Bitglass released a report which uncovers whether organizations are properly equipped to defend themselves in the cloud. IT and security professionals were surveyed to understand their top security concerns and identify the actions that enterprises are taking to protect data in the cloud.
Orgs struggling to use cloud-based resources safely
93% of respondents were moderately to extremely concerned about the security of the public cloud. The report’s findings suggest that organizations are struggling to use cloud-based resources safely. For example, a mere 31% of organizations use cloud DLP, despite 66% citing data leakage as their top cloud security concern.
Similarly, organizations are unable to maintain visibility into file downloads (45%), file uploads (50%), DLP policy violations (50%), and external sharing (55%) in the cloud.
Many still using legacy tools
The report also found that many still try to use tools like firewalls (44%), network encryption (36%), and network monitoring (26%) to secure the use of the cloud, despite 82% of respondents recognizing that such legacy tools are poorly suited to do so and that they should instead use security capabilities designed for the cloud.
“To address modern cloud security needs, organizations should leverage multi-faceted security platforms that are capable of providing comprehensive and consistent security for any interaction between any device, app, web destination, on-premises resource, or infrastructure,” said Anurag Kahol, CTO at Bitglass.
“According to our research, 79% of organizations already believe it would be helpful to have such a consolidated security platform; now they just need to choose and implement the right one.”
Businesses increasingly embrace the moving of multiple applications to the cloud using containers and utilize Kubernetes for orchestration, according to Zettaset.
However, findings also confirm that organizations are inadequately securing the data stored in these new cloud-native environments and continue to leverage existing legacy security technology as a solution.
Businesses are faced with significant IT-related challenges as they strive to keep up with the demands of digital transformation. Now more than ever to maintain a competitive edge, companies are rapidly developing and deploying new applications.
Companies must invest in high performance data protection
The adoption of containers, microservices and Kubernetes for orchestration plays a significant role in these digital acceleration efforts. And yet, while many companies are eager to adopt these new cloud-native technologies, research shows that companies are not accurately weighing the benefits of enterprise IT innovation against its inherent security risks.
“Our goal with this research was to determine whether enterprise organizations who are actively transitioning from DevOps to DevSecOps are investing in proper security and data protection technology. And while findings confirm that companies are in fact making the strategic decision to shift towards cloud-native environments, they are currently ill-equipped to secure their company’s most critical asset: data.
“Companies must invest in high performance data protection so as to secure critical information in real-time across any architecture.”
- Organizations are embracing the cloud and cloud-native technologies: 39% of respondents have multiple production applications deployed on Kubernetes. But, companies are still struggling with the complexities associated with these environments and how to secure deployments.
- Cloud providers have considerable influence over the choice of Kubernetes distribution: A little over half of those surveyed are using open source Kubernetes available through the Cloud Native Computing Foundation (CNCF). And 34.7% of respondents are using a Kubernetes offering managed by an existing cloud provider such as AWS, Google, Azure, and IBM.
- Kubernetes security best practices have yet to be identified: 60.1% of respondents believe there is a lack of proper education and awareness of the proper ways to mitigate risk associated with storing data in cloud-native environments. And 43.2% are confident that multiple vulnerable attack surfaces are created with the introduction of Kubernetes.
- Companies have yet to evolve their existing security strategies: Almost half of respondents (46.5%) are using traditional data encryption tools to protect their data stored in Kubernetes clusters. Over 20% are finding that these traditional tools are not performing as desired.
“The results of our research substantiate the notion that enterprise organizations are moving forward with cloud-native technologies such as containers and Kubernetes. What we were most interested in discovering was how these companies are approaching security,” said Charles Kolodgy, security strategist and author of the report.
“Companies overall are concerned about the wide range of potential attack surfaces. They are applying legacy solutions but those are not designed to handle today’s ever-evolving threat landscape, especially as data is being moved off-premise to cloud-based environments.
“To stay ahead of what’s to come, companies must look to solutions purposely built to operate in a Kubernetes environment.”
The majority of UK businesses using Oracle E-Business Suite (EBS) are running on old versions of the business critical ERP system, according to a Claremont study.
Of the 154 IT professionals polled, 64% revealed they are running on an earlier version than the current R12.2. With Oracle cutting off premier support to EBS 12.1 in December 2021, this leaves these businesses facing potential legislative and security issues if they fail to upgrade prior to the deadline.
58% of the businesses polled claimed they did intend on making the upgrade to R12.2.
“Businesses intent on upgrading to EBS R12.2 face a race against the clock in order to get it done in time. There is now just 14 months until the deadline, and while that may seem like a long time, given that the survey indicates almost two-thirds of businesses are currently looking to upgrade, there is likely to be resource scarcity in the marketplace. With upgrades taking 6-12 months to complete, vendor selections to be made and business cases to be raised, now is the time to act,” said Mark Vivian, CEO at Claremont.
The study also revealed that the majority of EBS users are currently hosting EBS on physical servers. 69% said they were still using physical servers, compared to just 31% hosting EBS on a cloud platform. 60% of businesses claimed they had no intention of migrating to the cloud, while 26% said they were planning a migration, and just 14% said their migration was underway.
The survey also revealed the reasons why those businesses using cloud platforms to host EBS had chosen their cloud provider. 53% of businesses cited price as the main reason they had chosen their cloud provider, while 40% cited greater agility and flexibility, and just 36% cited better support from the cloud vendor.
Mark Vivian added: “It’s surprising to see that so many businesses are still running Oracle E-Business on physical servers. Moving to cloud infrastructure means a shift towards greater agility, crucial for organisations to survive and thrive in response to the accelerating pace of change in today’s marketplace.”
Remote work has left many organizations lagging in productivity and revenue due to remote access solutions. 19% of IT leaders surveyed said they often or always experience network performance and latency issues when using legacy remote access solutions, with an additional 43% saying they sometimes do.
Those issues have resulted in a loss of productivity for 68% of respondents and a loss of revenue for 43%, a Perimeter 81 report reveals.
According to the report, organizations securely connect to internal networks in a variety of ways when working remotely. Some 66% reported using VPNs, 58% said they use a cloud service through a web browser, 48% rely on a remote access solution, and 34% use a firewall.
The many organizations still using legacy solutions like VPNs and firewalls will struggle to scale, face bottlenecks, and lack network visibility.
Security solutions and remote work
33% of respondents said a password is the only way they authenticate themselves to gain access to systems. And while 62% of IT managers said they are using cloud-based security solutions to secure remote access, 49% said they’re still using a firewall, and 41% a hardware VPN.
But there are signs of progress, as organizations increasingly favor modern cloud-based solutions over outdated legacy solutions. Following the pandemic and a switch to remote work, 72% of respondents said they’re very or completely likely to increase adoption of cloud-based security solutions, 38% higher than before the pandemic.
“It’s no surprise that companies are increasingly moving to cloud-based cyber and network security platforms. As corporations of all sizes rely on the cloud to run their businesses, they need new ways of consuming security to effectively prevent cyberattacks regardless of their location or network environment.”
Other key findings
- 74% of respondents are adopting cloud-based security solutions over hardware due to security concerns. 44% are doing so due to scalability concerns, and 43% cited time-saving considerations.
- 61% of organizations believe that having to protect new devices is the greatest security concern in light of remote work, while 56% said their greatest concern was lack of visibility into remote user activity.
- 39% of respondents reported that scalability is their greatest challenge in securing the remote workforce, while 38% said budget allocation was their greatest challenge.
Sitting in the midst of an unstable economy, a continued public health emergency, and facing an uptick in successful cyber attacks, CISOs find themselves needing to enhance their cybersecurity posture while remaining within increasingly scrutinized budgets.
Senior leadership recognizes the value of cybersecurity but understanding how to best allocate financial resources poses an issue for IT professionals and executive teams. As part of justifying a 2021 cybersecurity budget, CISOs need to focus on quick wins, cost-effective SaaS solutions, and effective ROI predictions.
Finding the “quick wins” for your 2021 cybersecurity budget
Cybersecurity, particularly with organizations suffering from technology debt, can be time-consuming. Legacy technologies, including internally designed tools, create security challenges for organizations of all sizes.
The first step to determining the “quick wins” for 2021 lies in reviewing the current IT stack for areas that have become too costly to support. For example, as workforce members moved off-premises during the current public health crisis, many organizations found that their technology debt made this shift difficult. With workers no longer accessing resources from inside the organization’s network, organizations with rigid technology stacks struggled to pivot their work models.
Going forward, remote work appears to be one way through the current health and economic crises. Even major technology leaders who traditionally relied on in-person workforces have moved to remote models through mid-2021, with Salesforce the most recent to announce this decision.
Looking for gaps in security, therefore, should be the first step in any budget analysis. As part of this gap analysis, CISOs can look in the following areas:
- VPN and data encryption
- Data and user access
- Cloud infrastructure security
Each of these areas can provide quick wins if done correctly because as organizations accelerate their digital transformation strategies to match these new workplace situations, they can now leverage cloud-native security solutions.
Adopting SaaS security solutions for accelerating security and year-over-year value
The SaaS-delivered security solution market exploded over the last five to ten years. As organizations moved their mission-critical business operations to the cloud, cybercriminals focused their activities on these resources.
Interestingly, a CNBC article from July 14, 2020 noted that for the first half of 2020, the number of reported data breaches dropped by 33%. Meanwhile, another CNBC article from July 29, 2020 notes that during the first quarter, large scale data breaches increased by 273% compared to the same time period in 2019. Although the data appears conflicting, the Identity Theft Research Center research that informed the July 14th article specifically notes, “This is not expected to be a long-term trend as threat actors are likely to return to more traditional attack patterns to replace and update identity information needed to commit future identity and financial crimes.” In short, rapidly closing security gaps as part of a 2021 cybersecurity budget plan needs to include the fast wins that SaaS-delivered solutions provide.
SaaS security solutions offer two distinct budget wins for CISOs. First, they offer rapid integration into the organization’s IT stack. In some cases, CISOs can get a SaaS tool deployed within a few weeks, in other cases within a few months. Deployment time depends on the complexity of the problem being solved, the type of integrations necessary, and the enterprise’s size. However, in the same way that agile organizations leverage cloud-based business applications, security teams can leverage rapid deployment of cloud-based security solutions.
The second value that SaaS security solutions offer is YoY savings. Subscription models offer budget conscious organizations several distinct value propositions. First, the organization can reduce hardware maintenance costs, including operational costs, upgrade costs, software costs, and servicing costs. Second, SaaS solutions often enable companies to focus on their highest risk assets and then increase their usage in the future. Third, they allow organizations to pivot more effectively because the reduced up-front capital outlay reduces the commitment to the project.
Applying a dollar value to these during the budget justification process might feel difficult, but the right key performance indicators (KPIs) can help establish baseline cost savings estimates.
Choosing the KPIs for effective ROI predictions
During an economic downturn, justifying cybersecurity budget requests might be increasingly difficult. Most cybersecurity ROI predictions rely on risk evaluations, applying the probability of a data breach to the projected cost of a data breach. As organizations look to reduce costs to remain financially viable, a “what if” approach may not be as appealing.
However, as part of budgeting, CISOs can look to several value propositions to bolster their spending. Cybersecurity initiatives focus on leveraging resources effectively so that they can ensure the most streamlined process possible while maintaining a robust security program. Aligning purchase KPIs with specific reduced operational costs can help gain buy-in for the solution.
A quick hypothetical can walk through the overarching value of SaaS-based security spending. Continuous monitoring for external facing vulnerabilities is time-consuming and often inefficient. Hypothetical numbers based on research indicate:
- A poll of C-level security executives noted that 37% said they received more than 10,000 alerts each month, with 52% of those alerts identified as false positives.
- The average security analyst spends ten minutes responding to a single alert.
- The average security analyst makes approximately $91,000 per year.
Bringing this data together shows the value of SaaS-based solutions that reduce the number of false positives:
- Every month enterprise security analysts spend 10 minutes on each of the 5,200 false positives.
- This equates to approximately 866 hours.
- 866 hours, assuming a 40-hour week, is 21.65 weeks.
- Assuming 4 weeks per month, the enterprise needs at least 5 security analysts to manage false positive responses.
- These 5 security analysts cost a total of $455,000 per year in salary, not including bonuses and other benefits.
Although CISOs may not want to reduce their number of team members, they may not want to add additional ones, or they may be seeking to optimize the team they have. Tracking KPIs such as the reduction in false positives per month can provide the type of long-term cost value that other senior executives and the board of directors need to see.
Securing a 2021 cybersecurity budget
While the number of attacks may have stalled during 2020, cybercriminals have not stopped targeting enterprise data. Phishing attacks and malware attacks have moved away from the enterprise network level and now look to infiltrate end-user devices. As organizations continue to pivot their operating models, they need to look for cost-effective ways to secure their sensitive resources and data. However, budget constrictions arising from 2020’s economic instability may make it difficult for CISOs to gain the requisite dollars to continue to apply best security practices.
As organizations start looking toward their 2021 roadmap, CISOs will increasingly need to be specific about not only the costs associated with purchases but also the cost savings that those purchases provide from both data incident risk and operational cost perspective.
There has been a massive 430% surge in next generation cyber attacks aimed at actively infiltrating open source software supply chains, Sonatype has found.
Rise of next-gen software supply chain attacks
According to the report, 929 next generation software supply chain attacks were recorded from July 2019 through May 2020. By comparison 216 such attacks were recorded in the four years between February 2015 and June 2019.
The difference between “next generation” and “legacy” software supply chain attacks is simple but important: next generation attacks like Octopus Scanner and electron-native-notify are strategic and involve bad actors intentionally targeting and surreptitiously compromising “upstream” open source projects so they can subsequently exploit vulnerabilities when they inevitably flow “downstream” into the wild.
Conversely, legacy software supply chain attacks like Equifax are tactical and involve bad actors waiting for new zero day vulnerabilities to be publicly disclosed and then racing to take advantage in the wild before others can remediate.
“Our research shows that commercial engineering teams are getting faster in their ability to respond to new zero day vulnerabilities. Therefore, it should come as no surprise that next generation supply chain attacks have increased 430% as adversaries are shifting their activities ‘upstream’ where they can infect a single open source component that has the potential to be distributed ‘downstream’ where it can be strategically and covertly exploited.”
Speed remains critical when responding to legacy software supply chain attacks
According to the report, enterprise software development teams differ in their response times to vulnerabilities in open source software components:
- 47% of organizations became aware of new open source vulnerabilities after a week, and
- 51% of organizations took more than a week to remediate the open source vulnerabilities
The researchers discovered that not all organizations have to sacrifice developer productivity to improve their risk management practices. This year’s report reveals that high performing development teams are 26x faster at detecting and remediating open source vulnerabilities, and deploy changes to code 15x more frequently than their peers.
High performers are also:
- 59% more likely to be using automated software composition analysis (SCA) to detect and remediate known vulnerable OSS components across the SDLC
- 51% more likely to centrally maintain a software bill of materials (SBOM) for applications
- 4.9x more likely to successfully update dependencies and fix vulnerabilities without breakage
- 33x more likely to be confident that OSS dependencies are secure (i.e., no known vulnerabilities)
Other findings from the report:
- 1.5 trillion component download requests projected in 2020 across all major open source ecosystems
- 10% of Java OSS component downloads by developers had known security vulnerabilities
- 11% of open source components developers build into their applications are known vulnerable, with 38 vulnerabilities discovered on average
- 40% of npm packages contain dependencies with known vulnerabilities
- New open source zero-day vulnerabilities are exploited in the wild within 3 days of public disclosure
- The average enterprise sources code from 3,500 OSS projects including over 11,000 component releases.
“We found that high performers are able to simultaneously achieve security and productivity objectives,” said Gene Kim, DevOps researcher and author of The Unicorn Project. “It’s fantastic to gain a better understanding of the principles and practices of how this is achieved, as well as their measurable outcomes.”
“It was really exciting to find so much evidence that this much-discussed tradeoff between security and productivity is really a false dichotomy. With the right culture, workflow, and tools development teams can achieve great security and compliance outcomes together with class-leading productivity,” said Dr. Stephen Magill, Principal Scientist at Galois & CEO of MuseDev.
More than nine out of 10 US enterprises in the Dow Jones, Fortune 250 and 500, and S&P 100 have run into cloud migration problems when it comes to moving legacy business applications to the cloud, with over three quarters holding applications back, Cloudhouse research has found.
Exploring cloud migration problems
Surveying senior IT decision-makers at 51 US enterprises, the research explored the challenges around cloud migration of legacy business applications.
The study found that 94% of enterprises run applications on legacy operating systems, while 65% identify cost and complexity as factors severely hampering migration plans. Nearly half (48%) fear being locked into a single cloud provider, while 43% hold back from migration because they fear it will put business-critical legacy applications at risk.
While every respondent bar two viewed application migration as important to digital transformation, only 10% have actually completed their digital transformation strategies and just 8% see containerisation as a solution to the incompatibility between legacy applications and cloud systems.
“It’s very worrying that as the Windows end of life deadline looms on January 14, even the largest enterprises in the US seem increasingly paralysed about migrating legacy applications to the cloud,” said Mat Clothier, CEO, Cloudhouse.
“Unless they gain access to expertise and real understanding of cloud-migration technology, such as application compatibility packaging, they face escalating costs and severely impaired competitiveness.”
Lack of cloud market knowledge
Almost half of enterprises say they are hampered by lack of cloud market knowledge while 38% are holding back applications purely because of cost. Nearly a third (31%) lack expertise in migration.
“Major enterprises are neglecting the most effective and obvious solution to the significant problems of migrating legacy applications to the cloud – application compatibility packaging,” said Clothier.
“Incompatible applications can be packaged and migrated without the need to refactor, recode, upgrade and with no impact on the end-user experience. This eradicates extended support charges and keeps applications evergreen.”