Businesses rapidly transitioned to cloud services over the past few years to accelerate their digital transformation. With cloud services providing flexibility and scalability, it was rare for businesses to settle for one cloud service. They would deploy several, making for a complex cloud environment.
A major downside to deploying multiple cloud services is the increase in cybersecurity complexity, and Venafi revealed in its recent research that 81% of organizations experienced a cloud-related security incident over the past 12 months, with almost half having at least four incidents during the same time frame.
The main issue was, in fact, the increase in security and operational complexity connected with cloud deployments. That complexity will only continue to rise, too, as organizations plan to host more of their applications in the cloud.
More than half of security decision-makers believe security risks are higher in the cloud than on-premises, citing security incidents during runtime, unauthorized access and major vulnerabilities that are not remediated as contributing to those risks.
The incidents raised the concern of malware or ransomware, privacy/data access issues and hijacking of accounts. Identities, more specifically machine identities, are ripe for the taking in attacks, according to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity – such as a TLS certificate – to communicate securely,” said Bocek. “If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks.”
Given the increase in security and operational risks, with eight out of 10 organizations experiencing a security incident, the question is who should actually be responsible for security. There is no clear-cut answer among business leaders. Some believe responsibility should be shared between cloud infrastructure operations teams and enterprise security teams, while others believe responsibility should be shared across multiple teams.
Shared responsibility is a risk in itself, however. Development teams, who are the cloud experts, move at a rapid pace to accelerate innovation. As a result, security teams are blind to those operations and lack the ability to evaluate how the controls in place stack up against security and governance policies.
“Security teams want to collaborate and share responsibility with the developers who are cloud experts, but all too often they’re left out of cloud security decisions,” said Bocek. “We need to reset the approach to cloud security and create consistent, observable, controllable security services across clouds and applications.”
Bocek suggested that architecting a control plane for machine identities is one example of a new security model designed for cloud computing.
Security and operational complexity in the cloud will continue to rise, increasing security risks. If teams implement a strategy like the one Bocek suggested, security will be embedded into developer processes to allow security teams to protect the business without slowing down engineers.
Edited by Erik Linask