Enterprise Strategy Group Getting to the bigger truth. The Evolution of Cloud Security

Transcription

1 Enterprise Strategy Group Getting to the bigger truth. The Evolution of Cloud Security By Jon Oltsik, ESG Senior Principal Analyst May 2016

2 Contents 3. Executive Summary 4. Cloud Computing Momentum in the Enterprise 6. The State of Cloud Security 8. Cloud Security Challenges 10. Cloud Security Tactics and Strategies 13. The Bigger Truth All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at This ESG Research paper was commissioned by varmour and is distributed under license from ESG.

3 Executive Summary In early 2016, varmour commissioned the Enterprise Strategy Group (ESG) to conduct a research survey of 303 IT and cybersecurity professionals with knowledge of or responsibility for cloud security policies, processes, or technologies at enterprise organizations (i.e., more than 1,000 employees). Survey respondents were located in North America and came from companies ranging in size: 50% of survey respondents worked at organizations with 1,000 to 4,999 employees, 23% worked at organizations with 5,000 to 9,999 employees, 13% worked at organizations with 10,000 to 19,999 employees, and 14% worked at organizations with 20,000 or more employees. Respondents represented numerous industry and government segments with the largest participation coming from manufacturing (20%), retail/wholesale (16%), the financial services industry (15%), and business services (14%). For the purposes of this research project, ESG provided the following definitions to survey respondents: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. These infrastructure resources can be accessed and provisioned via on-premises cloud infrastructure management platforms (e.g., VMware vcloud, OpenStack, etc.) and/or third-party services (e.g., Amazon AWS, Microsoft Azure, etc.). Note that server virtualization technologies like VMware vsphere/esx, Microsoft Hyper-V, etc. on its own (i.e., without some type of cloud infrastructure management software) is NOT considered to be cloud computing. Server virtualization technology is defined as software that divides one physical server into multiple isolated virtual environments. This survey focuses specifically on x86 virtualization technologies, by which x86-based guest operating systems are run under another x86-based host operating system running on Intel or AMD hardware platforms. This research project was intended to assess the current practices and challenges associated with cloud computing security. Furthermore, respondents were asked about future strategic plans intended to improve the efficacy and efficiency of cloud security in the future. Based upon the data collected, this paper concludes: Enterprise organizations continue to embrace heterogeneous cloud computing options. Large organizations are using a wide variety of public and private cloud infrastructure to host a growing number of production workloads. ESG also sees increasing adoption of a wide range of heterogeneous cloud infrastructure and SDN technologies, including AWS, Azure, Cisco ACI, Google Cloud Platform (GCP), NSX, OpenStack, SoftLayers, and VMware vcloud. The heterogeneous nature of cloud computing introduces numerous management and security complexities. 3

4 Traditional security processes and controls can be a mismatch for cloud computing. CISOs often try to bridge the cloud security gap with traditional security processes and controls but survey respondents report weaknesses in status quo data, host-based, and network security technologies when they are applied to the cloud (i.e., physical firewall and IDS/IPS appliances, DLP gateways, switch- and router-based ACLs, Layer 2 VLANs based upon IEEE 802.1q, etc.). The same holds true with security monitoring, where cloud computing often leads to blind spots or data management issues (i.e., collecting the right data in a timely manner, normalizing different data formats, etc.) Little wonder then that 74% of organizations are replacing traditional security processes and choosing extensible, scalable, and independent security technologies designed for cloud computing. Cloud computing is driving a multitude of cybersecurity changes. Aside from traditional security process and technology replacement, enterprise organizations are changing security organizations, processes, and plans to accommodate cloud computing security requirements. This transition has already begun and will only gather additional momentum in the months and years to come. As for cloud computing security lessons learned, successful organizations are making organizational changes to improve collaboration between security, DevOps, and data center operations teams, instituting new security policies and processes to keep up with cloud agility, and adding new types of cloud-centric security technologies designed for extensibility, scalability, and support for multiple types of cloud infrastructure. Cloud Computing Momentum in the Enterprise Enterprise organizations are no longer simply experimenting with cloud computing. Rather, many large firms are embracing heterogeneous cloud computing in mixed environments and actively moving workloads to public and private clouds. For example, ESG research reveals that: 34% More than one-third (34%) of organizations have been using public and private cloud services for 3 years or more. As organizations gain additional cloud computing experience, it tends to accelerate their pace of cloud adoption. 57% More than half of enterprise organizations (57%) are using public and private cloud infrastructure to support production applications and workloads today. This indicates that organizations are growing more comfortable running their own portfolio of cloud-based workloads and that cloud computing has become an essential part of enterprise IT strategy. 40% One-quarter of IT and cybersecurity professionals report that 40% of their organization s production applications/workloads run on public cloud infrastructure today and this will only increase in the future. 4

5 Enterprises are engaged in numerous other activities in support of cloud computing. For example, 88% are already deploying internal private cloud infrastructure, 66% are using converged or hyper-converged infrastructure solutions, while 69% are using a self-service portal for cloud workload provisioning, configuration management, change management, etc. Why are large organizations embracing cloud computing at an increasing rate? Reasons vary from aligning enterprise IT with emerging technology innovation, to lowering costs, to aligning IT infrastructure with the increased use of agile development (see Figure 1). FIGURE 1 Reasons for Using Cloud Computing Infrastructure What were the main reasons why your organization decided to utilize cloud computing infrastructure when it first made the decision to do so? (Percent of respondents, N=303, multiple responses accepted) Align our IT strategy with emerging industry innovation Lower operating costs Lower capital costs Align our IT infrastructure with our increasing use of agile development Reduce the number of physical data centers my organization owns and/or operates Use cloud computing for application test and development On-demand compute resources to meet the variable needs of a particular application Use cloud computing infrastructure for non-sensitive workload Accelerate application deployment time Provide business units with more IT autonomy 50% 47% 42% 41% 41% 40% 39% 38% 37% 36% Tiered storage options allow us to align the time value of data with cost Converting capital costs to operational costs in a pay of you go utility model 26% 30% 5

6 IT and security professionals still believe that security issues continue to impede overall cloud velocity. The State of Cloud Security In spite of the uptake of cloud computing, IT and security professionals still believe that security issues continue to impede overall cloud velocity. For example, 51% claim that their organizations are concerned about security risks associated with relying on third-party cloud computing providers, 37% say that their organizations are concerned that cloud computing increases their attack surface, and 36% are concerned about the availability and reliability of public cloud infrastructure. Aside from the risks associated with cloud computing, security professionals also admit that cloud security presents some inherent organizational challenges. More than half of all enterprises claim that cybersecurity teams, networking teams, and data center infrastructure teams all get involved in creating and managing cloud security policies. These three teams also collaborate on cloud security technology purchases, deployment, and day-to-day operations. Given the relative immaturity of cloud computing, when it comes to securing these implementations properly, security professionals describe communications and collaboration issues between these groups, increasing risk and creating bottlenecks in cloud security processes. While cloud computing represents a new and distinct model, 92% of organizations approach cloud security with existing security technologies and processes (see Figure 2). FIGURE 2 Use of Existing Security Technologies and Processes for Cloud Computing Does your organization use its existing security technology and processes for securing its cloud infrastructure? (Percent of respondents, N=303) 6% 2% Yes, extensively Yes, somewhat 37% 55% No, but we plan to use our existing security technologies and processes for cloud security in the future No, but we are interested in using our existing security technologies and processes for cloud security in the future 6

7 From a cost and operations perspective, it certainly makes sense to point existing security technologies and processes at new IT initiatives like cloud computing. Unfortunately, these tools and processes were really designed to be used with a traditional static security model (i.e., hardware-centric, perimeter, network-centric, north/south traffic inspection emphasis, etc.) rather than highly dynamic and mobile cloud computing workloads. When asked to identify their least effective traditional security tools for cloud environments, survey respondents pointed to data security technologies (46%), host-based security technologies (46%), and network security technologies (44%, see Figure 3). The research also revealed a general pattern traditional security skills, processes, and technologies were much more mature than their cloud security counterparts on a consistent basis. FIGURE 3 Least Effective Traditional Security Technologies for New Requirements Associated with Cloud Security Which of the following traditional security controls (designed to protect on-premises systems, networks, applications, and data) is least effective for new requirements associated with cloud security? (Percent of respondents, N=303, multiple responses accepted) Data security technologies (encryption, data loss prevention (DLP), etc.) Host-based security technologies (i.e. anti-virus, file-integrity monitoring, host-based IDS/IPS, etc.). Network security technologies (i.e. firewalls, IDS/IPS, gateways, etc.) 44% 46% 46% Web application firewalls (WAFs) 42% Vulnerability management scanner technologies 41% Patch management technologies 37% SIEM and/or security analytics technologies 33% None of the above 4% 7

8 Cloud Security Challenges Aside from security technology controls, survey respondents also called out a variety of cloud security challenges that spanned people, process, and technology. For example, one-third of organizations point to problems in areas such as their ability to provision security controls to new workloads in the cloud, their ability to assess the overall security of cloud infrastructure, their ability to monitor workloads across clouds, and their ability to monitor regulatory compliance while using cloud computing infrastructure effectively (see Figure 4). FIGURE 4 Cloud Security Challenges Which of the following represent the biggest cloud security challenges at your organization? (Percent of respondents, N=303, five responses accepted) Ability to provision security controls to new workloads in the cloud Ability to assess the overall security status of cloud infrastructure Ability to monitor workloads across clouds Ability to maintain regulatory compliance while using cloud computing infrastructure effectively Ability to monitor network traffic patterns for anomalous/suspicious behavior Ability to protect workloads across clouds Ability to collect, process, and analyze security data related to cloud infrastructure Ability to build a tiered cloud consumption model that aligns different cloud options with the sensitivity of individual workloads Ability to build a risk model to assess which workloads can move to the cloud and which should remain on-premises 34% 34% 34% 33% 32% 31% 31% 30% 30% Ability to monitor who provisions or changes cloud-based infrastructure Ability to conduct forensic investigations on cloud resources Ability to segment network traffic 26% 26% 26% None of the above we don t have any cloud security challenges 3% 8

9 Note that many responses in Figure 4 were related to challenges with cloud security monitoring. ESG wanted to dig a bit further into this topic so we asked survey respondents to identify specific challenges with cloud security monitoring as well. As Figure 5 illustrates, security professionals have a long list of cloud security monitoring challenges, including organizational challenges, scalability challenges, technology challenges, and skills challenges. As the old business axiom goes, you can t manage what you can t measure. As the ESG survey concludes, this is a real problem for large organizations where cloud security monitoring remains a work-in-progress. Smart CISOs will address these types of cloud security monitoring challenges, attain situational awareness of all activities happening in heterogeneous clouds, and then use data analysis to mitigate risk, apply controls, and drive security investigations. FIGURE 5 Cloud Security Monitoring Challenges Which of the following challenges has your organization experienced with regard to monitoring the security of applications, workloads, and data residing on cloud infrastructure? (Percent of respondents, N=298, three responses accepted) Various IT and/or business units have adopted cloud computing over the past few years so the security team is now catching up on security monitoring Cloud security monitoring requires greater scalability for security data capture, process, and analysis 38% 36% Each cloud infrastructure technology is distinct so we can t always get consistent security monitoring across diverse cloud infrastructure My organization has a limited number of cybersecurity personnel, so cloud security monitoring has placed an additional burden on the existing team Monitoring cloud can require lots of work for connecting security monitoring tools to cloud platforms via APIs My organization s cybersecurity team does not have adequate cloud security monitoring skills in place today so we are learning as we go Cloud security introduces blind spots where we don t have adequate visibility for security monitoring Traditional monitoring tools are not always effective for cloud security monitoring 31% 30% 29% 28% 28% 26% We have not experienced any challenges 4% 9

10 Cloud Security Tactics and Strategies Cloud security is new and different compared to traditional physical or virtual server models. Based upon the ESG research, it appears that enterprise organizations take a while to internalize these important distinctions. Once this lesson is learned, however, many organizations adjust their security controls and monitoring so they support the requirements and nuances of heterogeneous cloud infrastructure. For example, 74% of organizations say that they have abandoned traditional security policies and technologies because they couldn t be used effectively for cloud security (see Figure 6). FIGURE 6 Cloud Computing Drives the Abandonment of Traditional Security Controls and Processes Has your organization had to abandon its use of any traditional security policies or technologies because it couldn t be used effectively for cloud security? (Percent of respondents, N=303) 13% 14% 32% Yes, we ve abandoned many traditional security policies or technologies because they couldn t be used effectively for cloud security Yes, we ve abandoned some traditional security policies or technologies because they couldn t be used effectively for cloud security 41% No, but we are having sufficient problems that may lead us to abandon one or several traditional security policies or technologies because they couldn t be used effectively for cloud security No The ESG research indicates that many CISOs are altering their security strategies and turning toward new types of security controls, monitoring tools, and processes specifically designed for cloud computing. In addition, data gathered for this project indicates that they are also: Hiring cloud security architects. A vast majority (87%) of enterprise organizations have established a new cloud security architect position but this role is a relatively recent addition over the last few years. As this role becomes more established, ESG expects gradual maturity in areas like security operations automation and orchestration, so security can keep up with agile development and DevOps groups that are often driving cloud computing initiatives. Changing security requirements. In the past, security professionals tended to judge security technologies based upon their efficacy the ability to prevent, detect, or respond to changing risks or cyber-attacks. While these attributes remain important, cloud computing demands additional requirements like extensibility, scalability, and openness to a wide variety of cloud computing infrastructure (see Figure 7). 10

11 FIGURE 7 Most Desired Security Attributes for Securing Cloud Infrastructure What is your organization s most desired security attribute when it comes to securing cloud infrastructure? (Percent of respondents, N=303) Extensibility (i.e., ability to extend across both heterogeneous infrastructure) 8% 7% 3% 23% Scalability (i.e., ability to scale up or down appropriately with cloud resources) Infrastructure-agnostic (i.e., independent of the underlying IT infrastructure) 8% Manageability 10% 21% Pervasiveness (i.e., exists throughout entire IT environment - from public to on-premises) Deep visibility (i.e., at application or workload layer) 20% Stateful (i.e., security policies maintain consistent, even as they move throughout the IT environment) Automation Growing use of micro-segmentation. More than half (55%) of enterprise organizations are already using security technologies for micro-segmentation (i.e., the ability to create and manage granular and virtual network segments in order to limit network communications to specific sources and destinations). Furthermore, 81% plan to have well documented formal processes for micro-segmentation of network traffic between heterogeneous cloud infrastructure within the next year. Based upon this data, it is safe to categorize microsegmentation as a burgeoning best practice for cloud security. 11

12 Large organizations have a number of other plans for cloud security over the next 12 to 24 months. For example, 47% will determine which security technologies they can begin to eliminate as they use cloud computing more extensively. This is a clear indication that some legacy security technologies will be replaced by cloud-ready alternatives designed for extensibility, scalability, and heterogeneous cloud infrastructure support. Additionally, 43% of organizations plan to classify workloads and then align them with cloud security controls, and 43% will investigate how they can integrate security technologies with cloud APIs (see Figure 8). FIGURE 8 Cloud Security Plans over the Next 12 to 24 Months Which of the following activities does your organization have planned for the next 12 to 24 months? (Percent of respondents, N=303, multiple responses accepted) Determine which security technologies we can begin to eliminate as we use cloud computing more extensively Classify workloads and then align them with various cloud computing options based upon their risk profiles Investigate how we can integrate our security technologies with cloud APIs Provide additional cloud security training for the security staff Make changes to the IT organization to enable more collaboration on cloud security between groups Align security controls with cloud self-service provisioning Invest in new types of security technologies designed for cloud computing Develop ways to automate security provisioning that aligns with what we are doing for cloud computing Create a service catalogue that aligns security controls with various types of workloads 30% 47% 43% 43% 42% 42% 40% 40% 38% Establish a cloud security architect position None planned 2% 4% 12

13 The Bigger Truth Based upon the data presented in this research insight paper, ESG concludes that, while cloud security remains somewhat immature today, it is developing rapidly as large organizations acquire and deploy cloud-ready security tools, gain experience protecting cloud workloads, and establish best practices. This ESG research project can also provide some useful lessons learned that may help large organizations avoid some of the pitfalls and challenges described above. ESG recommends that CISOs: Establish the right organizational model. Security teams must be organized so they can keep up with business initiatives and cloud computing models featuring automation, orchestration, and self-service. To achieve this goal, CISOs will need to improve communications with business and IT executives, bolster cloud computing training, and hire cloud security architects who can go toe-to-toe with cloud specialists and DevOps. Institute appropriate cloud security policies and processes. Cloud security is often an afterthought for infrastructure teams, forcing the cybersecurity team into a perpetual game of catch-up. This leads to growing IT risk, since most security departments tend to always be a few steps behind changes in infrastructure. To bridge this risk gap, large organizations must ensure that risk and security considerations become inexorably linked with cloud computing application development, business decisions, provisioning, and management. In other words, cloud security should be built into heterogeneous cloud projects from their inception rather than bolted on reactively as projects approach their production phase. Start with comprehensive monitoring for cloud security. Even highly skilled cybersecurity professionals can t mitigate risk, detect malicious activity, or respond to security alerts unless they collect, process, and analyze the right data. Similarly, strong cloud security must start with continuous monitoring of all workloads and network traffic on heterogeneous public and private clouds. Armed with comprehensive cloud security analytics, CISOs, IT auditors, and SOC specialists can make informed and timely decisions when it comes to preventing and responding to cyber-attacks. Plan for heterogeneity and massive scale. As the research indicates, large organizations are using a multitude of different private and public cloud infrastructure platforms today with no end in sight. Security controls, monitoring, and processing will need to be built for highperformance and high-throughput to keep up with dynamic workloads, constant mobility, and massive scale. In this way, organizations can bridge the gap between today s tactical security point tools and a more strategic cloud security architecture that can support cloud agility. Embrace a DevOps cloud security model for security enforcement technologies. To keep up with the pace of application development and cloud computing, security teams must work with DevOps on a common lexicon and process automation methodology. This should include things like workload classification for policy enforcement templates, API integration for automation and orchestration, a move toward software-based security services, and central management. All Rights Reserved by The Enterprise Strategy Group, Inc contact@esg-global.com P