Survey of IT leaders reveals the challenges of cloud security
The role of the IT is shifting as IT departments transition from building and maintaining technology to brokering the procurement and management of external services. At the same time, the threat landscape is evolving rapidly with more frequent and sophisticated attacks.
As organizations increase their use of public cloud infrastructure, concern about security is a major barrier to successfully utilizing the cloud. Organizations are looking to new solutions to secure cloud services, including SaaS, IaaS, and PaaS. We asked IT leaders which security functions are most important to extend to data stored in cloud services, and what challenges they encounter in attempting to gain visibility and control over data as the perimeter erodes. We also explored how recent trends in IT security are shaping IT security budgets, new skills required to be effective, and how organizations plan to develop or acquire these new skills
IT security budgets
With today’s security challenges, most companies are either increasing or maintaining their security budget. IT security budgets increased or remained flat for 92.5% of companies in the past 12 months and a slightly higher percentage (94.3%) expect their budgets to increase or stay flat in the next 12 months. Nearly half of companies increased their investments in IT security in the past year (44.5%) and a majority (53.7%) expect to increase their investments going forward. Of companies that experienced a higher IT security budget, 82.2% expect their budget to increase again in the next 12 months. For companies who maintained a flat IT security budget in the prior 12 months, near one third (32.7%) expect their budgets to increase this year.
While it’s not uncommon for IT professionals to complain that they need more budget to accomplish business objectives, IT budgets have not been reported to be a significant barrier to effectively stopping security incidents. The most popular idea (37.1% of respondents) is to increase hiring of junior IT professionals and invest in training them. That’s followed by increased training of existing security teams (32.3%) and a longer term program of increasing the number of collegiate majors focused on security (18.3%) to fill the applicant pipeline in future years and decades. The least popular idea is outsourcing work overseas.
Overcoming skills shortage
The most popular response to dealing with the skills shortage among individual contributors (38.1% of respondents) is to increase training for existing IT security workers. For IT executives and mid-level managers, the most popular response is to increase hiring of junior IT professionals. Everyone agreed that offshoring IT security work overseas is not viewed as an effective solution.
Most important IT skills
When asked which IT skills are needed in this new environment, 80.4% of IT professionals responded that managing an incident response would be somewhat more important or much more important in the next five years. Another 74.7% of respondents said experience with very large datasets would increase in importance while 66.4% said that communication with non-IT departments and executives would grow in importance.
Enterprises are increasingly relying on public cloud infrastructure providers such as Amazon, Microsoft, and Google for their computing resources, rather than managing their own data centers.
Rise of hybrid clouds
45.1% of organizations have a “hybrid cloud” philosophy, 25.1% prefer private cloud, and 21.5% lean towards public cloud approach. Just 8.2% of enterprises have a “no cloud” philosophy.
Today, 31.2% of an enterprise’s computing resources come from infrastructure as a service (IaaS) providers. IT professionals expect that number to rapidly grow to 41.0% of computing workloads in the next 12 months.
The IaaS triumvirate
While Amazon continues its dominance of the IaaS market, Microsoft is closing the gap in market share. IT professionals at 37.1% of companies indicated that Amazon AWS is the most popular IaaS platform at their organization. Microsoft Azure is a close second, at 28.4% followed by Google Cloud Platform at 16.5%.
IaaS adoption trends
Companies with a “public cloud” philosophy expect a majority of their computing (56.5%) will reside in the public cloud 12 months from now, an 18.2% increase from today. Even companies with a “no cloud” philosophy estimate that 14.6% of their computing nevertheless resides in the public cloud, and they expect that number will grow to 18.8% in the next 12 months. There is a sizable amount of computing in public cloud IaaS even for organizations that are philosophically opposed to cloud.
Barriers to IaaS projects
The most common barrier reported by IT professionals is concern about the security of the IaaS platform itself (62.1% of respondents), followed by a lack of ability to secure applications deployed on IaaS platforms (40.5%), followed by concerns of complying with data privacy laws (37.9%).
The role of the cloud service provider in cloud security
Though cloud providers continue to introduce new security capabilities, when it comes to securing data in cloud applications, 66.9% of IT professionals believe it is important to maintain a separation of duties between the application provider and the security provider.
The platform approach to cloud security
56.7% IT professionals prefer to use a single cross-cloud security platform provider to secure data in cloud applications for all of their organization’s applications.
Alternative approach to cloud security
Only 38.0% of organizations prefer an approach that involves managing security independently within each cloud application in use at the organization.
Cloud Access Security Broker adoption
The cloud access security broker (CASB) is the technology that companies use when they look for a central way to secure their data in cloud services. CASB technology has reached an inflection point. Today, 10.5% of companies use a CASB. Another 12.7% have immediate plans to deploy a CASB in the next 12 months, thereby doubling CASB usage.
A CASB is not the only security technology that generates alerts. Nearly one in five organizations today have more than 10 security tools in use that generate alerts. As more security tools generate more alerts, it is becoming challenging for IT organizations to keep up. In the Target breach, the company used a security tool that correctly alerted them but it was ignored.
Alert fatigue is a common complaint among IT security professionals, and 40.4% say that the alerts they receive lack actionable information they need to investigate, and 31.9% report that they ignore alerts sometimes because there are so many false positives that incorrectly flag behavior that does not turn out to be a security incident. Another 27.7% say their organization experiences incidents for which there was no alert from a security tool.
The challenge with endpoint agents
Another common challenge reported by IT professionals is endpoint agents. The problem is multi-faceted. Due to the challenges of rolling out agent software on thousands of corporate-owned and employee devices with many operating systems, organizations today have procured endpoint agent-based security solutions but have only partially deployed them and have solutions they have procured but never deployed.
Among IT professionals who have been involved in an agent deployment, 100% have experienced at least one significant issue and 52.8% would characterize the prospect of rolling out a new agent to devices as “difficult”. Just 11.1% say the rollout would be easy. When asked about the challenges they have faced, 63.6% report that they have experienced slower device performance and 44.3% have had challenges with device and driver conflicts that break device functionality.
Lastly, another barrier faced by 36.4% of IT professionals rolling out endpoint agents is user privacy and liability on personal devices. Taken together, IT professionals themselves are hesitant to roll out a corporate endpoint agent on their own devices. When asked if they would personally want a new agent-based security solution installed on their mobile device, 41.0% of IT professionals said no. Another 26.5% said they would install it, but only because their company required it.