Post banner
Cloud Security 3 Min Read

Cloud Security: Common Gaps & How to Bridge Them

We recently conducted a survey with Enterprise Strategy Group (ESG) to gather data about the state of cloud security today. As they say, numbers don’t lie, and we wanted to know what the numbers say about how well organizations today are progressing toward a more secure future.

Many of the findings were positive, but we also discovered some critical gaps that need to be filled. The survey clarified what we already suspected: As companies invest in additional cloud environments, the associated complexity can lead to significant security lapses. Below, we’ll explain what these cloud security gaps are and what can be done to bridge them.

Multi-Cloud Strategies: The Good, the Bad, and the Ugly

We’ve written before about how multi-cloud strategies can make sense for some organizations, and why we are seeing increasing numbers of them moving in this direction. Today’s cloud platform vendors are increasingly competing on cost and features, and for some organizations, it makes good sense to spread their infrastructure across AWS, Google Cloud Platform, Azure, and others.

Still, most are going with one provider for now. In the survey, we found that 60% of respondents run their workloads on a single cloud provider’s infrastructure, and plan to continue doing so for the foreseeable future. Another 12% currently have multi-cloud environments, while 28% plan to have a hybrid setup within a year.

In other words, 40% of respondents will have hybrid environments in 12 months — a more than 200% increase from last year.

When we take a more granular look, this gets increasingly complex. In fact, over the next 12 months, at least 20% of respondents say they will be running workloads on five different providers. This means that we can expect the cloud landscape to become increasingly distributed and complex from a security standpoint. Each cloud provider has different controls in place, and different best practices for remaining secure. While this shouldn’t necessarily deter you, it’s a good idea to spend time really understanding the nuances between them both before and after you decide to go multi-cloud.

Cloud Security Controls: Wading Through the Complexity

When it comes to securing their environments, 54% of respondents rely on a combination of native and third-party controls, while 25% rely only on the native controls associated with their cloud providers. From a security standpoint, the biggest focus is on data security, given that 53% of companies see production database servers as the most critical cloud workload type to secure.

This focus on data security, perhaps partly motivated by recent high-profile attacks, also underscores respondents’ views on the most effective preventive controls for cloud environments. A full 43% say that anti-malware is the most effective tactic to protect data, followed by 34% who rely most on host intrusion prevention systems. In a likely related finding, 91% of respondents said that data encryption is either “important” or “very important” as a security capability.

Respondents are struggling to maintain a strong security posture as the complexity of their environments increases. For example, 31% report that they struggle to keep up with the rapid and temporal nature of the cloud when it comes to security, while 26% find it challenging to maintain strong and consistent security across multi-cloud environments.

Security Tools: Where Technology Falls Short

Even for those respondents who have strong security measures in place, the tools they are using often fail to accomplish key tasks such as automation via DevOps tool integration (64%), visibility into system-level activity (62%), and even preventing a configuration or software vulnerability (70%). In other words, while many teams are using cloud security tools, if they are not using the right ones, they can’t always spot the red flags that need to be detected.

These alarmingly high numbers are not just a security problem, either. They present real business challenges in the form of delayed sales cycles, as more than half of all respondents report that customers’ stringent security requirements are slowing down deals. While most organizations have a decent cloud security baseline and level of awareness, a majority are still suffering bottom-line consequences due to a lack of comprehensive capabilities.

Takeaways . . .

If the above stats ring true for your organization, the good news is you are not alone! Perhaps the even better news is, there are many ways you can mitigate the complexities of cloud security and improve your overall posture. One good place to start is with our eBook, Cloud Infrastructure Security Buyer’s Guide.

You can also read the full Threat Stack–ESG report. Feel free to down Threat Stack Cloud Security Report 2017: Security at Speed & Scale.