Cloud-Native Businesses Struggle With Security

More companies moved to cloud-native infrastructure in the past year, and security incidents and malware moved right along with them.

Companies increasingly moved their applications and infrastructure to the cloud in the past year, but not without major concerns about security.

Almost 60% of companies said they are more worried about security since moving to cloud-native technologies — four times as many as those that said they worry less, according to a survey published last week by security firm Snyk. The companies' concerns are likely due to experience: more than 56% of firms indicated they dealt with a security incident caused by misconfiguration or an unpatched vulnerability, Snyk states in its "State of Cloud Native Application Security" report.

The two types of events don't mean the companies are less secure following the move to the cloud, but that they are detecting — and, in most cases, quickly mitigating — more security issues, says Guy Podjarny, founder and president of Snyk.

"There have been more of these incidents because environments are more messy, but companies correctly perceive that these are areas that need attention, so their concerns are aligning well with the actual threats," he says. "It's more about what I call security hygiene, about keeping the windows locked and doors shut."

The necessity of scaling up remotely accessible infrastructure during the pandemic has given impetus to companies' digital transformations, with many companies moving from the early planning stages to an accelerated rollout of cloud infrastructure during the past year.

Rather than use on-premise applications and systems that are remotely accessible, companies have moved to cloud-native applications and infrastructure. Cloud-native technologies use cloud-based infrastructure — such as containers, microservices, and APIs — to improve businesses' scalability and agility and are considered key to digital transformation.

Companies that had high cloud adoption tended to encounter more incidents of specific types compared with companies that had not moved as many business and development processes to the cloud, according to the Snyk report. High cloud adoption firms tended to see more incidents of misconfiguration (50%), known unpatched vulnerabilities (45%), failed audits (21%), and secrets leaks (18%), compared with organizations with low cloud adoption, which tended to have higher incidences of malware (14%) or, in many cases, did not detect any security incidents (21%).

"Adoption of cloud native technologies will undoubtedly change the security posture of [an organization's] overall application," Snyk states in the report. "While the core security principles remain constant, as with all emerging ecosystems the best practices are still being defined, driving fresh concern as teams navigate through unfamiliar landscapes."

Along with businesses, attackers have focused on cloud technologies as well, with malware arriving from cloud applications — such as storage, cloud e-mail services, and software download services — increasing by nearly a third and accounting for 62% of all malware downloads in Q1 2021, according to a separate, recent report from cloud-application service provider Netskope. That's up from 48% of downloads in the same quarter the previous year. 

While most malware downloaded from the Web consists of executable files, malware downloaded from cloud apps is more varied, with executable files and archives accounting for about a quarter of the total each, and Office documents accounting for almost 16%, according to Netskope.

"The rise in the popularity of cloud apps as a channel for cybercriminals to deliver malware is a result of the overall rise in popularity of cloud apps—cybercriminals go wherever their victims are," the Netskope report states.

Snyk did not conclude that companies with more cloud-native technologies are less secure, but that they are more aware of security incidents because they have greater visibility. While only a third of all companies had an entirely automated development pipeline, 42% of cloud-native companies had moved to total automation. 

"The data in the report is showing ... that the teams with higher cloud adoption actually have better automation and they are far more likely to find and fix critical issues in a much, much faster period of time," Podjarny says. "Their concerns are around this new reality — empowering their workers and working with independent teams — and they worry that more of them will slip, but still their ability to respond is much faster."

One interesting finding is that developers are more likely to want to take on security responsibilities than security teams are ready to give up those responsibilities, Podjarny says. Three times as many developers as security pros — 36% — claimed responsibility for security, with only 13% assigning responsibility to the IT security team. However, only 10% of respondents in security roles assigned security to developers, compared with 31% assigning responsibility to the security team. 

Among both types of survey respondents, the majority — 31% of developers and 33% of security members — considered security to be the responsibility of the DevOps or DevSecOps team.

It is more about who is ready to address the problems, Podjarny says. 

"There is a cynical view that developers do not care about security, but the data shows that the developers are far more ready to accept security responsibility," he says. "Companies have scanning technology, but developers need to be the ones to run it, and security teams need to let go."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...