The vast majority of organizations have suffered at least one cloud-related cybersecurity incident in the last 12 months, a new report from Venafi has claimed.
It found that rising complexity, and the lack of clarity over whose responsibility cloud security really is, are two major contributors to these incidents.
According to Venafi, 81% of firms experienced at least one such incident in the last year. Almost half (45%) suffered as many as four incidents.
Security and operational risks
Most of the time, they experience security incidents during runtime (34%), unauthorized access (33%), misconfigurations (32%), major vulnerabilities that haven’t been patched (24%), or failed audits (19%).
At the same time, only unauthorized access made it to the top five list of the biggest operational and security concerns security decision-makers are having. There are also account, services, and traffic hacks (35%), malware and ransomware (31%), privacy issues (31%), and nation-state attacks (26%).
“Attackers are now on board with business’ shift to cloud computing,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity – such as a TLS certificate – to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks.”
The study has also shown how businesses don’t really know whose responsibility cloud security really is. Enterprise security teams (25%) are the most likely ones to manage app security in the cloud, right before operations teams (23%). For almost a quarter (22%) it should be a collaborative effort shared between multiple teams, while 16% think it should be the responsibility of developers writing cloud applications.
Venafi seems to hint that shared responsibility models shouldn’t be adopted, as “security teams and development teams have very different goals and objectives”. While developers need to move fast, it creates visibility issues for security teams. “Without this visibility, security teams cannot evaluate how those controls stack up against security and governance policies,” the report states.
Organizations studied for the report currently host (opens in new tab) 41% of their applications in the cloud and expect the number to rise to 57% in the next year and a half.