Cloud Use Increases Attack Surface, But Security Not Keeping Up

Moving workloads to the cloud dramatically increases an organization's attackable surface area, which is causing a headache for IT departments because security hiring has not kept up with demand, according to a new survey.

The research was carried out by CloudPassage at this year’s Black Hat security conference, held in Las Vegas. 

An overwhelming number of respondents (94%) said that moving from a traditional data center environment to a cloud-based infrastructure increases the number of server workloads, and therefore the attackable surface area, by a factor of two to 100 times. 

And these additional server workloads are much more demanding than traditional, on-premises workloads—the survey found that 95% of respondents have to create, modify or retire server workloads anywhere from two to 100 times more frequently when in the cloud.

Despite this increase in workloads and the requirements around them, and the additional security risks they present, IT teams are not getting any extra support. In fact, 85% of respondents say their IT security team hiring has not kept pace with requirements. This is potentially leaving businesses at risk from cyber attacks.

“Adopting cloud infrastructure and agile application delivery creates exponential growth in server workloads, meaning more potentially attackable surface area and more security management overhead,” said Carson Sweet, co-founder and chief technology officer of CloudPassage.

“At the same time, organizations rarely increase the size of their security teams at all, much less enough to keep up with the higher scale and pace. While organizations have started to understand that cloud infrastructure can deliver faster development, deployment, and innovation cycles, many are not thinking about the related impact to security operations,” Sweet added. “It only takes one compromise to derail adoption of these new technologies and wreck the value they otherwise could have added.”

The survey also revealed that many businesses are not taking advantage of automation tools. Just 28% of respondents said they use a full suite of tools that enable them to secure and audit cloud server workloads automatically when configuring and deploying them. Just over one-third of respondents said they use “some” security automation tools for configuration and deployment, while 35% use nothing.
