Cloud Security Study – The Good and Bad News for DevOps
June 10, 2016

Lilac Schoenbeck
Iland

IT teams are under more pressure than ever before, as they are increasingly forced to do more with less. Sound familiar? I've heard it for years, and it will likely play on an endless loop for many more. This dynamic helped give rise to the concept of DevOps, calling for teams to innovate at breakneck speeds while maintaining operational integrity.

In the face of emerging and increasingly frequent cyber threats, DevOps is evolving into DevSecOps, where security is the responsibility of every individual and engrained throughout the development process. While the concept is sound, making it a reality is going to take work.

At a fundamental level, we must take a hard look at current IT security strategies. A study conducted by leading analyst firm Enterprise Management Associates and commissioned by iland does just that, focusing specifically on cloud security. The report is entitled Blind Trust in Not a Security Strategy: Lessons from Cloud Adopters.

The study polled experienced cloud infrastructure and Disaster-Recovery-as-a-Service customers throughout North America. The results? In short – there is good news and bad news.

Let's talk about the good first:

■ Cloud has grown up and its benefits are clear. The argument no longer focuses on whether cloud should be adopted, it's about how to implement it correctly. As such, teams are focused on fortifying environments with significantly more tools than are used on-premise. In fact, 48% more security technologies are deployed in the cloud than on-premise. In light of that, it's no surprise that "security features" now tops the list of priorities companies consider when selecting a cloud provider, ahead of performance, reliability, management tools and cost.

■ IT sees cloud as an opportunity to improve security, enabling teams to leverage technology they previously did not use. After all, it's generally easier to deploy and update security technologies in the cloud than on-premise – 55 percent of respondents said cloud uses superior technology to on-premise, and 56 percent indicated that security technology is more consistently applied in cloud.

Driving the point home, when asked why they had not deployed specific security features in the cloud, respondents of the EMA survey indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was unnecessary.

■ Perhaps most promising, Business and IT finally agree that security should come before speed. For example, respondents indicated IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and Business agrees in a nearly 3 to 1 margin. This reduced friction should pave the way for DevSecOps, as teams begin to treat each other as allies instead of problems.

But again, there's definitely room for improvement:

■ Too many cloud security strategies rest on blind trust. In fact, EMA found 47% of security personnel reported they "simply trust" their cloud providers are delivering on security agreements, rather than verify it independently or through a third party. It's important for companies to trust, but verify. Don't fall too hard for a provider's marketing, assortment of compliance logos or brand. 

■ Overall, respondents called for more assistance from their cloud providers when it comes to integrating security technology (52%), improving security reporting (49%) and improving security analytics (44%). Be sure to check out these capabilities when evaluating cloud providers. Ask for a demo and get a clear understanding of what level of support is included with the service and what costs extra.

■ There is a significant gap in IT's understanding of compliance requirements and related workloads. While 96% of security professionals acknowledge their organizations have compliance related workloads in the cloud, only 69% of IT teams identified the same. The reality is most organizations have workloads subject to corporate and/or industry compliance.

The apparent gap uncovered by the EMA study could lead to exposures for the organization if IT were to place a compliance-related workload into a non-compliant cloud provider. So what is the lesson? Again, don't put all of your faith into the compliance logos thrown onto a provider's website. Verify certificates and ask if you can speak to their compliance team. These steps give folks of all experience levels a head start in avoiding compliance pitfalls in the cloud.

In the end, it doesn't matter how innovative or nimble you are if your security is lacking. While Business and IT have made great strides in prioritizing and addressing the issues, there is work to be done. In the face of staffing shortages, resource restrictions and shrinking deadlines, teams must be able to rely on cloud providers to take on more of the heavy lifting. But they must be smart about it, resisting the temptation to blindly trust and finger point.

Lilac Schoenbeck is VP of Product Management and Marketing at iland.

Share this