Public cloud security ‘just barely adequate,’ experts say

Between the sharp rise in cyberattacks and overall rapid migration to the cloud, cloud security is quickly becoming a top concern for enterprises. And the more clouds are being used, the more there is to worry about.

New research conducted by Dimensional Research for cybersecurity company Tripwire reveals gaps and challenges enterprises across sectors are facing when it comes to multicloud environments, in particular. While the vast majority (73%) currently operate in a multicloud environment, almost all security professionals surveyed (98%) report that relying on multiple cloud providers creates additional security challenges. What’s more, the majority believe cloud providers’ efforts to ensure security for users is “just barely” adequate and that they should be doing more on security.

The primary goal of the research, according to Tripwire, was to “understand current approaches, challenges, and opinions about the security of public cloud infrastructure (IaaS).” The survey included 314 security professionals who have direct responsibility over the security of public cloud infrastructure. All represent organizations with at least 100 employees in the U.S. or Europe.

Cloud usage 

Respondents reported a wide range of reasons for using multiple public cloud providers, including to distribute risk, take advantage of pricing differences, and support applications that require specific providers. The most popular reasons (though not by much) were that different providers have different strengths and weaknesses, and also that different teams, departments, and lines of business have already standardized on different providers.

The research also shows that larger companies use more public cloud providers than smaller ones. The vast majority (82%) of companies with less than 1,000 employees use one or two, with only 3% in this category reporting the use of four public cloud providers. For companies with over 5,000 employees, on the other hand, 21% use four clouds, while only 50% use one or two.

To no surprise, Amazon Web Services (AWS) and Microsoft Azure were cited as the most-used clouds by a significant margin, with 66% and 82% of respondents indicating their organizations use the providers. For companies that are mostly or entirely cloud, however, AWS had an even stronger showing at 85%. Google Cloud was the only provider to lose ground in the past year, dropping from 28% in 2020 to 24% in 2021. Oracle Cloud and IBM Cloud both came in at 10%, marking a slight uptick for IBM and stagnant growth for Oracle.

Gaps and challenges

Securing the cloud (or any network) is challenging, and it’s becoming increasingly difficult as new threats emerge. But the research indicates how multicloud environments can complicate things further. For example, while the majority (59%) of respondents have configuration standards for their public cloud and use best-practice security frameworks (78%), only 38% of framework users apply them consistently across their cloud environment.

The research also uncovered visibility as a significant gap for security professionals dealing with multiple cloud providers. Of those surveyed, only 21% said they have a centralized view of their organization’s security posture and policy compliance across all cloud accounts. Most also noted that shared responsibility models for security between cloud service providers and their customers are not always clear, and 75% rely on third-party tools or expertise to secure their cloud environment.

What’s more, while most organizations rely on existing security teams to complete training or self-teach, only 9% of those surveyed would categorize their internal teams as “experts.”

Securing the multicloud

Getting multicloud security right is extremely tough, especially as enterprises attempt to quickly migrate from legacy systems. Much of the process is still manual, making teams’ baseline expertise and continued training integral. Enterprises, for example, have been known to misconfigure cloud environments and unintentionally make sensitive data public on the internet.

“Given the growing complexity of systems and threats that come with moving to a cloud environment, and security policies that are unique to each provider, it makes sense that organizations are finding it increasingly difficult to secure the perimeter,” Tim Erlin, VP of product management and strategy at Tripwire, said in a news release.

So it’s no surprise that respondents overwhelmingly (98%) said they want cloud providers to increase security efforts. They cited specific improvements, including following consistent security frameworks and more quickly communicating security issues. The majority (67%) said that yes, public cloud providers are doing enough to ensure security for their users, “but it is just barely adequate.” On the other hand, 21% said no, they aren’t doing enough.

When it comes to predicting how severe attacks might happen, some experts do indeed see cloud providers as especially vulnerable. When the New York City Cyber Task Force recently examined how a “more sophisticated and destructive” cyberattack on multiple financial institutions would theoretically go down, for example, the group determined it would most likely start with North Korean hackers compromising a 3rd-party service provider, such as a cloud computing company. The 2020 Solar Winds breach — considered the worst supply chain cyberattack in history — already showed the weaknesses in multicloud environments, in particular. But securing the cloud requires robust and dedicated efforts from everyone involved. In fact, Gartner predicts 99% of cloud security failures through 2025 will be the fault of enterprises themselves, not cloud providers.