Dealing with cloud security shortfalls

72% of IT leaders believe their companies moved to the cloud without properly understanding the skills, maturity curve, and complexities of making it all work securely, according to a recent CloudBolt Software report.


The results of the study should be concerning to enterprises:

  • 68% said their organization’s security skill set across all clouds was only “somewhat mature.”
  • Only 8% of respondents confirmed they had implemented highly operationalized cloud security practices when spinning up new compute resources and environments; 83% say that they have “somewhat” done so.
  • Only 6% of respondents say that their companies automatically build security into every workload up front; 51% say they do it “sometimes.”

“Several years ago in cybersecurity, companies realized that the single greatest threat vector was the individual end user. So, the focus shifted from perimeter and end-point security to automatically applying security at the user level,” said Jeff Kukowski, CEO of CloudBolt.

“I think this new report reveals a similar parallel in cloud security. Macro solutions that don’t make cloud security automatic at the individual, cloud-provisioning ‘moment of truth’ create lots of opportunity for exposure and leave enterprises only ‘somewhat, sometimes’ secure. I predict 2023 will be the year we see significantly more focus on shoring up these current cloud security shortfalls. It’s a very solvable problem when you apply the right approaches,” Kukowski continued.

Respondents primarily attributed shortfalls in cloud security at the user level to a growing multi-cloud skills gap and over-reliance on cloud-native security and monitoring tools.

The multi-cloud skills gap

As revealed in a previous CII study, there simply aren’t enough people with the necessary skills across all major cloud platforms to effectively address the biggest cloud challenges – including security.

This latest CII report further validates these findings:

  • 56% of respondents cited “depth of native cloud skill sets/expertise” as a top security concern.
  • 29% pointed to a “lack of talent with deep security expertise” as an issue.

Organizations rely heavily on cloud-native security tools

Companies say they are largely utilizing the security tools each public cloud provider offers:

  • 74% said they rely on these tools to provide “adequate security.”
  • 84% indicated that simply using a monitoring tool was the best way to deal with cloud security.
  • 64% believe they can solve their cloud security concerns by embracing HashiCorp’s Terraform.

However, each of these approaches is fraught with limitations that create the “somewhat, sometimes” security issues at the user level.

“People want to believe the cloud-native tools they use will simply take care of security for them,” said Kukowski.

“But in a multi-cloud world, the unique nuances of settings and required knowledge between each major cloud create plenty of opportunities for errors, omissions, and mistakes by individuals. And monitoring tools alone cannot provide proactive and automatically applied guardrails. Companies appear to have been lulled into a false sense of security. The reality is that proper security processes, protocols and best practices must be built into cloud workloads up front to prevent missteps from happening in the first place. Not somewhat or sometimes – fully and all the time,” Kukowski concluded.

The CloudBolt Software report is based on a global survey of 350 IT leaders, primarily VP+, from enterprises with 5,000 or more employees, executed by the Gartner-owned Pulse research platform.
