Few IT pros say they have ‘mastered’ security in cloud-native environments

A security logo is shown on screen during a keynote address at the Consumer Electronics Show on Jan. 7, 2016, in Las Vegas. (Photo by Ethan Miller/Getty Images)

Recent research by Canonical showed that 38% of respondents believe that security remains the most important consideration whether operating Kubernetes, building container images or defining an edge strategy.

Clearly, the industry has some work to do on security while managing Kubernetes, as only 13.5% reported that they’ve “mastered” security in cloud-native environments.

The term “cloud security” has become so broad that unless we peel back the onion, it’s impossible to gauge an organization’s cybersecurity readiness, said John Yun, vice president, product strategy at ColorTokens.

Yun said many organizations focus simply on protecting VMs in the cloud, but it's clear that the industry needs a comprehensive approach. They need to execute on a strategy that supports hybrid environments as well as cloud-native ones, without having to work with different security providers, which further extends the security gap between the environments.

“While many predicted an increase in cloud adoption, only a few would have expected the rate we are witnessing today,” Yun said. “It's hard to find too many organizations that do not have some form of hybrid environment today. Cybersecurity solutions that can easily extend from on-premise to hybrid environments while maintaining their compliance requirements, initiatives such as zero-trust security, and micro-segmentations, are in very high demand. It all points to the significant growth of hybrid environments.”

Jerrod Piker, competitive intelligence analyst at Deep Instinct, added that once people understand the nuances of each public, private and hybrid cloud provider's offerings, they must also understand how the resources communicate with each other and the outside world. On top of that, Piker said security teams must know how this relates to DevOps as well: the coding and building of cloud-based applications and containers.

“It could take several years just to learn all there is to know about cloud computing,” Piker said. “For this reason, there are not many who have mastered cloud computing, let alone cloud security. Make no mistake, cloud security is a whole new brand, and it does not resemble traditional network or endpoint security in many ways.”

Davis McCarthy, principal security researcher at Valtix, said fewer than 200 of the 1,300 respondents said they were masters in cloud security. While that is frighteningly low, a look at the respondents' professional roles shows that less than 5% are in a security role.

“A developer is not a security practitioner by trade,” McCarthy said. “They might know how to write secure code, but it does not mean they are well-versed in concepts like attack surface identification, zero trust, or defense-in-depth. Because the need for cloud-native security tools is linear to the enterprise dependence on cloud-native workloads, security professionals need to get cloudy, while the users need to be steeped in security.”