State of Cloud Security Concerns, Challenges, and Incidents
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
State of Cloud Security
Concerns, Challenges,
and Incidents
Acknowledgments
Lead Authors:
Hillary Baron
Sean Heide
Shamun Mahmud
John Yeoh
Designers:
Stephen Lumpe
AnnMarie Ulskey
Special Thanks:
Yitzy Tannenbaum, Product Marketing Manager, AlgoSec
© 2021 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.
2 © Copyright 2021, Cloud Security Alliance. All rights reserved. © Copyright 2021, Cloud Security Alliance. All rights reserved. 3
Table of Contents Survey Creation And Methodology
Survey Creation And Methodology......................................................................................................4 The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely promote
best practices for ensuring cyber security in cloud computing and IT technologies. CSA is also tasked
Goals of the study................................................................................................................................4
with educating various stakeholders within these industries about security concerns in all other forms
Executive Summary.............................................................................................................................5 of computing. CSA’s membership is a broad coalition of industry practitioners, corporations, and
Key Findings.........................................................................................................................................5 professional associations. One of CSA’s primary goals is to conduct surveys that assess information
security trends. These surveys help gauge the maturity of information security technology at various
Key Finding 1: Organizations are continuing to move to complex cloud environments..................5
points in the industry, as well as the rate of adoption of security best practices.
Key Finding 2: Cloud provider’s native security controls not enough for many organizations........6
Key Finding 3: Organizations look for security tools that can supplement their workforce............7 AlgoSec, a leading network security solution provider, commissioned CSA to develop a survey to add
Public Cloud Usage..............................................................................................................................8 to the industry’s knowledge about hybrid-cloud and multi-cloud security, and to prepare this report
of the survey’s findings. AlgoSec financed the project and co-developed the initiative by participating
Public cloud platforms organizations are using..............................................................................8
with CSA in the development of survey questions addressing hybrid cloud security. The survey was
Expectations being met by public cloud.........................................................................................8 conducted online by CSA from December 2020 to January 2021, and was submitted to nearly 1900
Past, present, and future cloud workloads.....................................................................................8 IT and security professionals from a variety of organization sizes and locations. The data analysis was
performed by CSA’s research team.
Team Responsible for Managing Security in Public Cloud..............................................................9
Cloud Security Concerns....................................................................................................................10
Concerns when adopting cloud...................................................................................................10
Goals of the study
Addressing staff expertise in cloud security................................................................................. 11 • Understand current and estimated future cloud usage
Concerns when running applications in pubic cloud.................................................................... 11 • Determine the current security concerns during cloud adoption and deployment
Tools.................................................................................................................................................. 12 • Identify the security tools organizations are using to address security concerns
• Understand occurrences and causes of cloud-related security incidents
Network security controls........................................................................................................... 12
Tools for Application Orchestration............................................................................................. 13
Sought after benefits in cloud security management tools..........................................................14
Cloud Security Incidents And Outages...............................................................................................14
Cloud-related operational incidents............................................................................................14
Outage contributors.................................................................................................................... 15
Downtime from most disruptive outage...................................................................................... 16
Demographics.................................................................................................................................... 16
Industry....................................................................................................................................... 16
Organization Size......................................................................................................................... 17
Role............................................................................................................................................. 18
Location....................................................................................................................................... 18
4 © Copyright 2021, Cloud Security Alliance. All rights reserved. © Copyright 2021, Cloud Security Alliance. All rights reserved. 5
Executive Summary Key Finding 2
Cloud providers’ native security controls are not
The use of cloud services have continued to increase over the past decade. Particularly in the
wake of the COVID-19 public health crisis, many enterprises’ digital transformations are on an
enough for many organizations
accelerated track to enable employees to work from home. CSA developed and distributed a survey
Organizations have increasingly turned to cloud providers’ additional security controls and virtual
to better understand the current cloud security concerns, challenges, and incidents.
firewalls. The use of cloud providers’ additional security controls jumped from 58% in 2019 to 71%
in 2021. Approximately half of the organizations turned to third party providers for virtual editions of
Key Finding 1 firewalls for network security controls. This could indicate that while many organizations are moving
to public cloud, many are still utilizing legacy and hybrid environments, and need uniform control
Organizations are continuing to move to complex across many different environments. Additionally, with the current health crisis and the dramatic
cloud environments increase in remote workers, many organizations are unable to secure their network as they have
previously and must turn to additional and alternative security controls.
Over half of organizations are running 41% or more of their workloads in a public cloud.
This is up significantly since 2019, which found that just 25% were running 41% or more of their
workloads in public cloud. In 2021, 63% of respondents expect to be running 41% or more of their
workloads in public cloud, indicating this trend toward public cloud will only continue. No doubt
encouraged by the increase in remote workers due to the recent health crisis.
74% 71% 49% 22% 5% 2%
2019 Actual 2020 Predicted 2020 Actual 2021 Predicted Cloud provider’s Cloud provider’s Virtual editions of Host based Unsure Other
native security additional security traditional firewalls enforcement
controls controls deployed in the
All on-premise 10% 4% 0% 1%
cloud environment
1-20% 38% 15% 22% 13%
21-40% 21% 24% 21% 21%
41-60% 11% 19% 24% 22%
61-80% 6% 18% 15% 18% Key Finding 3
Organizations look
81-100% 8% 14% 13% 21%
Don’t know 7% 8% 4% 6%
1 Clear visibility (topology, policy) for the
for security tools that
entire hybrid network estate
Another survey conducted by CSA in 2020 also indicated that the diversity of production
(multi-cloud and on-prem)
can supplement their
workloads (e.g. container platforms, virtual machines) is also expected to increase. Combine this 2 Proactively detect network risks
workforce
with the continued use of multi-cloud (62%) found in this current survey and the growing remote
workforce, and an ever-more complex cloud environment continues to emerge. This complex 3 Proactively detect misconfiguration
risks (e.g. IAM) A complex environment, combined with
environment will inevitably lead to a need for supplementary security tools to improve the
insufficient security staff and a lack of cloud
organization›s public cloud security.
4 Automation, uniform change manage-
knowledge, has driven organizations to turn
ment across the different security
controls to security tools that can help supplement
their workforce. Three of the top four benefits
5 Regulatory compliance reports organizations look for in security management
tools are for proactive detection of risks and
6 Clean up cloud security controls with
automation. These types of tools can supplement
excessive rules
the challenges many organizations are
7 Ease of migration of workloads from experiencing with lack of expertise (47%) and staff
on-prem to cloud (32%) as well as improve visibility as they move
toward an ever-changing cloud environment.
6 © Copyright 2021, Cloud Security Alliance. All rights reserved. © Copyright 2021, Cloud Security Alliance. All rights reserved. 7
Public Cloud Usage Past, present, and future cloud workloads
Organizations were asked to estimate the percentage of workloads their organization is currently
running in the cloud and then predict what they’ll be running at the end of 2021.
67% 37%
Public cloud 2019 Actual 2020 Predicted 2020 Actual 2021 Predicted
platforms All on-premise 10% 4% 0% 1%
organizations 1-20% 38% 15% 22% 13%
10% are using 21-40%
11%
21%
19%
24% 21%
24%
21%
22%
41-60%
61-80% 6% 18% 15% 18%
There is not one dominant public cloud 81-100% 8% 14% 13% 21%
11% platform in the market. The market
Don’t know 7% 8% 4% 6%
share among the top providers has
65%
become more evenly spread. AWS is
9% used by 67% of organizations surveyed In our previous survey, we asked a similar question regarding their current workloads in 2019 and predict what they’ll
be running at the end of 2020. We have included all four estimates in the graph below. When comparing the 2019 actual
with Azure a close second at 65%.
workloads to the 2020 actual workloads, there are significant increases seen in the ranges 41-60%, 61-80%, and 81-100%. The
The majority of organizations are also
1-20% range saw a corresponding decrease although not quite as dramatic as predicted in the previous report. The percentage
utilizing a multi-cloud strategy (62%) of organizations in the 21-40% range, on the other hand, remains relatively unchanged, sitting at the 21% mark indicating that
with 27% using three or more public it is taking a bit more to get past the 40% mark. Perhaps this is due to a focus on more diverse workloads, which was noted in
cloud platforms. a previous survey by CSA, rather than the lift and shift method.
Team responsible for managing security in public cloud
Expectations being Respondents reported a wide variety of teams who are responsible for managing security in the public
cloud. Security operations was the most common response with 35%, followed by the cloud team at
met by public cloud Reduced Cost 18% and IT operations with 16%. All other teams, including network operations, DevOps engineers/
B E TTER TH AN EX PE C TED
WOR SE TH AN EXP EC TED
managers, application owners, and managed service providers, all fell below 10%. This is an area
Organizations often migrate to the where either there is not as much consistency from organization to organization or perhaps confusion
public cloud due to the promises
Increased Agility and Elasticity regarding which team owns public cloud security.
and expectations made by providers
including: reduced cost, increased
agility, and elasticity, DevOps-friendly, DevOps-Friendly 35% Security Operations
and improved uptime. On average, 18% Cloud Team
organizations are finding that public 16% IT Operations
clouds meet these expectations or even Improved Uptime 9% Network Operations
slightly exceed them. 8% DevOps Engineers/Manager
6% Application Owners
4% Managed Service Provider
2% Not sure
3% Other
8 © Copyright 2021, Cloud Security Alliance. All rights reserved. © Copyright 2021, Cloud Security Alliance. All rights reserved. 9
Cloud Security Concerns Concerns when running applications in public cloud
Concerns when adopting cloud
Respondents were also asked
Network security Respondents were asked to select the concerns about their concerns once
58% their organization had while adopting public cloud.
The most frequently selected response was 1 Sensitive data leakage applications were running in the
Staff lacks cloud expertise
“network security” (58%). This was followed by public cloud.
47%
“staff lack cloud expertise” (47%), “migration of
2 Service outages
Migration of workloads to the cloud workloads to the cloud” (44%), and “insufficient 3 Configuration and security settings On average, the highest ranked security concern
44% amount of staff to manage cloud environments” was “sensitive data leakage,” which is consistent
(32%). It is worth noting that the second and 4 Unauthorized internal access with the previous survey in 2019. “Services
Insufficient amount of staff to manage cloud environment
outages”, “configuration and security settings”,
32%
fourth most commonly selected responses are
5 Compliance with regulatory compliance
“unauthorized internal access”, “compliance
both related to issues with staff, with a combined
Integration with the current IT environment total of 79% surpassing the most frequently 6 Ransomware with regulatory compliance”, and “ransomware”
14% selected response “network security.” In another received a similar average ranking of about
CSA survey published in 2019, a similar question
7 Vendor technology vulnerabilities
moderate concern. Although “vendor technology
Regulatory compliance
was asked. A notable shift has occurred as three vulnerabilities” received the lowest average
13%
of the current top four (staff lacks cloud expertise, ranking, it fell just below moderate concern. This
Lack of visibility migration of workloads to the cloud, and an was somewhat surprising since the SolarWinds
9% insufficient amount of staff to manage cloud hack was reported while this survey was open.
Legal concerns environment) were previously within the bottom However, even with this issue being more salient,
8% four. This rather dramatic shift could be attributed it still was the lowest ranked issue.
to the current health crisis. Many organizations
Cost
may be struggling with how to address a largely
8%
remote workforce.
Addressing the skills gap Industry trainings and certifications for staff
(e.g. CSA, ISC2, ISACA, SANS)
in cloud security 55%
Informal or staff self training
The top three ways organizations are 54%
addressing the skills gap are “industry
Customer training from vendors on products
training and certifications for staff” (55%),
53%
“informal or staff self training” (54%),
and “customer training from vendors on Outsourcing staff
products” (53%). Much less commonly 27%
selected at 27% was outsourcing staff. The
Not addressed
least frequently selected option was “not
7%
addressed” at 7%.
Unsure
5%
Other (please specify)
2%
10 © Copyright 2021, Cloud Security Alliance. All rights reserved. © Copyright 2021, Cloud Security Alliance. All rights reserved. 11
Tools Sought after benefits in
cloud security
1 Ease of migration of workloads from
Network security controls on-prem to cloud management tools
2 Clean up cloud security controls with
When asked about the benefits they look for
To better understand how organizations were navigating the security of their public cloud excessive rules
in security management tools, the top ranked
deployments, respondents were asked about the network security controls they used. Many
respondents reported using a combination of controls. The most commonly selected option was “cloud 3 Regulatory compliance reports response was visibility. This has been a common
complaint with regards to cloud environments,
provider’s native security controls” (74%), which remains consistent with a prior survey performed by
4 Automation, uniform change especially with the popularity of hybrid and multi-
CSA. A close second was “cloud provider’s additional security controls” (71%), which has seen a notable management across the different
cloud environments. Closely following visibility
rise from the previously reported 58%. However, nearly 50% of respondents have found these methods security controls
was the ability to proactively detect network
alone insufficient and have turned to 3rd party’s “virtual editions of traditional firewalls.”
5 Proactively detect misconfiguration risks and proactively detect misconfigurations.
risks (e.g. IAM) Respondents then ranked automation of uniform
change management across different security
6 Proactively detect network risks
controls and regulatory compliance fourth and
7 Clear visibility (topology, policy) for the fifth, respectively. The tools that organizations
entire hybrid network estate are looking for largely supplement their current
(multi-cloud and on-prem) challenge with a lack of staffing and cloud
74% 71% 49% 22% 5% 2%
expertise.
Cloud provider’s Cloud provider’s Virtual editions of Host based Unsure Other
native security additional security traditional firewalls enforcement
controls controls deployed in the
cloud environment
Tools for application orchestration
Security management can take many forms within security application orchestration. Respondents
Cloud Security Incidents and Outages
were asked about the tools they currently use to manage security as part of their application
orchestration process. Over half of respondents reported using cloud native tools (52%) and
orchestration and configuration management tools (50%). Around a third reported using home-grown
Cloud-related operational
scripts (35%) and manual processes to manage security (29%). incidents 11% Yes
Many organizations attempt to prepare for
security incidents, such as breaches and outages. 41% Unsure
When asked whether their organization had
experienced a cloud-related operational incident
20% No incidents
in the last 12 months, 11% reported definitively
52% 50% 35% 29% 7% 6%
having a security incident, 20% reported no
27% Prefer not
incidents, and 27% preferred not to answer. to answer
Cloud native Orchestration and Home-grown scripts Manual processes to Unsure None However, the most common response was
tools configuration leveraging cloud manage security
management tools vendor’s APIs in the cloud unsure with 41%, which is a significant change
from the 2019 survey in which only 18% didn’t Respondents were also asked to report the number of
incidents that they experienced, with the average response
know whether an incident had occurred. Equally
being five. This seems relatively low when considering that
as interesting, the percentage of respondents large cloud platforms have many incidents throughout the
reporting that they have had an incident (11%) week, although many may not be disruptive enough to
has remained consistent from the 2019 survey. significantly impact users.
12 © Copyright 2021, Cloud Security Alliance. All rights reserved. © Copyright 2021, Cloud Security Alliance. All rights reserved. 13
Outage contributors Cloud provider issue
26%
Demographics
Following the question about the number of
Security misconfiguration This survey was conducted from December 2020 to January 2021 and gathered 1900 responses from
incidents, respondents were asked about the
22% IT and security professionals from a variety of organization sizes, industries, locations, and roles.
main contributors to these incidents. The most
common response was cloud provider issues Security Attacks such as denial of service (DoS)
s
ut y
tie
t
s,
an per
al
ili
(26%), followed by security misconfiguration
)
ify
tic
o
ns
20%
ga pr
y
ec
eu
d
s
n
io
og
s
ce
d
t tio
Sp
ce
ac
at
(22%), and security attacks such as denial of
, o an
ol
vi
s
tio ng
ic
or bu
vi
m
e
er
n
n
na nd
un
or
er
as
ec ar
ch
uc ri
sp tri
er tio
n
ls
il/
ct
u
ls
si s a
ot h
m
e
te
service (20%). Less commonly selected were
an is
od ct
ia
Network bandwidth issues
h
En ruc
Pl
Bi , P
se
m
tr , d
es es
nc
pr fa
d
r(
gy
d h
co
o
an
c
st
d nu
d ail
of in
na
t
e
i
l
bl
n
th
le
an ea
pr us
an et
network bandwidth issues (16%) and insider
an Ma
IT
Fi
Co
16%
Pu
Te
O
H
R
B
%
%
4%
8%
6%
6%
2%
7%
5%
7%
7%
16
33
threat (7%). Several of the top contributors can
be tied back to human error or misconfiguration, Insider threat
Industry
which is very likely due to the lack of staffing 7%
and expertise that organizations are currently
Unsure What industry does your organization belong to?
grappling with.
17%
0
s 0
s 0
ee ,00
ee 00
ee 0
Can’t disclose
ee 0
oy ,0
oy 0+
oy ,0
oy 0
oy ,0
oy 0
pl 1-5
s
s
s
s
s
pl 1-2
pl 1-1
pl -50
pl ,00
pl 1-1
ee
ee
ee
pl 0
0
em ,00
em ,00
em 1-5
oy
20%
em 50
em 51
em 10
em 5,0
2
1
%
%
%
%
8%
9%
9%
24
23
10
15
Downtime from most disruptive outage Organization Size
What is the size of your organization?
Respondents were also asked about the impact of the most disruptive cloud outages. For over 25%
of respondents it took longer than three hours to restore normal operations. This has remained
r
ct
ne
s
er
ite
tie
w
consistent with the 2019 survey which had similar results. It is concerning that such disruptive outages
ag
h
ili
/O
rc
an
ut
r
ct
y
ns
ce
/A
ct
ns
rit
/M
d
ite
r
ite
io
ffi
ns
io
an
continue to plague the industry and cost organizations considerable financial and productivity loss.
ce
cu
er
ch
t
O
t
ch
io
ra
ffi
ra
Se
s
ne
Ar
t
ga
y
pe
O
Ar
pe
ra
rit
n
gi
il/
er
e
O
pe
io
O
n
cu
En
nc
,o
nt
io
at
k
O
y
Se
or
ia
at
rit
gy
ps
Ce
m
d
pl
w
ic
cu
d
r
ou
O
er
fo
SO
m
a
et
pl
ou
O
ev
at
En
Se
Cl
In
Co
Ap
N
CI
CI
Cl
D
D
%
%
%
%
%
4%
6%
6%
3%
5%
5%
7%
10
19
12
13
11
Operational loss of longer
4%
than a working day
Operational loss of a
working day
8% Role
What is your primary role?
25% Loss of some features 21% Europe
Operational loss of 3-5
14%
hours
Operational loss of less
26%
than an hour
North America 45%
Operational loss of 1-3 20% Asia
26%
hours
Central America 5%
South America 5%
Location
What area are you located in? 2% Africa 4% Pacific Islands/
Oceania
14 © Copyright 2021, Cloud Security Alliance. All rights reserved. © Copyright 2021, Cloud Security Alliance. All rights reserved. 15
About Algosec
The leading provider of business-driven network security management solutions, AlgoSec helps
the world’s largest organizations align security with their mission-critical business processes. With
AlgoSec, users can discover, map and migrate business application connectivity, proactively analyze
risk from the business perspective, tie cyber-attacks to business processes and intelligently automate
network security changes with zero touch – across their cloud, SDN and on-premise networks. Over
1,800 enterprises, including 20 of the Fortune 50, have utilized AlgoSec’s solutions to make their
organizations more agile, more secure and more compliant – all the time. Since 2005, AlgoSec has
shown its commitment to customer satisfaction with the industry’s only money-back guarantee.
Sponsors are CSA Corporate Members who support the findings of the research project but have no
added influence on the content development or editing rights of CSA research.
© Copyright 2021, Cloud Security Alliance. All rights reserved. 16
You can also read
