Cloud Services / Security

Organizations Running on More Clouds Less Likely to See Security Threats

3 Jul 2019 1:00pm, by

Confusion about boundaries, whether they are between clouds or geographic locations, can make cloud security challenging. Several approaches aim to address the complexity of managing the security of multiple cloud environments, but one metric actually shows security improvement for organizations with more cloud providers.

Almost 29% organizations that use only one external cloud have an internet-facing host with a high or critical security-related finding, according to RiskRecon and the Cyentia Institute’s “Cloud Risk Surface Report,” which is based on an analysis of 18,000 organizations. Firms with four clouds have on average only one-quarter the exposure rate. Companies utilizing only one or two clouds are likely in the early stages of public cloud adoption. Although common wisdom states that large companies have better security cloud security postures, this study does not support that claim.

Source: RiskRecon and the Cyentia Institute’s “Cloud Risk Surface Report”

High or critical findings are present in 4.7% of hosts running high-value workloads in a cloud provider-hosted environment, but the bulk of workloads face a lower security threat level and are hosted internally. Overall, the study found that on-premises hosts are less likely to have a security finding.

Source: RiskRecon and the Cyentia Institute’s “Cloud Risk Surface Report”

A third of all hosts in the study are in a foreign location, but two-thirds reside on an external network irregardless of its physical location. Using the same data, an earlier analysis looked at internet usage based on both cloud-related and physical boundaries. It found that geography is not destiny but is a continuing obstacle; 94% of the median organization’s internet-facing hosts are located in its home country.

GDPR is a huge concern for organizations moving to the public cloud, and local data protection requirements present many challenges for both enterprises and cloud providers. However, the boundaries defining different clouds are what security and cloud vendors are more focused on.

Confusion and Complexity Concerns in Other Reports

  • Need for a Manager of Managers
    • Monitoring Concerns Hamper Hybrid, Multicloud Deploymentsshows that security and monitoring systems are not optimized to simultaneously track both on-premises and cloud environments.
    • More than half (56%) of cybersecurity and IT professionals believe that security controls provided by a cloud service provider should also support other IaaS/PaaS environments according to a 2018 Enterprise Strategy Group survey.
  • Complexity Angst: 66% of IT decision makers think IT environments are more complex than 2 years ago, according to Enterprise Strategy Group. Although new technology is supposed to make people’s jobs easier, there is often short-term pain involved with its adoption.
  • Demand to Supplement Cloud Providers’ Security: 70% of respondents in the Cloud Security Alliance’s survey use their cloud provider’s native network security controls currently to secure public cloud deployment. 75% of respondent’s in CyberArk’s survey rely on a cloud vendor’s built-in security, but about half of this group believes this does not provide enough protection.
  • Perception Doesn’t Match Reality: According to survey respondents, the average organization believes its employees are using 452 cloud applications, but Symantec’s own data shows that the actual number of “shadow IT” apps is 1,807 (“Adapting to the New Reality of Evolving Cloud Threats”).
  • Cloud Security Architect Is a Real Role
    • Almost half (46%) of survey respondents said they had to dedicate at least one resource to address the challenge of understanding of the differences in the shared responsibility security
      model between different cloud service providers (“Oracle and KPMG Cloud Threat Report 2019”).
    • 41% of respondents in the Oracle/KPMG report have someone in a cloud security architect role. However, there is no standard way to manage this function with 33% of cloud security architects reporting to the CIO and 31% reporting to the CISO.

Cloudless: A Silly Term That Addresses Real Concerns

I started writing this article by researching something called “cloudless” which turns out to be a vendor-coined term that describes an approach to dissolves the distinction between the private cloud and the public cloud. At its core, it promises to abstract away the boundaries that create so many complications for developers, IT operations and security teams. In this context, “cloudless” is a reinterpretation of a hybrid- and multi-cloud utopia. The urgency of realizing this ideal future is up for debate even though the topic continues to be top-of-mind for those working on cloud security challenges.

Cloud access security brokers (CASB) and privileged access management (PAM) are two ways to address some of the challenges associated with multicloud, multilocation IT environments. A zero trust security model also addresses relevant issues with an approach to handling the unique infrastructure and security posture of multiple cloud providers located all across the world.


Twistlock is a sponsor of The New Stack.

Feature Image by lmaresz from Pixabay.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Real.