As organizations accelerate their DevOps practices and move toward continuous delivery, cloud adoption plays a pivotal role. But visibility into cloud infrastructure and provider practices will remain a security Achilles heel until businesses can get better monitoring and insight into public cloud assets. According to a new survey from the SANS Institute, even as the amount of sensitive data housed in public cloud infrastructure explodes, many organizations haven’t found a way to lick the visibility problem.
Sponsored by CloudPassage and conducted among nearly 500 IT professionals, the survey showed that both PaaS and IaaS are on a huge upswing. In the next 12 months organizations report that they will approximately double usage of both models. IaaS in particular shows the biggest growth among cloud usage models, as 29 percent of organizations report they’ll deploy IaaS for the first time in the next year. Among the major drivers for this growth, 61 percent of organizations said time to deployment was key, while 54 percent said they were moving to the cloud because they can’t scale their own solutions.
In those cloud deployments, well over half of organizations are processing or storing sensitive data in their public cloud environments or aren’t sure if they have sensitive data in the cloud. At least one in five organizations said they use the cloud to store or process intellectual property, customer financial information or health records. Meanwhile, 52 percent said they used the cloud to store and process business intelligence data, while 48 percent store or process employee records.
Visibility concerns trump all others when organizations related their problems with cloud adoption—nearly 60 percent reported having issues with a lack of visibility into service provider operations. Nearly half of organizations related they had issues getting proper incident response support from providers due to visibility issues. And 46 percent reported having issues with VM and workload visibility. While not quite as widespread as general visibility woes, a quarter of organizations reported that provider-introduced vulnerabilities resulted in a breach or incident. Unfortunately, most organizations are unable to test for these kinds of issues proactively. Only about 24 percent of organizations work with providers that allow them to do penetration testing on their public cloud assets.
Diving deeper into this issue, one of the big problems is the inability of organizations to fold their cloud operations into overall security monitoring and management—37 percent of organizations reported there’s just a lack of consistent security controls that integrate with on-premises tools and security management.
“The biggest issue, which goes back to the problem of visibility into internal cloud provider operations, is the lack of access to log files and other forensic artifacts, experienced by 53% of respondents,” says the report’s author, Dave Shackleford. He recommends that as organizations evaluate their public cloud relationships, they consider controls like logging, multifactor authentication, encryption and compatibility with security products that work natively within that cloud infrastructure.