Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud-Native Businesses Struggle With Security

More companies moved to cloud-native infrastructure in the past year, and security incidents and malware moved right along with them.

Companies increasingly moved their applications and infrastructure to the cloud in the past year, but not without major concerns about security.

Almost 60% of companies said they are more worried about security since moving to cloud-native technologies — four times greater than those that said they worry less, according to a survey published last week by security firm Snyk. The companies' concerns are likely due to experience, with more than 56% of firms indicating they dealt with a security incident caused by misconfiguration or an unpatched vulnerability, Snyk states in its "State of Cloud Native Application Security" report.

The two types of events don't mean the companies are less secure following the move to the cloud, but that they are detecting — and, in most cases, quickly mitigating — more security issues, says Guy Podjarny, founder and president of Snyk.

"There have been more of these incidents because environments are more messy, but companies correctly perceive that these are areas that need attention, so their concerns are aligning well with the actual threats," he says. "It's more about what I call security hygiene, about keeping the windows locked and doors shut."

The necessity of scaling up remotely accessible infrastructure during the pandemic has given impetus to companies' digital transformations, with many companies moving from the early planning stages to an accelerated rollout of cloud infrastructure during the past year.

Rather than use on-premise applications and systems that are remotely accessible, companies have moved to cloud-native applications and infrastructure. Cloud-native technologies use cloud-based infrastructure — such as containers, microservices, and APIs — to improve businesses' scalability and agility and are considered key to digital transformation.

Companies that had high cloud adoption tended to encounter more incidents of specific types compared with companies that had not moved as many business and development processes to the cloud, according to the Snyk report. High cloud adoption firms tended to see more incidents of misconfiguration (50%), known unpatched vulnerabilities (45%), failed audits (21%), and secrets leaks (18%), compared with organizations with low cloud adoption, which tended to have higher incidences of malware (14%) or, in many cases, did not detect any security incidents (21%).

"Adoption of cloud native technologies will undoubtedly change the security posture of [an organization's] overall application," Snyk states in the report. "While the core security principles remain constant, as with all emerging ecosystems the best practices are still being defined, driving fresh concern as teams navigate through unfamiliar landscapes."

Along with businesses, attackers have focused on cloud technologies as well, with malware arriving from cloud applications — such as storage, cloud e-mail services, and software download services — increasing by nearly a third and accounting for 62% of all malware downloads in Q1 2021, according to a separate, recent report from cloud-application service provider Netskope. That's up from 48% of downloads in the same quarter the previous year. 

While most malware downloaded from the Web consists of executable files, malware downloaded from cloud apps is more varied, with executable files and archives accounting for about a quarter of the total each, and Office documents accounting for almost 16%, according to Netskope.

"The rise in the popularity of cloud apps as a channel for cybercriminals to deliver malware is a result of the overall rise in popularity of cloud apps—cybercriminals go wherever their victims are," the Netskope report states.

Snyk did not conclude that companies with more cloud-native technologies are less secure, but that they are more aware of security incidents because they have greater visibility. While only a third of all companies had an entirely automated development pipeline, 42% of cloud-native companies had moved to total automation. 

"The data in the report is showing ... that the teams with higher cloud adoption actually have better automation and they are far more likely to find and fix critical issues in a much, much faster period of time," Podjarny says. "Their concerns are around this new reality — empowering their workers and working with independent teams — and they worry that more of them will slip, but still their ability to respond is much faster."

One interesting finding is that developers are more likely to want to take on security responsibilities than security teams are ready to give up those responsibilities, Podjarny says. Three times as many developers as security pros — 36% — claimed responsibility for security, with only 13% assigning responsibility to the IT security team. However, only 10% of respondents in security roles assigned security to developers, compared with 31% assigning responsibility to the security team. 

Among both types of survey respondents, the majority — 31% of developers and 33% of security members — considered security to be the responsibility of the DevOps or DevSecOps team.

It is more about who is ready to address the problems, Podjarny says. 

"There is a cynical view that developers do not care about security, but the data shows that the developers are far more ready to accept security responsibility," he says. "Companies have scanning technology, but developers need to be the ones to run it, and security teams need to let go."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...