As more workloads are deployed in the cloud, it’s become increasingly apparent that most organizations are struggling with security.
A recent survey of 400 cloud engineering and security practitioners and leaders by the market research firm, Propeller Insights on behalf of Snyk, a provider of tools for discovering vulnerabilities in software, found that 80 percent have experienced at least one major cloud security incident in the past year.
The most common experiences reported by survey respondents were misconfigurations (34 percent) followed closely by an actual data breach (33 percent), an intrusion (27 percent) and a cloud data leak (26 percent). More troubling still, well over half (58 percent) said they believe the risk of a cloud data breach at their organization will only increase over the next year. A quarter (25 percent) worry they’ve recently suffered a cloud data breach that they are unaware has occurred.
Further, nearly half (45 percent) cited demand for engineering resources as the biggest impact of inefficient cloud security. And more than three quarters (77 percent) cited problems with poor training and collaboration as a major challenge and 41 percent noted that emerging cloud native services will only make security that much more complex.
Longer term, the hope is that as more responsibility for security is shifted left toward application developers, there will be a general improvement in the security of cloud computing environments. The trouble is most cloud computing infrastructure is programmatically provisioned by developers that have little to no cybersecurity expertise. In general, security was an elective that most developers never bothered to take and not surprisingly, it’s easy for a developer to make a mistake.
More organizations are starting to adopt best DevSecOps practices that embed guardrails within the application development process to ensure those mistakes are not made. The goal should be to enable developers to deploy secure cloud applications without having to materially slow down the rate at which those applications are built. Reliance on infrastructure-as-code (IaC) tools that have guardrails in place can deliver a 70 percent median reduction in cloud misconfigurations, the survey finds.
The survey makes it clear that cloud security is a major challenge and therein lies the opportunity for managed service providers. The tools and processes employed to secure on-premises IT environments are simply not applicable to the cloud. The simple truth is most organizations simply don’t have a lot of hands-on experience with cloud security. MSPs that have that expertise are now worth their proverbial weight in gold as the level of cloud risk continues to expand.
The challenge, of course, is most organizations are now using at least two cloud computing platforms. Despite the efforts of cloud service providers to entice organizations to sign enterprise licensing agreements, the decision concerning which workload to run where is still being primarily made by application development teams that have determined that certain classes of workloads run better on one cloud service than another. Naturally, the more cloud platforms employed, the more difficult the cloud security challenge becomes.
Arguably, MSPs are going to eventually generate more profits from securing workloads than helping organizations provision them so they might want to shift their cloud focus. It’s still important to make that initial engagement as early as possible, but when it comes to generating high-margin revenue there is nothing quite as potentially valuable to an MSP that is prepared to rise to the challenge than cloud security.
Photo: alice-photo / Shutterstock