Cloud security: whose responsibility is it?

Cloud Security

Sheila Zabeu

October 05, 2022

Cloud environments are not easy to manage, and one of the direct consequences of this complexity has to do with cybersecurity. A recent study by cloud security firm Venafi revealed that 81% of organisations surveyed had experienced a cloud-related cybersecurity incident in the past 12 months, with almost half (45%) experiencing at least four incidents. Furthermore, the research highlights that the underlying problem behind these incidents is the dramatic growth in complexity in the security and operational areas associated with cloud solution deployments.

The organisations in the study currently host two-fifths (41%) of their applications in the cloud, but expect to raise this to 57% in the next 18 months, which suggests that complexity will grow further. In addition, more than half (51%) of the security decision-makers surveyed believe that the risks are greater in the cloud than on-premise.

Cloud security incidents cited as the most common by respondents include:

  • Runtime security incidents (34%)
  • Unauthorised access (33%)
  • Incorrect settings (32%)
  • Unfixed vulnerabilities (24%)
  • Failed audits (19%)

Critical operational and security concerns related to cloud migration, meanwhile, are:

  • Hijacking accounts, services or traffic (35%)
  • Malware or ransomware (31%)
  • Privacy or data access problems (31%)
  • Unauthorised accesses (28%)
  • Attacks by nation states (26%)

The study also investigated how responsibility for cloud application protection is currently being assigned to internal teams. This varies greatly across organisations, with security teams cited by 25% of respondents (the largest share), followed by operations teams responsible for cloud infrastructure (23%). Other responsible groups are shared teams (22%), cloud application developers (16%) and DevSecOps teams (10%). However, the number of incidents reported indicates that none of these models has been effective in reducing them.

When asked who should be responsible for cloud application security, again there was no consensus. The most commonly cited option was shared responsibility between teams responsible for cloud infrastructure operations and enterprise security teams (24%). Other options are shared teams (22%), developers (16%), and DevSecOps teams (14%).

[Figure: Security risks higher in the cloud. Source: Venafi]

“Security teams want to share responsibilities with developers who are cloud experts, but are often left out of security decisions. Developers, meanwhile, are making decisions related to architecture and cloud-native tools without involving security teams. And the result of this scenario is the rapid growth of security incidents in the cloud,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The executive highlights the need to redefine the approach to cloud security and create consistent, observable and controllable services for cloud environments and applications. This approach must embed security into developers’ processes and allow security teams to protect the business without slowing down engineers.

Confirming risks, pointing the way

Another study, this one from the company Snyk, corroborates the complexity faced by security professionals and developers in keeping cloud environments free from risks and threats. The survey also found that 80% of organisations interviewed had experienced at least one serious cloud security incident in the past year, such as data breaches, leaks and intrusions. In addition, 41% of respondents said that cloud-native services increase the complexity of environments and further complicate security efforts.

“This new research should serve as a wake-up call that reminds us that the risks in cloud security are universal and are only likely to grow if we continue with outdated approaches and tools. However, the outlook is not entirely bad as the study also clearly reveals that adopting collaborative efforts around DevSecOps can let organisations continue to innovate at their current paces with more security,” says Josh Stella, vice president and chief architect at Snyk.