Cloud Security Study – The Good and Bad News for DevOps
June 10, 2016

Lilac Schoenbeck
Iland

IT teams are under more pressure than ever before, as they are increasingly forced to do more with less. Sound familiar? I've heard it for years, and it will likely play on an endless loop for many more. This dynamic helped give rise to the concept of DevOps, calling for teams to innovate at breakneck speeds while maintaining operational integrity.

In the face of emerging and increasingly frequent cyber threats, DevOps is evolving into DevSecOps, where security is the responsibility of every individual and engrained throughout the development process. While the concept is sound, making it a reality is going to take work.

At a fundamental level, we must take a hard look at current IT security strategies. A study conducted by leading analyst firm Enterprise Management Associates and commissioned by iland does just that, focusing specifically on cloud security. The report is entitled Blind Trust in Not a Security Strategy: Lessons from Cloud Adopters.

The study polled experienced cloud infrastructure and Disaster-Recovery-as-a-Service customers throughout North America. The results? In short – there is good news and bad news.

Let's talk about the good first:

■ Cloud has grown up and its benefits are clear. The argument no longer focuses on whether cloud should be adopted, it's about how to implement it correctly. As such, teams are focused on fortifying environments with significantly more tools than are used on-premise. In fact, 48% more security technologies are deployed in the cloud than on-premise. In light of that, it's no surprise that "security features" now tops the list of priorities companies consider when selecting a cloud provider, ahead of performance, reliability, management tools and cost.

■ IT sees cloud as an opportunity to improve security, enabling teams to leverage technology they previously did not use. After all, it's generally easier to deploy and update security technologies in the cloud than on-premise – 55 percent of respondents said cloud uses superior technology to on-premise, and 56 percent indicated that security technology is more consistently applied in cloud.

Driving the point home, when asked why they had not deployed specific security features in the cloud, respondents of the EMA survey indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was unnecessary.

■ Perhaps most promising, Business and IT finally agree that security should come before speed. For example, respondents indicated IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and Business agrees in a nearly 3 to 1 margin. This reduced friction should pave the way for DevSecOps, as teams begin to treat each other as allies instead of problems.

But again, there's definitely room for improvement:

■ Too many cloud security strategies rest on blind trust. In fact, EMA found 47% of security personnel reported they "simply trust" their cloud providers are delivering on security agreements, rather than verify it independently or through a third party. It's important for companies to trust, but verify. Don't fall too hard for a provider's marketing, assortment of compliance logos or brand. 

■ Overall, respondents called for more assistance from their cloud providers when it comes to integrating security technology (52%), improving security reporting (49%) and improving security analytics (44%). Be sure to check out these capabilities when evaluating cloud providers. Ask for a demo and get a clear understanding of what level of support is included with the service and what costs extra.

■ There is a significant gap in IT's understanding of compliance requirements and related workloads. While 96% of security professionals acknowledge their organizations have compliance related workloads in the cloud, only 69% of IT teams identified the same. The reality is most organizations have workloads subject to corporate and/or industry compliance.

The apparent gap uncovered by the EMA study could lead to exposures for the organization if IT were to place a compliance-related workload into a non-compliant cloud provider. So what is the lesson? Again, don't put all of your faith into the compliance logos thrown onto a provider's website. Verify certificates and ask if you can speak to their compliance team. These steps give folks of all experience levels a head start in avoiding compliance pitfalls in the cloud.

In the end, it doesn't matter how innovative or nimble you are if your security is lacking. While Business and IT have made great strides in prioritizing and addressing the issues, there is work to be done. In the face of staffing shortages, resource restrictions and shrinking deadlines, teams must be able to rely on cloud providers to take on more of the heavy lifting. But they must be smart about it, resisting the temptation to blindly trust and finger point.

Lilac Schoenbeck is VP of Product Management and Marketing at iland.

Share this

Industry News

February 02, 2023

Red Hat announced a multi-stage alliance to offer customers a greater choice of operating systems to run on Oracle Cloud Infrastructure (OCI).

February 02, 2023

Snow Software announced a new global partner program designed to enable partners to support customers as they face complex market challenges around managing cost and mitigating risk, while delivering value more efficiently and effectively with Snow.

February 02, 2023

Contrast Security announced the launch of its new partner program, the Security Innovation Alliance (SIA), which is a global ecosystem of system integrators (SIs), cloud, channel and technology alliances.

February 01, 2023

Red Hat introduced new security and compliance capabilities for the Red Hat OpenShift enterprise Kubernetes platform.

February 01, 2023

Jetpack.io formally launched with Devbox Cloud, a managed service offering for Devbox.

February 01, 2023

Jellyfish launched Life Cycle Explorer, a new solution that identifies bottlenecks in the life cycle of engineering work to help teams adapt workflow processes and more effectively deliver value to customers.

January 31, 2023

Ably announced the Ably Terraform provider.

January 31, 2023

Checkmarx announced the immediate availability of Supply Chain Threat Intelligence, which delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, malicious behavior and more.

January 31, 2023

Qualys announced its new GovCloud platform along with the achievement of FedRAMP Ready status at the High impact level, from the Federal Risk and Authorization Management Program (FedRAMP).

January 30, 2023

F5 announced the general availability of F5 NGINXaaS for Azure, an integrated solution co-developed by F5 and Microsoft that empowers enterprises to deliver secure, high-performance applications in the cloud.

January 30, 2023

Tenable announced Tenable Ventures, a corporate investment program.

January 26, 2023

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available.

January 26, 2023

Mirantis, freeing developers to create their most valuable code, today announced that it has acquired the Santa Clara, California-based Shipa to add automated application discovery, operations, security, and observability to the Lens Kubernetes Platform.

January 25, 2023

SmartBear has integrated the powerful contract testing capabilities of PactFlow with SwaggerHub.

January 25, 2023

Venafi introduced TLS Protect for Kubernetes.