Survey: DevOps Teams Use too Many Cloud Security Tools
Prisma Cloud from Palo Alto Networks sponsored this article.
Security-related decisions are among the most critical to make during an organization’s shift to cloud native. These choices will largely determine whether your journey is a success, failure — or somewhere in between.
The results of “The State of Cloud Native Security Report 2020,” a major survey by Palo Alto Networks, Amazon Web Services (AWS) and Accenture, reflect how challenging the decision-making process can be.
The 3,000 cloud architecture, InfoSec and DevOps professionals interviewed for the survey, for example, indicated that 42% and 32% agreed or strongly agreed, respectively, that their organizations are actively reducing the number of security solutions that they are using across their cloud native workloads.
These results indicate “many organizations have taken whatever security was available from the cloud platform itself and have, as such, now realized that they have a humongous mess of disparate security systems that don’t really hang together very well,” Clive Longbottom, an analyst for Quocirca, said.
The questions and concerns about cloud native security the report covers will also serve as talking points during Palo Alto Networks’ virtual summit on The State of Cloud Native Security to take place on June 24, 2020.
Security Wake Up Call
The survey was initiated to help DevOp teams gauge whether they are slipping behind in their push to cloud native security compared to competing organizations. Among the key findings, for example, many DevOps and security professionals “think they’re better than they may actually be on their journey,” Mark Rauchwarter, multicloud security lead for Accenture Security, said, who will also speak on a panel at the virtual summit.
Ninety percent of the respondents, for example, agreed or strongly agreed they’ve embedded security into their DevOps practices.
The survey questions were also intended to reveal how well DevOps teams are able to assess the effectiveness of their cloud native security practices. “We’re starting to see some interesting results in that regard,” Rauchwarter said.
While DevSecOps practices and the adoption of cloud native technologies are generally accepted as key elements for agile DevOps, the survey data helps to quantify “how users and customers are actually building, deploying, running and protecting their applications,” Keith Mokris, head of product marketing for Prisma Cloud at Palo Alto Networks, said.
One such quintessential peer-related subject involves the percentage of workloads organizations have ported to the cloud. According to the report, organizations have 45% of their workloads on average on the cloud and expect 65% of their workloads to shift to the cloud during the next 12 to 24 months.
“A lot of people know that this market is taking off when it comes to all this different infrastructure,” Mokris said.
The vast majority of those organizations that have begun to make the cloud native shift rely on DevOps processes and culture for security management. According to the survey, 90% of the respondents agreed or strongly agreed that their organizations have embedded security into their DevOps practices.
“The organization needs to shape culture and internal risk management to support the practices, methods and principles that underpin DevOps,” Fernando Montenegro, an analyst for 451 Research, part of S&P Global Market Intelligence, said. “This may include, but is not limited to, a possible better sharing of responsibilities between security and cloud teams, for example.”
Adopting Practices That Scale
In the survey, technical complexity (40%), maintaining comprehensive security (37%) and compliance (32%) represent the main challenges the respondents’ organizations face when moving workloads to the cloud.
The good news is, strategically, DevOps and DevSecOps can both conclusively and permanently address these challenges, Torsten Volk, an analyst for Enterprise Management Associates (EMA), said. They do so in three distinct ways that enable teams to maintain their security practices, even at scale:
- Centralization: “There can only be a single source of truth when it comes to security and compliance management across data centers and public clouds,” Volk said.
- Declarative automation: “All compliance and security policies need to be automatically applied to the software development and release lifecycle,” Volk said. “This is critical for scalability and it also prevents manual interference that can quickly overwrite pesky build, configuration, test or deployment parameters to get the job done on time. The declarative aspect of automation is key for creating a robust and scalable framework that works independently of the underlying cloud infrastructure.”
- Compliance as code: “Compliance controls need to be codified as much as possible so that they can be consistently applied and updated across DevOps environments and cloud infrastructure,” Volk said. The sad truth is tracking compliance in spreadsheets, PDFs or even scripts will not scale.
In many respects, the security challenges also represent what is at stake if the concerns expressed in the survey results are not addressed. Technical complexity, for example, can “exacerbate risk, particularly in a cloud shared-responsibility model between an organization and their cloud-service provider,” Tim Wade, technical director of the chief technology team at Vectra, said. “Two organizations with potentially vastly different skills, operational cadence, and frankly, incentives, must fit neatly together in security congruence.
“It’s a challenge, but organizations that want to tackle that challenge head-on should ask questions that focus back to the basics,” Wade said. These “basics” consist of maintaining visibility, reliably collecting data to mine for an attacker’s signal, determining risk profiles around important assets and managing risk.
The Security Expert Challenge
The respondents also indicated how DevOps teams may sometimes struggle to acquire the requisite know-how and expertise in-house for their cloud native security practices. Training employees to use security tools (15%) or training employees on safe security practices (11%) were flagged as representing the greatest challenge in providing comprehensive security for cloud workloads. These results reflect how “training employees to use security tools and the technical complexity of the environment become just part of doing business,” 451’s Montenegro said.
As a hypothetical example, Montenegro noted it’s not effective to try forcing a security engineer to learn the nuances of a specific cloud service and also forcing a cloud engineer to learn the ins-and-outs of security. They should both “collaborate on sharing knowledge and practices so that the cloud engineer is responsible for security for that service,” Montenegro said. “However, the security engineer provides the relevant domain knowledge and oversight necessary to make sure the right security posture is maintained.”
Too Many Cooks
The results portend a shift in how teams are adopting cloud native security tooling. The majority of organizations in the survey (60%) rely on six or more vendors to secure their cloud native workloads. At the same time, as mentioned above, 42% and 32% agreed or strongly agreed, respectively, that their organizations are actively reducing the number of security solutions that they are using across their cloud native workloads.
These data points may reflect a general trend organizations are following to simplify security processes for cloud native workloads by reducing tools. But more importantly, they highlight how an organization’s security needs and the tools they require for their cloud native security processes are often very specific to their individual needs.
Every organization has a different way of looking at their cloud native security needs, what kind of security is important for them, and what they need to protect, for example, Rauchwarter said. “There doesn’t tend to be one tool that fits all of the different use cases… But there are definitely new tools out there that have helped to bring in a number of those features,” Rauchwarter said. “So, we would be interested to see if there are potential opportunities for reducing and simplifying the overall security tool landscape.”
However, any organization will certainly always require a separate tool for observability through logging, metrics and tracing, in order to understand how data flows throughout IaaS, PaaS and custom-developed services for their cloud native operations, Jack Mannino, CEO at nVisium, said.
“Employing six or more vendors to secure cloud deployments and operations highlights the number of incomplete point solutions on the market as well as the complexity of securing the entire stack across single and multicloud implementations,” Mannino said. “Organizations often buy a full product for a single feature, leading to redundancy within security product portfolios. With the number of technologies supported across cloud providers, it is arguably infeasible for a single solution to cover all things security.”
Organizations also typically have an initial group of applications they may migrate for security when they make the shift to cloud native, Mokris said.
“But then as you start moving to other architectures, maybe you start to shift some of your toolkits. That can really lead to piling on a lot of tools, which can create some good opportunities and then also some challenges,” Mokris said.
Ultimately, as the survey results indicate, organizations seek to prevent “the entropy that originates from operating cloud and application-specific security solutions,” Volk said. “A single source of truth is key if you want to sleep well at night and enjoy your weekend.”
Join Prisma Cloud by Palo Alto Networks June 24 at 9:00 AM PDT at the The State of Cloud Native Security virtual summit for a full discussion of the “The State of Cloud Native Security Report” and other topics relevant to your organization’s digital journey. The summit will feature a panel session hosted by The New Stack’s Founder and Publisher Alex Williams, with security thought leaders from AWS, Accenture and Prisma Cloud by Palo Alto Networks.
Amazon Web Services (AWS) is a sponsor of The New Stack.
Feature image via Pixabay.