Companies Lack Capabilities to Secure Cloud Infrastructure: Report

Businesses lack dedicated security teams focused specifically on protecting cloud resources from threats, and most organizations are in an entry-level phase in terms of their overall cloud security capabilities.

These were among the findings of an Osterman Research survey, sponsored by cloud infrastructure security company Ermetic, of 326 organizations in North America with 500 or more employees and that spend a minimum of $1 million or more each year on cloud infrastructure.

The study found that 56% of organizations are spending at least $10 million each year on cloud infrastructure, but 80% of organizations do not have a dedicated cloud security team or leader to secure its cloud infrastructure.

Moreover, only 5% of survey respondents currently meet the standards of the highest level —Automated & Integrated — of Ermetic's cloud security maturity model, which defines the key guidelines for a comprehensive security strategy, while 93% of large organizations are only at the low levels of cloud security maturity.

More than half (57%) of organizations adopting a multicloud strategy said they are

operating at the lowest level of cloud security maturity.

Related: The State of Cloud Security

The survey indicated that with each additional cloud, maturity of cloud security practices seems to get increasingly stuck at the "ad hoc" level.

Why Dedicated Cloud Security Team Is a Must to Secure Cloud Infrastructure

A dedicated security team is crucial for protecting cloud resources and services, since hundreds of services need to be protected and each service is a potential attack surface for hackers, according to Igal Gofman, head of research for Ermetic.

"Access management around resources is a complex task and requires deep knowledge of each vendor's access model," he said.

Gofman pointed out that cloud services can be easily accessed from anywhere and are an easy target for attackers since many have excessive permissions.

"We see more and more breaches that involve cloud services," he said. "These include non-sophisticated cryptocurrency attacks and advanced targeted nation-state cyber operations."

From Gofman's perspective, it's essential to have at least one cloud expert on your team.

"If you have a limited budget, I suggest staying away from multicloud deployments as it's hard enough to manage one cloud infrastructure," he said.

Gofman's recommendation is to set up two separate environments, "staging" and "production," and do all the access and policy building in the staging environment before pushing to production.

"Use third-party services to get better visibility into what's going on in your environment and test for excessive permissions," he said.

Jasmine Henry, field security director at JupiterOne, a provider of cyber asset management and governance solutions, says JupiterOne's research aligns with Ermetic's discoveries — there has been a significant evolution in cloud-native security, and security practitioners face new demands.

Related: Cloud Security: Why Understanding Vulnerabilities vs. Threats vs. Risks Matters

The average security team is responsible for 32,190 devices, including 28,872 cloud hosts, making it impossible for security practitioners to be effective if they rely on manual approaches or operate with limited visibility.

"Protecting cloud resources is a unique skill set in comparison to legacy IT security," Henry said. "Legacy skill sets, mindsets, and certifications have not kept pace with the security demands of our cloud-native environments."

The cloud security evolution isn't entirely negative however, she said, since it has created an incredibly level plane of competition for businesses.

"An organization's cloud security visibility and talent agility matter much more than the age, size, or total cloud investment of their competition," Henry said.

Gofman cites overprivileged infrastructure as another a big issue, pointing out that attackers use stolen credentials to get an initial foothold; from there, they use a variety of privilege escalation techniques to get to the crown jewels.

"Each year we see more and more attacks on cloud infrastructure as hackers evolve alongside their targets," Gofman said. "As cloud adoption grows, we will see more advanced attacks."

The best strategy is to follow the least privilege model, he said.

"The cloud is a new way of thinking about how we manage our workloads and data, and it requires us to rethink security," Gofman explained.

Excessive permissions make everything accessible from the internet and enable attackers to manipulate the network guardrails.

"Make sure your team has a solid understanding of each security service and feature and has read all the available documentation for the services you use," Gofman advised. "Avoid going to production before testing security in a staging environment. Also, implement a proactive logging strategy."

Many cloud platforms offer robust logging systems that organizations should use to their advantage, he said.

Cloud Threats Are Evolving

John Yun, vice president of product strategy at ColorTokens, a provider of autonomous zero-trust cybersecurity solutions, agrees that, as organizations scale up their cloud adoption, cyberthreats are also evolving.

Many of the benefits organizations hope to gain with the cloud — its scalability, anywhere access, and ephemeral nature of resources — are also being leveraged by cyberattackers, he said.

"While similar vulnerabilities and attack patterns can be leveraged to target on-premises and cloud environments, the method of detection and remediation varies drastically based on the environment," he said.

Dedicated security teams that can implement security measures with the understanding of these nuances are "a must" as organizations adopt cloud and multicloud environments, according to Yun.  

"It's important for organizations to focus on key areas they need to address and not lose their focus on trying to solve the big picture down the road," he said.

Some of the fundamental challenges such as configuration drift and patch management continue to exist and have become more complex in multicloud environments.

"Organizations shouldn't overlook these challenges as cyberattacks will aim to get in first using the least amount of effort and complexity," Yun said.

As organizations formulate future cloud security strategies, they should pay special attention to the ability to secure other cloud environments, he said.

As organizations moved from standardizing one cloud services to a few (Amazon Web Services, Microsoft Azure, or Google Cloud Platform) in the past few years, further expansion to other cloud services looks to be on the horizon.