Introduction
Between December 2018 and February 2019, the Cloud Security Alliance (CSA) ran a 20-question online survey on enterprise cloud adoption and cloud security management. It drew nearly 700 IT and security professionals from roughly 500 organizations of varying size and location. The survey found that many organizations are moving an increasing share of their workloads to cloud-based resources, including hybrid environments, multi-cloud environments, and combinations of the two, and that they are also working to integrate applications from public and private cloud providers with their own on-premises resources. (For more on this part of the report, see the article "CSA Confirms Hybrid Cloud and Multi-Cloud Strategies Will Be Major Cloud Strategies for Enterprises in the Future".)
As cloud environments grow more complex, what challenges do enterprises face, and how should they respond? Drawing on the CSA survey report, the author offers the following analysis and conclusions.
Challenge 1: Security Concerns
About 81% of respondents expressed concern about security when moving data to the cloud, which makes security the single biggest obstacle on the enterprise path to cloud adoption.
The security concerns that enterprises rated as high or moderate are shown in a chart translated from the original CSA report (figure not reproduced here).
The Six Security Challenges Users Rate Most Highly
The added complexity of multi-cloud and hybrid cloud brings a corresponding set of security challenges. The survey found broad agreement that the following already demand serious attention; they are listed here from the highest to the lowest level of respondent concern:
- Proactive detection of misconfigurations and security risks
- Lack of visibility into overall cloud assets
- Compliance and audit requirements
- Simultaneously managing cloud and on-premises environments
- Managing multi-cloud environments
- Lack of experience with cloud-native security architecture
According to the report, respondents consider the proactive detection of misconfigurations and the identification of security risks to be the single biggest challenge, with visibility into the overall cloud environment ranked second.
Challenge 2: Compliance and Legal Challenges
Beyond the common compliance frameworks (ISO 27001, PCI-DSS, HIPAA, SOX, NIST 800-53), cloud service providers are continually updating their services and platforms to meet newer regulations and industry assurance programs, such as the European General Data Protection Regulation (GDPR) and the CSA Security, Trust, Assurance and Risk (STAR) program. In recent years many governments have stepped up enforcement against security violations and raised the penalties. China's Cybersecurity Level Protection 2.0 standards, released on May 10, 2019, likewise introduce level-protection requirements written specifically for cloud computing. (For details, see the article "Security Design Technical Requirements for Cloud Computing under Level Protection 2.0".)
At the same time, customers of cloud services are often unsure who is accountable when a compliance failure occurs. More than half of respondents (57%) expressed concern about compliance, and nearly half (44%) reported unease about legal issues when adopting public cloud services. Considerable uncertainty remains about how customers can use these platforms in a compliant way and who bears responsibility for violations.
Enterprises therefore need to understand the regulatory requirements of their industry and government, know the compliance status of each service and platform in their IT architecture, and raise the security of systems in these complex environments to the level the regulations demand. That is no small challenge.
Challenge 3: Dedicated Security Teams and Staff Training
Because cloud services are so easy to obtain, each individual business unit now has more control over, and ownership of, the services it uses. As that usage grows, the organization has to decide which department is responsible for securing it. The survey shows that most respondents (79%) place this authority with the IT department, yet only 16% of those said their IT department has a dedicated cloud security team; the remainder rely on other groups or services, such as DevOps or a managed service provider. Since security services can be procured as easily and as quickly as cloud services themselves, organizations should consider sharing security responsibility across the whole organization, so that each business unit understands the security implications of every service it consumes.
Multi-cloud and hybrid cloud environments bring many benefits, but they also make these environments harder to protect. As the environment grows more complex, IT professionals must be able to see their cloud-based resources and must be able to trust the expertise of both their own security staff and the provider's personnel. The speed of cloud adoption and the complexity of the technology have opened a large gap in cloud security skills.
The survey bears this out: about one-third of respondents cited a lack of expertise, and one-quarter cited a lack of staff to manage cloud environments. Half of respondents were concerned about integrating public cloud with their existing IT infrastructure. The report also notes that in a 2017 survey, 61% of respondents already running hybrid cloud named consistent security management across hybrid environments as one of their organization's biggest challenges. With multi-cloud usage clearly rising and workloads shifting to public cloud, the skills gap will only become more visible.
How to quickly build a dedicated cloud security team and develop cloud security skills is therefore a major challenge for enterprises.
Notably, many respondents voiced this concern independently. Asked whether they had experienced a security incident in the past 12 months, the 44% who reported one uniformly expressed concern about the lack of personnel to manage cloud security.
Response Strategy 1: Use Security Management Tools and Security Policies
To understand how organizations handle security in these complex environments, respondents were asked which security controls they use to protect their public cloud deployments. Most reported using several controls; the most popular choice, at 70% of respondents, was the cloud provider's own native security controls. In a similar 2017 study, only about a quarter of respondents used their provider's native security tools.
(A chart of the security controls in use, translated from the original CSA report, is not reproduced here.)
Security is also increasingly treated as a basic requirement of application design: 59% of respondents require it to be part of the design. Asked what they use to manage security when building applications for the public cloud, answers varied: 32% use programming and configuration-management tools, 29% use cloud-native tools, and 13% use scripts written against the cloud provider's APIs.
Early detection of potential security risks remains a central part of security management, and the tools used to detect and manage those risks and vulnerabilities are what make early detection possible. In this survey about one-third of respondents use their cloud provider's risk assessment services to detect and manage vulnerabilities, nearly a quarter use a designated third-party security tool, and another fifth use general-purpose risk or vulnerability assessment tools. In other words, fewer than half of respondents use any tooling beyond what their CSP provides.
Response Strategy 2: Adopt Compliant Technologies and Cloud Platforms
Many public cloud providers now offer native tools with added visibility and security features that often meet or exceed traditional controls, whether those are in-house controls for internal systems or third-party products, and their platforms and services increasingly satisfy some of the stricter compliance requirements of industry and government regulation. Enterprises need to understand how to take advantage of these platforms and provider tools in order to realize the full benefits of the cloud.
Building the enterprise IT architecture on compliant technologies and platforms lets the organization use the tools the platform itself provides to improve security and built-in compliance in complex environments, which in turn helps its systems meet the relevant legal and regulatory requirements.
Response Strategy 3: Shared Security Responsibility and Automation
Cloud service providers and customer IT teams should be able to state their security goals clearly and agree on a baseline of security requirements that both sides can measure and share. This shared-responsibility approach greatly improves transparency and supports compliance with security regulations and best practices. Before migrating any important resource to a vendor's cloud, the customer must first establish trust with that provider.
Beyond the shared responsibility agreed with the provider, each business unit should understand the security goals the organization has set. The organization should designate a single department responsible for cloud security, establish cloud security policies that apply across business units, and raise the education and awareness of all staff, completing a modern shared-responsibility model. Within the enterprise, data owners should be accountable for the security of their data, including where it is handled by external business partners and other internal business units.
As more functions move into the cloud, existing and future security risks and vulnerabilities expand with them. Cloud providers keep adding security features, while enterprises, as the end users, keep adding the people and expertise needed to put those tools to work.
Given the inherent complexity of multi-cloud and hybrid cloud, security operations staff need training, and operations should be automated wherever possible to eliminate manual errors. Automating security components also helps offset the shortage of people with advanced cloud security skills.
Logging, data aggregation, threat detection and security policy management are just some of the areas where tools and policies help identify security vulnerabilities, compliance violations, service misconfigurations, service outages and other anomalous behaviour. As organizations accelerate their use of new technologies, devices and users in cloud environments, automation tools are expected to help enterprises and their staff keep pace with the demands of cloud security operations.
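The top-ranked challenge in the survey, proactive detection of misconfigurations, and the automation recommended in this section can be combined into policy-as-code checks that run over a provider-neutral asset inventory. The following is an added example written for this page; it is not code from the CSA report or from any cloud provider. The inventory schema, the rule names, the lists of administrative ports and broad roles, and the sample records are all constructed assumptions; a real pipeline would populate the inventory from each provider's asset or configuration export.

```python
"""Policy-as-code misconfiguration checks over a normalized multi-cloud inventory.

Added illustration, not part of the CSA report. Every identifier below
(record fields, rule names, sample resources) is a constructed assumption.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed sets of "sensitive" ports and broad roles; tune to your own policy.
ADMIN_PORTS = {22, 3389, 5985, 5986}            # SSH, RDP, WinRM
BROAD_ADMIN_ROLES = {"roles/owner", "roles/editor", "Owner", "AdministratorAccess"}


@dataclass(frozen=True)
class Finding:
    provider: str
    resource: str
    rule: str
    severity: str


# Constructed sample inventory in a provider-neutral shape. Normalizing first
# lets one rule set cover AWS, Azure and GCP alike (the multi-cloud problem).
INVENTORY = [
    {"provider": "aws", "type": "object_store", "id": "bucket-public-assets",
     "public_read": True, "encryption": "none"},
    {"provider": "aws", "type": "firewall_rule", "id": "sg-ssh-open",
     "port": 22, "source_cidr": "0.0.0.0/0"},
    {"provider": "azure", "type": "firewall_rule", "id": "nsg-rdp-office",
     "port": 3389, "source_cidr": "203.0.113.0/24"},
    {"provider": "gcp", "type": "object_store", "id": "bucket-backups",
     "public_read": False, "encryption": "cmek"},
    {"provider": "gcp", "type": "iam_binding", "id": "sa-ci-owner",
     "role": "roles/owner", "principal": "serviceAccount:ci@example"},
]


def is_world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; any scoped prefix (or junk) is not flagged here."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_object_store(r: dict) -> list:
    out = []
    if r.get("public_read"):
        out.append(Finding(r["provider"], r["id"], "object_store_public_read", "high"))
    if r.get("encryption", "none") == "none":
        out.append(Finding(r["provider"], r["id"], "object_store_unencrypted", "medium"))
    return out


def check_firewall_rule(r: dict) -> list:
    # Only an admin port exposed to the whole internet is a finding;
    # an office range on RDP passes this (coarse) rule.
    if r.get("port") in ADMIN_PORTS and is_world_reachable(r.get("source_cidr", "")):
        return [Finding(r["provider"], r["id"], "admin_port_open_to_world", "high")]
    return []


def check_iam_binding(r: dict) -> list:
    if r.get("role") in BROAD_ADMIN_ROLES:
        return [Finding(r["provider"], r["id"], "broad_admin_role_binding", "high")]
    return []


CHECKS = {
    "object_store": check_object_store,
    "firewall_rule": check_firewall_rule,
    "iam_binding": check_iam_binding,
}


def evaluate(inventory: list) -> list:
    """Run every applicable rule over every record; unknown types are skipped."""
    findings = []
    for r in inventory:
        check = CHECKS.get(r.get("type"))
        if check:
            findings.extend(check(r))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity, e.g. {'high': 3, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


def coverage(inventory: list) -> dict:
    """Resources seen per provider: a cheap visibility check that every provider
    the organization actually uses shows up in the inventory at all."""
    return dict(Counter(r["provider"] for r in inventory))


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity:<6}] {f.provider}:{f.resource}  {f.rule}")
    print("coverage:", coverage(INVENTORY))
```

Two design choices are worth noting. Normalizing each provider's export into one schema before evaluating rules is what makes the same policy apply across a multi-cloud estate, and the `coverage()` report addresses the visibility problem from the other direction: a provider that is in use but absent from the inventory produces zero findings, which is a gap to close rather than a clean result.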
Reference materials for this article:
Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multi-Cloud Environments (2019)