Cloud Security

‘One of the key issues is a lack of experience’: Security teams struggle amid shift to cloud

Seen here, a light artwork called Cloud at a light festival in Durham, England. (Photo by Ian Forsyth/Getty Images)

Most organizations know that cloud computing will comprise the majority of their future business-technology systems. The problem is they’re not quite sure what that looks like yet.

And while many organiza­tions are a decade or more into getting their feet wet with cloud, they’re still trying to figure out how to manage and secure these systems, according to findings of a survey of security leaders conducted by CRA Business Intelligence. Indeed, as cloud-based assets/workloads increase, 50% of respondents were very concerned about their ability to secure their cloud systems, with 72% “extremely” or “very concerned.”

Click here to download the full report.

The data and insights in CRA’s new cloud report are based on an online survey con­ducted by CRA Business Intelligence in April 2022 among 303 security leaders and practitioners in the U.S. The survey was sponsored by Invicti and Bishop Fox.

Among the themes that emerged from the findings was a sense that organizations are still trying to assess security strategies even as transitions take place, often learning lessons from incidents that occur in the process.

“Attackers from outside our organization breached our cloud and tried to steal sensitive information about developing products,” said one respondent. “We stopped the attack by shutting down the server, reconfiguring the firewall, and replacing all the tokens.”

Here are some other high-level findings:

  • Cloud attacks on the rise. Thirty-seven percent of respondents reported their organization expe­rienced one or more cloud-based attacks or breaches in the last two years. On average, victims experienced an average of four cloud-based attacks since 2020.
  • Workloads in the cloud are growing. The number of cloud assets/workloads has grown among companies, with 55% of respondents running up to 50 assets/workloads in the public cloud and 56% putting up to 50 assets on hosted clouds, or about an average of 66 assets in either public or hosted clouds.
  • Companies face similar security concerns. When it comes to the top data security concerns in the cloud, respon­dents cite the following: lack of detection/response, compromised users, misconfiguration, and inability to monitor changes within cloud environments.

Public clouds most prone to attacks

Although 38% of respondents say their organization suffered a cloud attack or breach in the past two years, many report they were compromised on both their hosted and public cloud environments. The vast majority (84%) experienced attacks on their public cloud and 56% were impacted in their hosted cloud environments.

According to Top Threats to Cloud Computing from the Cloud Security Alliance, cloud attacks are largely caused by the lack of visibility and control into hosted and public clouds, including misconfigurations, poor change control, lack of strategic cloud security architecture, and a weak control plane. Others are tied to identity man­agement problems, such as account highjacking and insufficient identity, credential, and access/key management.

“I think one of the key issues is a lack of experience and knowledge for the internal teams,” said another respondent. “We have to rely on the expertise of consultants and then attempt to build our own skillsets through new hires or on-hand experience.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.