Leading Cloud Native Security Challenges According to New ESG Survey
A new Cloud Native Security survey from Enterprise Strategy Group (ESG) shows that while container adoption has grown appreciably over the last two years, organizations are experiencing security program maturity gaps. While cloud-native technologies like Kubernetes offer flexibility, survey respondents indicate that these technologies also introduce complexity. According to the report, nearly half of all respondents say that maintaining security consistency across their own data center and the public cloud environments where their cloud-native applications are deployed is their top cloud-native application security challenge.
This makes sense: centralized policies only work when they are written in the context of the application and the infrastructure they govern. To get started, organizations need to be able to conduct threat modeling, which may be perceived as a tall order in a world where there is roughly 1 security professional for every 100 developers, and release cycles are faster than ever before.
Despite the challenges, 88 percent of those surveyed agree that their cybersecurity program needs to evolve to secure their cloud native applications and use of public cloud infrastructure. And it’s a good thing they do – it bears repeating that in the last three years alone, more than 30 billion records have been exposed in the cloud. Attacks have become more sophisticated, and are increasingly targeting the supply chain to distribute malware under the guise of trusted vendors and gain control of end user systems.
Cloud Native Security Issues Resulting From Identity and Access Management
According to ESG’s findings, the diversity of the threat landscape is often most evident with cloud native applications and infrastructure, with only 12 percent of organizations having experienced no cyber incidents targeting their cloud-native apps or infrastructure over the past year. The report suggests that this highlights the need for “an integrated defense-in-depth approach. Such controls will enable a focus on hardened configurations, automation, segmentation, and the monitoring of accounts and services.”
The recent Accurics Cloud Cyber Resilience Report shows that Identity and Access Management (IAM) has emerged as a new threat vector, and it was the first time that we saw IAM defined through Infrastructure as Code (IaC) in production environments. With some organizations having roles in the thousands or tens of thousands, it isn’t feasible to manage them all manually.
We discovered that more than a third (35.3 percent) of the IAM drifts detected in the report originated in IaC, indicating rapid adoption of IAM as Code. This is particularly alarming when we consider that ESG survey respondents reported cloud misconfigurations resulting from the use of default passwords (30 percent), overly permissive user accounts (25 percent), and overly permissive service accounts (25 percent). Respondents also reported externally facing workloads subject to port scanning and unauthorized access to services via open ports.
The results? Survey respondents reported data compromises and the introduction of malware, including crypto miners and ransomware, as well as impact to SLAs, which indicates the need for IaC security automation. Over the last few years, several high-profile breaches, including SolarWinds and Twilio, have given us a taste of what’s possible when malicious parties have access to code or pipelines.
For Cloud Native Security, Embrace Shift Left and DevSecOps Automation
As organizations seek to evolve their cybersecurity programs to strengthen their security posture around cloud applications, they’re embracing a shift-left approach and DevSecOps automation. Although the need to ensure that policy guardrails are in place across the software development life cycle is already of the utmost importance, the adoption of GitOps puts a finer point on that need. Developers are increasingly leveraging technologies such as Helm and Kustomize to automate the build and deployment process, which requires a programmatic approach to cloud security.
It’s no longer sufficient to only scan for IaC misconfigurations at runtime. Organizations need developer-first security solutions that are compatible with their workflows, increase independence, and deliver easily consumable code fixes rather than just identifying problems. Cyber resilience requires a fundamentally new approach that self-heals the cloud throughout the development lifecycle.
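The overly permissive user and service accounts reported above, and the shift-left scanning this section calls for, can be illustrated with a small IAM-as-Code guardrail: a check that runs over an IAM policy document in a pull request, flags wildcard grants, and hands the developer a concrete fix rather than just a finding. This is an added example written for this page; it is not Accurics, ESG or AWS code. The sample policy document is constructed for illustration, the `Finding` structure and the `passes_guardrail` severity threshold are assumptions, and the check covers only the Action and Resource wildcards discussed here (it does not evaluate Condition blocks or resource-based policies).

```python
"""Shift-left guardrail for IAM-as-Code: flag overly permissive Allow
statements in an IAM policy document before it reaches the pipeline.

Added example for this article, not the code of any vendor or survey.
The sample policy is constructed; the severity levels are an assumption.
"""
import json
from dataclasses import dataclass

# Constructed sample policy, as it might appear inline in a Terraform
# aws_iam_policy resource or a CloudFormation template. Two statements are
# deliberately too broad; the Deny statement is harmless by construction.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "ServiceWildcard", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*"},
        {"Sid": "DenyIsFine", "Effect": "Deny",
         "Action": "*", "Resource": "*"},
    ],
})


@dataclass
class Finding:
    sid: str        # statement identifier, or its index if it has no Sid
    check: str      # which guardrail fired
    severity: str   # assumed scale: "high" or "medium"
    fix: str        # the change to make in the IaC file


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy_json):
    """Return Findings for every Allow statement that relies on wildcards.

    Deny statements are skipped: they only narrow what the policy grants.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(Finding(sid, "action_wildcard", "high",
                    "Action '*' allows every API call; list the calls the workload needs"))
            elif action.endswith(":*"):
                svc = action.split(":", 1)[0]
                findings.append(Finding(sid, "service_wildcard", "medium",
                    f"'{action}' allows every {svc} call; list the specific {svc} actions"))
        if "*" in resources:
            findings.append(Finding(sid, "resource_wildcard", "medium",
                "Resource '*' applies to every resource; scope it to the ARNs the workload owns"))
    return findings


def summarize(findings):
    """Group findings by statement so a PR comment can show one line per Sid."""
    summary = {}
    for f in findings:
        summary.setdefault(f.sid, []).append(f.check)
    return summary


def passes_guardrail(policy_json, block_on=("high", "medium")):
    """CI gate: True when no finding reaches a blocking severity (assumed default)."""
    return not any(f.severity in block_on for f in find_overly_permissive(policy_json))


if __name__ == "__main__":
    for f in find_overly_permissive(SAMPLE_POLICY):
        print(f"[{f.severity}] {f.sid}: {f.check} -> {f.fix}")
    print("guardrail passed:", passes_guardrail(SAMPLE_POLICY))
```

Run as a pre-merge check, `passes_guardrail` fails the sample policy on the `TooBroad` and `ServiceWildcard` statements while leaving the correctly scoped `ReadOwnBucket` statement alone, and each finding carries the edit the developer should make in the IaC file, which is the "consumable code fix" the paragraph above asks for rather than a bare alert.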
Download The Maturation of Cloud-native Security: Securing Modern Applications and Infrastructure to dive deeper into the results from Enterprise Strategy Group’s survey. ESG surveyed 383 IT and cybersecurity professionals in North America who are personally responsible for evaluating or purchasing cloud security technology products and services.