Data breaches due to cloud misconfigurations are increasingly making news headlines. And with the accelerating pace of cloud innovation, developer mishaps are bound to happen.
While there is no easy solution to this problem, understanding why companies failed to fix misconfigurations that led to breaches can help your security team plan their management of cloud risk better.
In a joint research survey by VMware and Cloud Security Alliance, 17% of companies reported a cloud security breach due to a misconfiguration in the past year. The research highlights lack of cloud security knowledge, team alignment, risk visibility and speed as the four primary challenges that stand in the way of teams trying to operationalize cloud security.
1) Cloud Knowledge Gap
When asked why the misconfiguration that led to the breach could not be resolved, 59% reported limited cloud knowledge as the second most critical challenge to cloud security.
In most companies, the burden of training the whole organization on security best practices falls on central IT teams. But with over half a million cybersecurity jobs unfulfilled in the country, finding experienced staff knowledgeable in cloud security is not easy.
Today, most organizations are in a tricky spot, where sometimes a single security architect is seen enabling hundreds of developers and other IT personnel in the company. The scarcity of cloud security experts can cascade security concerns across the company.
As a cybersecurity leader in charge of the cloud strategy, one way to help your teams learn and scale is to let them invest in specialized cloud posture management solutions that automate security and compliance benchmarks across the company’s cloud footprint.
2) Unaligned Teams
Improving cloud security governance across a company requires the participation of disparate teams, each with slightly varying security or compliance objectives. The primary goal for each one of these teams, whether in IT security or operations, is to help developers follow cloud best practices.
Almost half (49%) of survey respondents indicated that their Information Security, IT Operations, and DevOps teams are not aligned on cloud security policies. Even worse, in 70% of companies, these teams lack basic alignment on policy enforcement strategies.
Failure to align on a unified governance strategy is a security or compliance risk and overwhelming for developers trying to balance release velocity with various governance priorities.
To help different teams align, you should consider building a centralized Cloud Center of Excellence or a cross-functional team that supports and governs the execution of your cloud strategy within your company. A common forum to strategize and debate can help your teams build trust and agree on security standards and how they should be implemented.
3) Poor Risk Visibility
The most critical challenge: 63% of respondents reported that lack of visibility into misconfiguration vulnerabilities is the primary reason their company could not prevent the cloud security breach. This is especially interesting because 91% of respondents also reported that their companies are currently using a solution to detect and remediate misconfiguration risks.
Then why is identifying misconfigurations so challenging? With cloud providers owning some aspects of cloud security, your security teams are often confused about their own share of security responsibilities as cloud customers.
But within their share, teams need both breadth and depth of risk visibility. This means having the ability to monitor every single cloud provider, account, and service with appropriate security policies. It requires having deep insight into various cloud resources, configuration dependencies, and the numerous paths a hacker can traverse to access data or take control of your cloud environment.
Such comprehensive security support, context and intelligence are usually found lacking in established solutions in the industry. So even if your team has a solution to monitor the cloud, ask again, do they have good risk visibility?
4) Slow Security Processes
It’s well established that criminals can quickly identify and start probing your internet-facing cloud assets within minutes. So, the speed at which your team can identify and fix a misconfiguration is critical in determining its success in avoiding a cloud security breach.
Unfortunately, the survey found that cloud security processes at most companies are lagging. Close to half (44%) of respondents reported that it takes them more than a day to detect a misconfiguration mistake, and even worse, 63% say it takes longer than a day to remediate that risk.
This shows that shifting security left isn’t easy. Building guardrails and enabling developers to fix misconfigurations before code moves to production should be a key priority for your team. But no shift-left security implementation is bulletproof, and nor is it feasible for your developers to proactively catch all mistakes. Complementing your DevSecOps approach with an over-the-top real-time security monitoring solution is essential for effectively managing cloud risk.
Nikhil Girdhar Head of Product Marketing, VMware