EMA on Securing Cloud Assets

Where are you on the path to better cloud security practices? According to new research from Enterprise Management Associates (EMA), your answer to that question likely depends on three key factors: who's responsible for cloud security, how they choose to approach it, and what tools they're using.

Sounds simple enough, but the reality is that services such as IaaS, PaaS, and SaaS have their own unique challenges and best practices. And since many organizations use a mix of two or more of those services, security teams are struggling to adapt and understand the requirements of each. Add in faster CI/CD pipelines and the historical friction between security teams and developers, and the complexity of cloud security grows.

In Securing Cloud Assets: How IT Security Pros Grade Their Own Progress, EMA goes straight to the source by surveying more than two hundred IT executives and contributors to get a better understanding of the current cloud security landscape. The self-assessment asked respondents to share their top security concerns, familiarity with different tooling categories, and approaches to protecting cloud and hybrid environments. Here's what EMA found.

Different Sizes, Different Concerns

When it comes to top cloud security concerns, the size of the enterprise matters. And while no single category of cloud security risk garnered a majority of respondents, clear leaders among threats emerged.

Organizations with fewer than a thousand employees are most concerned with data exposure due to misconfiguration followed by data exfiltration by malicious outsiders. For enterprises with up to five thousand employees, those primary concerns center around misconfiguration and account hijacking, respectively.

Large enterprises with more than five thousand employees are most concerned with malicious outsiders exfiltrating data, followed closely by a lack of cloud security architecture and strategy. While the top concern shouldn't surprise anyone given the headline-grabbing breaches we've seen over the past few years, questions about cloud architecture and security strategy suggests that "some large enterprises are further along in their journey to secure cloud assets than others."

Who's Securing the Cloud and How?

The team that takes the lead in managing cloud-based assets depends on the organization. Less than half of respondents (46%) leave it in the hands of their IT security team. More than a quarter (28%) indicated that a separate cloud operations group was responsible, and 9% said their network operations teams handle those duties.

EMA also found that organizations of all sizes generally take one of four primary approaches to cloud security engagement. A little more than 50% of respondents use a central infrastructure team that provides an orchestration layer for developers to get to cloud infrastructure. The next most common approach, at 23%, involves decentralized DevSecOps with developer-dominated teams that include embedded security engineers. Organizations leveraging a corporate cloud orchestration platform with independent control plane validation and security team-owned cloud security posture management is the third most popular approach. Coming it fourth are ad hoc, developer-led groups using cloud provider recommendations and/or default security configurations.

Given the differences in who manages cloud assets, as well as the varied approaches organizations use to secure them, it's important to understand how well security teams and developers collaborate. While more than one quarter of all respondents (28%) said the relationship between security and developers is extremely collaborative, roughly the same percentage admitted that collaboration is an issue.

The Tools of the Trade

Regardless of organization size, a survey-leading 35% of respondents said they're adopting newer best-of-breed, cloud-native controls to protect cloud apps and workloads, while 30% use hybrid controls that span both internal data centers and those of cloud providers. Only 20% of respondents are applying existing on-premises controls to cloud-based applications and workloads, which is great news considering the well-documented difficulties in transitioning those controls to the cloud.

EMA's research also digs into the cloud-focused security tooling organizations use. More than half of all respondents leverage one or more of the following types of tools, listed in descending order: cloud data security software, cloud security monitoring and analytics, API security software, and cloud detection and response. Less than half of respondents said they use cloud access security brokers (CASBs), cloud security posture management (CSPM), or cloud workload protection platforms (CWPPs).

Network Detection and Response in the Cloud

When it comes to cloud-native network detection and response (NDR), 80% of respondents said they're aware that the technology can be applied to cloud traffic. Among that group, 48% see NDR's primary value as the ability to detect threats and anomalies in real time, while 21% said NDR shows its value by facilitating response actions such as investigation and mitigation.

Fewer respondents (14%) listed the ability to monitor network traffic in hybrid environments as a primary value of NDR, which is somewhat surprising given just how many organizations use on-premises and cloud deployments. Even more surprising, only 9% of survey takers said packet-level visibility into east-west traffic was a primary value of NDR. East-west visibility is an essential component of NDR because most advanced attacks, especially recent supply chain attacks such as SolarWinds, rely on lateral movement in that traffic corridor to access target assets.

Given the relative ease of deploying cloud-based applications and the security vulnerabilities that shadow IT creates, packet-level visibility across hybrid and multicloud environments is essential for up-to-date asset inventory, real-time threat detection, and forensic-level investigation in a post-compromise world.

To see the value of complete visibility, real-time detection, and intelligence response capabilities for yourself, start the fully functional ExtraHop online demo. You can also start a Reveal(x) 360 free trial to see how cloud-native NDR works in your specific environment.