To accommodate remote work policies amid COVID-19, companies have increasingly adopted the public cloud to support off-site business continuity. A MarketsandMarkets analysis found that due to the impact of the current crisis, the cloud market is expected to grow from $233 billion in 2019 to $295 billion by 2021.
The transition to remote work by organizations across the globe is not temporary. Companies are realizing that employees are just as productive working from home or other remote locations through cloud applications and services as they are in a traditional office environment. As more and more organizations accept nontraditional and flexible work models and accelerate their adoption of cloud services, there will be a constant signal-to-noise ratio, and the likelihood for mistakes will rise.
Teams are working faster than ever to deploy new features and services to keep up with today’s digital demands. Thus, companies must empower security and devops teams to work together to proactively prevent mistakes from turning into devastating data breaches. However, this is no easy task. Even though operating in the cloud offers many advantages to developers, security is often seen as an obstacle that prevents developers from truly embracing the speed and agility of the cloud.
In fact, nearly half of developers and engineers bypass cloud security and compliance policies. This is an incredibly reckless and costly practice given that cloud misconfigurations cost companies nearly $5 trillion from 2018-2019 alone.
This dynamic is changed by shifting cloud security left. Below, I dive deeper into why this shift is so critical and how to achieve a shift-left approach in your organization.
Overcoming DevOps challenges to secure the cloud
It is important to understand what makes DevOps central to the cloud security lifecycle. Considering the self-service and automated world of cloud services, the success or failure of cloud security is ultimately in the hands of the developer. However, when organizations rely solely on runtime cloud analysis, security and compliance are left outside looking in on the provisioning process. This creates many challenges for DevOps.
Since most runtime issues are generated by Infrastructure as Code (IaC) templates that contain the root cause of the issue at hand, developers are left to address the same core fault over and over again. This process is inefficient and not only results in productivity loss but also heightens tension between developers and security teams.
Additionally, DevOps teams are challenged by the rapid nature of change in the cloud. A new cloud service might be secure and compliant in isolation. Yet, when services are joined within broader environments, new security and compliance challenges are certain to arise.
Overall, ignoring the challenges experienced by DevOps teams and waiting to catch risks after provisioning puts the organization at immediate risk.
The drive to shifting security and compliance left
To address these DevOps challenges, organizations need to shift security and compliance left. Integrating security directly into the build process proactively prevents misconfigurations and policy violations from occurring and delivers better experiences to developers.
By directly integrating security and compliance into the CI/CD pipeline, an organization can now take the appropriate preventive steps to remediate misconfigurations, noncompliance, and security risks before it is too late. The opportunity for exploitation is drastically eliminated by this shift.
What’s more, when cloud security is implemented throughout CI/CD, the developer’s experience improves because all issues are surfaced at the right time and the right pipeline step. Developers are empowered to solve cloud security issues the first time, which drastically improves their efficiency and efficacy, allowing them to focus on the bigger picture rather than solving the same issues over and over.
Increased productivity and empowered security and development teams create a sense of shared ownership and responsibility. Developers now are much more likely to participate in the cloud security process. This continuous cycle benefits the developer, the security professional, and the organization at large.
Shifting left with IaC
Organizations can successfully make this transition and shift left by evaluating IaC templates for the same security issues that are currently evaluated at runtime, before a build.
IaC is the driver for moving toward a preventive cloud security strategy. Incorporating the right tools and providing integrated security guidance directly into the development lifecycle provides developers with the necessary recommendations needed to respond to problems immediately. Security teams are able to arm developers with IaC templates that will guide the delivery of secure and compliant cloud environments from the very start.
Staying ahead by taking a step back
Not only has COVID-19 accelerated the shift to remote workforces, it has also accelerated the digital transformation of many companies, including the adoption of cloud. Without taking a full lifecycle approach to cloud security (e.g., combining preventive and reactive), organizations cannot scale in the cloud securely.
Shifting left is imperative to reducing risk in the cloud and creating a sense of ownership and shared responsibility between security and DevOps teams. This is especially critical considering that cloud misconfigurations can cause massive breaches.
This shift is a requirement for all organizations seeking to use cloud services to achieve innovation without the loss of control, and fortunately, with advanced security tools available on the market today, it’s never been easier.
Most enterprises (85%) believe embracing the public cloud is critical to fuel innovation, but the majority are not equipped to operate in the cloud securely, according to a DivvyCloud survey of nearly 2,000 IT professionals.
In fact, of those surveyed whose organization has already adopted public cloud, only 40% have in place an approach to managing cloud and container security.
Avoiding security issues in the cloud
Only a little over half (58%) said their organization has clear guidelines and policies in place for developers building applications and operating in the public cloud. And of those, 25% said these policies are not enforced, while 17% confirmed their organization lacks clear guidelines entirely.
“Enterprises believe they must choose between innovation and security—a false choice we see manifested in the results of this report, as well as in conversations with our customers and prospects,” said Brian Johnson, CEO at DivvyCloud.
“Only 35% of respondents do not believe security impedes developers’ self-service access to best-in-class cloud services to drive innovation—meaning 65% believe they must choose between giving developers self-service access to tools that fuel innovation and remaining secure.
“The truth is, security issues in the cloud can be avoided. By employing the necessary people, processes, and systems at the same time as cloud adoption (not weeks, months, or years later), enterprises can reap the benefits of the cloud while ensuring continuous security and compliance.”
Additional key findings
Automation is coveted but not leveraged in cloud security: Nearly 70% of all respondents believe that automation can provide benefits to their organization’s cloud security strategy, but only 48% say their cloud security strategy currently incorporates products that leverage automation.
The vast majority of respondents (85%) trust automated security solutions more than or the same as human security professionals.
Developers and security are misaligned: Almost half (49%) of all respondents whose organizations use public cloud said their developers and engineers at times ignore or circumvent cloud security and compliance policies.
Enterprises lack understanding of applicable regulations and standards: Out of all respondents, 42% do not know which frameworks their company uses to maintain compliance with relevant standards and regulations (such as GDPR, HIPAA, PCI DSS, SOC 2, etc.)
Infrastructure-as-a-Service (IaaS) reigns supreme: When asked about the architectures their organizations currently use or plan to use within the next year to build apps, 42% said IaaS; among larger organizations with 10,000 or more employees, that number goes up to 53%.
The cloud is ubiquitous: Only 7% of respondents work for organizations that do not use any public cloud services, and only 5% reported no plans to adopt public cloud—a significant drop from the 11% who reported no adoption plans last year.
Enterprise multicloud strategies are declining: 64% of this year’s survey respondents confirmed their organization is using two or more cloud services, a 13% decline from last year.
Nearly 33.4 billion records were exposed in breaches due to cloud misconfigurations in 2018 and 2019, amounting to nearly $5 trillion in costs to enterprises globally, according to DivvyCloud research.
Companies failing to adopt a holistic approach to security
Year over year from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, as did the total cost to companies associated with those lost records. Unfortunately, experts expect this upward trend to persist, as companies continue to adopt cloud services rapidly but fail to implement proper cloud security measures.
“The rush to adopt cloud services has created new opportunities for attackers – and attackers are evolving faster than companies can protect themselves. The fact that we have seen a 42% increase from 2018 to 2019 in cloud-related breaches attributed to misconfiguration issues proves that attackers are leveraging the opportunity to exploit cloud environments that are not sufficiently hardened. This trend is expected to continue as more organizations move to the cloud,” Charles “C.J.” Spallitta, Chief Product Officer at eSentire, told Help Net Security.
“Additionally, common misconfiguration errors that occur in cloud components expand and advance the attacker workflow. Real-time threat monitoring in cloud assets is critical, given the unprecedented rate of scale and nature of cloud services. Organizations should seek-out security services that distill the noise from on-premise and cloud-based security tools while providing broad visibility to enable rapid response when threats are found,” Spallitta concluded.
Key report findings
- 81 breaches in 2018; 115 in 2019 – a 42% increase
- Tech companies had the most data breaches at 41%, followed by healthcare at 20%, and government at 10%; hospitality, finance, retail, education, and business services all came in at under 10% each
- 68% of the affected companies were founded prior to 2010, while only 6.6% were founded in 2015 or later
- 73 (nearly 42%) of known affected companies experienced a merger or acquisition (M&A) transaction between 2015 and 2019, which indicates cloud security is an area of risk for companies involved in merging disparate IT environments
- Elasticsearch misconfigurations accounted for 20% of all breaches, but these incidents accounted for 44% of all records exposed
- The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019
- S3 bucket misconfigurations accounted for 16% of all breaches, however, there were 45% fewer misconfigured S3 servers in 2019 compared to 2018
- MongoDB misconfigurations accounted for 12% of all incidents, and the number of misconfigured MongoDB instances nearly doubled YoY