and IT teams may not even know that new cloud services are being commissioned, and are creating visibility, control, and compliance gaps," said Matt Walmsley, EMEA director at Vectra to SC Magazine UK.
According to Walmsley, security architectures that enable unified visibility of both on-premise and cloud instances ensure that there are multiple opportunities to detect, understand and respond to dangerous multi-stage attacks that manifest in different locations and systems during their life cycle.
"It’s evident that cloud adoption has accelerated over the last few years, at the same time cloud mis-configurations have overtaken ‘phishing’ as the top source of data breaches. These two facts do not sit in isolation, if the cloud is to be used, then organisations must ensure that the security team has oversight of cloud adoption. Appropriate threat modeling and security rigor are business enablers, and allow business to move forward in terms of technology. This fact is often forgotten," said Ed Williams, EMEA director of SpiderLabs at Trustwave.
"As well as businesses, security individuals and teams must ensure that cloud adoption is catered for, SaaS, PaaS and IaaS are different models to traditional enterprise suits and require different solutions to ensure a mature level of security that is enterprise ready."
FireMon's survey also found that in many cases, IT security teams are not even consulted by other departments when deploying new hybrid cloud solutions. When asked if security departments are still being viewed as hindrances rather than facilitators by other departments, Walmsley said that while it is certainly the case in many organisations, the security function needs to become the trusted advisor that partners with the lines of business, having a discussion about risk, and being part of the solution that appropriately secures new business initiatives.
"In progressive organisations cyber-security isn’t just seen as a technology and policy issue. The line of business needs to take on some accountability for security decisions that affect them, and security becomes a shared issue across all elements of the enterprise. This changing of organisational mindset isn’t easy, takes time, and requires an adept CISO who can move, influence and carry respect in both the business and security and risk domains," he added.