Cloud Security Study – The Good and Bad News for DevOps
June 10, 2016

Lilac Schoenbeck
Iland

IT teams are under more pressure than ever before, as they are increasingly forced to do more with less. Sound familiar? I've heard it for years, and it will likely play on an endless loop for many more. This dynamic helped give rise to the concept of DevOps, calling for teams to innovate at breakneck speeds while maintaining operational integrity.

In the face of emerging and increasingly frequent cyber threats, DevOps is evolving into DevSecOps, where security is the responsibility of every individual and engrained throughout the development process. While the concept is sound, making it a reality is going to take work.

At a fundamental level, we must take a hard look at current IT security strategies. A study conducted by leading analyst firm Enterprise Management Associates and commissioned by iland does just that, focusing specifically on cloud security. The report is entitled Blind Trust in Not a Security Strategy: Lessons from Cloud Adopters.

The study polled experienced cloud infrastructure and Disaster-Recovery-as-a-Service customers throughout North America. The results? In short – there is good news and bad news.

Let's talk about the good first:

■ Cloud has grown up and its benefits are clear. The argument no longer focuses on whether cloud should be adopted, it's about how to implement it correctly. As such, teams are focused on fortifying environments with significantly more tools than are used on-premise. In fact, 48% more security technologies are deployed in the cloud than on-premise. In light of that, it's no surprise that "security features" now tops the list of priorities companies consider when selecting a cloud provider, ahead of performance, reliability, management tools and cost.

■ IT sees cloud as an opportunity to improve security, enabling teams to leverage technology they previously did not use. After all, it's generally easier to deploy and update security technologies in the cloud than on-premise – 55 percent of respondents said cloud uses superior technology to on-premise, and 56 percent indicated that security technology is more consistently applied in cloud.

Driving the point home, when asked why they had not deployed specific security features in the cloud, respondents of the EMA survey indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was unnecessary.

■ Perhaps most promising, Business and IT finally agree that security should come before speed. For example, respondents indicated IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and Business agrees in a nearly 3 to 1 margin. This reduced friction should pave the way for DevSecOps, as teams begin to treat each other as allies instead of problems.

But again, there's definitely room for improvement:

■ Too many cloud security strategies rest on blind trust. In fact, EMA found 47% of security personnel reported they "simply trust" their cloud providers are delivering on security agreements, rather than verify it independently or through a third party. It's important for companies to trust, but verify. Don't fall too hard for a provider's marketing, assortment of compliance logos or brand. 

■ Overall, respondents called for more assistance from their cloud providers when it comes to integrating security technology (52%), improving security reporting (49%) and improving security analytics (44%). Be sure to check out these capabilities when evaluating cloud providers. Ask for a demo and get a clear understanding of what level of support is included with the service and what costs extra.

■ There is a significant gap in IT's understanding of compliance requirements and related workloads. While 96% of security professionals acknowledge their organizations have compliance related workloads in the cloud, only 69% of IT teams identified the same. The reality is most organizations have workloads subject to corporate and/or industry compliance.

The apparent gap uncovered by the EMA study could lead to exposures for the organization if IT were to place a compliance-related workload into a non-compliant cloud provider. So what is the lesson? Again, don't put all of your faith into the compliance logos thrown onto a provider's website. Verify certificates and ask if you can speak to their compliance team. These steps give folks of all experience levels a head start in avoiding compliance pitfalls in the cloud.

In the end, it doesn't matter how innovative or nimble you are if your security is lacking. While Business and IT have made great strides in prioritizing and addressing the issues, there is work to be done. In the face of staffing shortages, resource restrictions and shrinking deadlines, teams must be able to rely on cloud providers to take on more of the heavy lifting. But they must be smart about it, resisting the temptation to blindly trust and finger point.

Lilac Schoenbeck is VP of Product Management and Marketing at iland.

Share this

Industry News

October 03, 2024

Check Point® Software Technologies Ltd. announced its position as a leader in The Forrester Wave™: Enterprise Firewalls, Q4 2024 report.

October 03, 2024

Sonar announced two new product capabilities for today’s AI-driven software development ecosystem.

October 03, 2024

Redgate announced a wide range of product updates supporting multiple database management systems (DBMS) across its entire portfolio, designed to support IT professionals grappling with today’s complex database landscape.

October 03, 2024

Elastic announced support for Google Cloud’s Vertex AI platform in the Elasticsearch Open Inference API and Playground.

October 02, 2024

Progress announced the recipients of its 2024 Women in STEM Scholarship Series.

October 02, 2024

SmartBear has integrated the load testing engine of LoadNinja into its automated testing tool, TestComplete.

October 01, 2024

Check Point® Software Technologies Ltd. announced the completion of its acquisition of Cyberint Technologies Ltd., a highly innovative provider of external risk management solutions.

October 01, 2024

Lucid Software announced a robust set of new capabilities aimed at elevating agile workflows for both team-level and program-level planning.

October 01, 2024

Perforce Software announced the Hadoop Service Bundle, a new professional services and support offering from OpenLogic by Perforce.

October 01, 2024

CyberArk announced the successful completion of its acquisition of Venafi, a provider of machine identity management, from Thoma Bravo.

October 01, 2024

Inflectra announced the launch of its AI-powered SpiraApps.

October 01, 2024

The former Synopsys Software Integrity Group has rebranded as Black Duck® Software, a newly independent application security company.

September 30, 2024

Check Point® Software Technologies Ltd. announced that it has been recognized as a Visionary in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms.

September 30, 2024

Harness expanded its strategic partnership with Google Cloud, focusing on new integrations leveraging generative AI technologies.

September 30, 2024

OKX announced the launch of OKX OS, an onchain infrastructure suite.