Despite being up to speed on the importance of modernizing security implementations in the cloud, a huge chunk of professionals said their organizations are lagging behind. Responses from these professionals to a CNCF survey indicate that organizations need to shed the old ways to make way for standardization and interoperability that can be achieved with open source. CNCF’s survey also lays out the most prevalent cloud security concerns and challenges that organizations face today.
Results of a survey conducted recently by the Cloud Native Computing Foundation (CNCF) reiterated some known challenges associated with cloud security. Per the Cloud Native Security Microsurvey report, respondents are aware of the menacing impact of not keeping up to date with contemporary security implementations and the threat of relying on traditional means.
CNCF Security Technical Advisory Group (TAG) found that 85% of respondents think modernization of security is ‘very important’ to their organization’s cloud-native deployments with the remaining 12% stating it is ‘somewhat important’, and 3% feeling neutral about it. Yet, only 9% have a fully documented set of procedures which is automatically implemented.
In this context, a modern approach to security doesn’t mean leveraging the traditional approach over the cloud, but a complete overhaul that encompasses dynamic, granular, and nuanced control.
Published during the virtually held KubeCon + CloudNativeCon North America 2021Opens a new window event this week, the report provides a glimpse into how exactly organizations are managing their cloud security for third-party software. As such, responses indicate that:
- Only 9% have a fully documented, and automatically implemented a set of procedures
- 35% of organizations combine manual processes with automated ones to enact policies and procedures
- 22% said their focus remains only on essential ones
- 20% said their processes are completely manual
- 12% don’t have any known policies, procedures, or processes
So it isn’t a stretch to say that appropriate cloud security is still elusive for most. To that end, 82% of respondents cited the importance of using open source to build respective cloud security implementations because “organizations see open source tools as being more interoperable and focused on standards,†CNCF’s report stated.
Specifically, respondents desire open-source alternatives for proprietary technologies such as Key Vault, Vault (59%), Splunk, ELK (53%), AWS Key Management Service (30%), HSM (23%).
“This enables organizations to pick and choose the security they want, knowing they are gaining
collective benefit, with the added value of contributing critical changes that benefit the wider community. Security is not a proprietary concept. The ecosystem as a whole collectively benefits from the lessons and learnings of others.â€
Learnings with respect to challenges faced by others, to any concerns they may have.
The biggest challenge faced by organizations in cloud security is the lack of a skilled workforce, a known issue across multiple security domains. This is followed by the inability to harmonize existing practices with new sets of practices such as DevOps and CI/CD.
Cloud Security Challenges | Source: CNCFOpens a new window
See More: Cloud Misconfigurations Still Cause Two-Thirds of Security Incidents: IBM X-Force
And despite most cloud-native tools claiming to be secure by default, the following need to be augmented:
- Authentication, identity, and access management (66%)
- Compliance and regulation, auditing, management, and monitoring (61%)
- Workload isolation and/or tenant isolation (59%)
- Key management/credential rotation (53%)
- Modern security culture (50%)
- Data encryption (49%)
- Network infrastructure automation (35%)
- Lifecycle management (24%), and others
Fragility in some of these could lead to discovery and exploitation of vulnerabilities by threat actors leading to data breaches, exposure of sensitive information, or use of cloud resources for cryptomining, which has been on the rise in recent months.
The biggest cloud-native security concerns more or less correspond to the security augmentations that the respondents need to undertake, especially the two biggest ones. These are the lack of secure-by-default guarantees (53%), and system, network, and traffic visibility (50%).
Security defaults tend to become a weakness considering each implementation may vary from others. For instance, default Microsoft Power Apps settings led to the exposure of 38 million data records of 47 government and private organizations.
Some other concerns include a knowledge gap when it comes to threats faced by organizations with third-party software and code, the viability of open-source cloud projects with respect to security, intellectual property data loss/theft, and more.
Cloud Security Concerns | Source: CNCF
As a result, in the next two to five years, organizations plan to implement security practices such as the use of signed artifacts, enforcement of policies such as no critical vulnerabilities, enhanced monitoring and detection capabilities, adopt container isolation, and use mutual authentication.
Note: CNCF Security TAG conducted the survey between July and September 2021. Respondents include SRE/DevOps engineers (23%), software architects (17%), security engineers (15%), engineering managers (9%), DevOps management (7%), full-stack developers (5%), and 10% in executive roles such as CTO, CIO working in consulting, financial services, and consumer services. Almost half (49%) are working in organizations with over 1,000 employees.
Let us know if you enjoyed reading this story on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!