Cloud Use Increases Attack Surface, But Security Not Keeping Up

JMH (Emeritus, Contributor; joined Apr 2, 2012; 7,197 posts)
Moving workloads to the cloud dramatically increases an organization's attackable surface area, which is causing a headache for IT departments because security hiring has not kept up with demand, according to a new survey.

The research was carried out by CloudPassage at this year’s Black Hat security conference, held in Las Vegas.

An overwhelming number of respondents (94%) said that moving from a traditional data center environment to a cloud-based infrastructure increases the number of server workloads, and therefore the attackable surface area, by a factor of two to 100 times.

And these additional server workloads are much more demanding than traditional, on-premises workloads—the survey found that 95% of respondents have to create, modify or retire server workloads anywhere from two to 100 times more frequently when in the cloud.

Despite this increase in workloads and the requirements around them, and the additional security risks they present, IT teams are not getting any extra support. In fact, 85% of respondents say their IT security team hiring has not kept pace with requirements. This is potentially leaving businesses at risk from cyber attacks.

“Adopting cloud infrastructure and agile application delivery creates exponential growth in server workloads, meaning more potentially attackable surface area and more security management overhead,” said Carson Sweet, co-founder and chief technology officer of CloudPassage. “While organizations have started to understand that cloud infrastructure can deliver faster development, deployment, and innovation cycles, many are not thinking about the related impact to security operations.”

Source: Cloud Use Increases Attack Surface, But Security Not Keeping Up - Infosecurity Magazine
What a bunch of malarkey! When I was a consultant for a major IT development company, we strongly urged our government and private/corporate clients to "invest" in OPSEC and InfoSec with a simple 6-step plan.
  1. Identify sensitive information - to include EEFIs, Essential Elements of Friendly Information,
  2. Analyze threats,
  3. Analyze weaknesses and identify vulnerabilities,
  4. Assess the risks,
  5. Apply countermeasures to include recurring employee and customer training,
  6. Repeat steps 1 - 5 at least quarterly.
However, these plans take money to fund development, staffing, execution, and maintenance. If the bean counters don't see any profit/returns on those investments, they stick their heads in the sand and ignore the advice. So it is not that they don't think about it, it is that they choose to pretend it is not needed - until they are hacked. Then they blame the underfunded, understaffed IT department for failing to stop the attack.

So if you are in IT and in any way responsible for IT security, do what we did - document, document, document your warnings and reports on security and staffing needs to cover your a$$. Then apply those OPSEC and InfoSec measures to that documentation for your own job security when the CIO and those bean counters come looking for someone else to blame instead of pointing their fingers at themselves.

And if you have a business, especially one that maintains any type of customer information, listen to your IT people and heed their advice.