Cloud security woes strike again – and it’s double trouble for multi-cloud users, research finds

A survey of C-suite executives from Nominet has found that, for more than half of respondents, cloud security remains a concern – which becomes even more critical when multi-cloud comes in.

The study, which polled 274 CISOs, CIOs and CTOs, found 52% were at least moderately concerned about security with regards to cloud adoption. One in five respondents said they were ‘very’ concerned, compared to one in 10 who said they were not at all concerned.

Almost half (48%) of those polled said their organisation had a multi-cloud approach. Yet respondents using a multi-cloud approach were significantly more likely to have suffered a data breach – 52% affirmed this compared with only 24% of hybrid cloud users.

When it came to the specific threats organisations face, respondents were most concerned over exposure of customer data, increased threat surfaces, and improving cybercriminal sophistication.

Almost two thirds (63%) of those polled said they already outsourced certain security services to managed providers. CNI, hospitality and transport were industries less likely to outsource some of their security operations. “Most organisations are happy to outsource when it comes to security, and appear to believe the practice improves their security profile,” the report notes.

The report naturally went through the rigmaroles of cloud adoption statistics, of which a selection is presented herein. The most interesting aspect was that Google Cloud proved the most popular choice of the big clouds, with 56% saying they used it. AWS (32%), perhaps even more interestingly, finished flat last, behind Azure (36%), Oracle (44%) and IBM (49%).

88% of survey respondents said their organisation was either currently engaged in, or planning to, adopt cloud and software as a service (SaaS). 71% overall said they had adopted SaaS, compared with IaaS (60%), PaaS (30%) and business process as a service (BPaaS – 30%). A quarter of respondents said they had function as a service (FaaS) installed.

“The maturity of the cloud means that not only are businesses willing to use it for the delivery of operations and IT services, they are also embracing it for security tools and managed services,” the report notes. “And as businesses look at how the cloud can help make them more secure, ease of integration is top of mind – whether that’s with on-premise applications or other cloud services.

“The move to the cloud won’t be an all-encompassing migration,” the report adds. “Businesses will want to make the most of existing investments and only adopt cloud alternatives once these have reached the end of their product lifecycle.

“Organisations today therefore need cloud security tools that are flexible enough to secure the enterprise as it is today, and as it will be tomorrow.”

You can read the full Nominet report here (email required). in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

CISOs now say cloud technology is ‘just as safe’ as on-prem

Keumars Afifi-Sabet

4 Sep, 2019

The majority of security professionals now consider single-cloud technology to be just as safe, if not safer, than on-premise storage – while multi-cloud environments are deemed the riskiest setups, according to research. 

Cloud technology has seen an explosion in adoption rates among businesses in recent years but has been traditionally considered a riskier option for businesses than on-premise storage.

The majority (61%) of chief information security officers (CISOs), however, have indicated that while security concerns remain, businesses running single-cloud configurations are at no more risk than they would be powering their organisations through on-premise data centres.

There’s also a strong appetite for cloud adoption, with 88% of respondents to a Nominet survey reporting their organisations are either currently engaging in, or have plans to, adopting Software as a Service (SaaS) products.

The research questioned almost 300 CISOs, CTOs and CIOs from large organisations with more than 2,500 employees directly responsible for overseeing cyber security practices.

Some 71% of respondents said they were either moderately, very or extremely concerned with the risk of cyber attack in cloud technology, but these concerns are generally matched by anxieties with on-premise systems.

Interestingly, US respondents were almost twice as likely than CISOs based in the UK to suggest they were “extremely concerned” – 21% versus 13%. This could be based on a host of reasons, including differing compliance regimes, threat landscapes and media coverage of security breaches, the report suggested.

“Security has traditionally always been cited as a barrier to cloud adoption, so it is significant that the perceived risk gap between cloud and on-premise has disappeared,” said Stuart Reed Nominet’s vice president of cyber security.

“It is evident that security concerns are no longer an insurmountable barrier to cloud deployments given the high adoption rate of cloud services.”

Cloud infrastructure is becoming a major funding priority as IT leaders strive towards organisational change. Find out why in this whitepaper.

Download now

He added: “And, as we move into the ‘cloud era’, arguably security teams need to channel their concern into finding solutions that work with the cloud, just as they have been doing in an on-premise environment.”

Adopting a multi-cloud approach, meanwhile, is generally seen as more risk than hybrid and single-cloud approaches.

CISOs adopting such a configuration within their organisations were twice as likely to have suffered a data breach over the past 12 months; 52% versus 24% of single-cloud and hybrid-cloud users.

Organisations adopting a multi-cloud approach were also found to generally suffer a greater number of data breaches, with 69% of respondents reporting 11-30 breaches compared with 19% for single-cloud adopters and 13% for hybrid cloud adopters.

“When it comes to ensuring resilience and being able to source ‘best-in-class’ services, using multiple vendors makes sense,” Reed continued.

“However, from a security perspective, the muti-cloud approach also increases exposure to risk as there are a greater number of parties handling an organisation’s sensitive data.

“This is exactly why an eye must be kept on integration and a concerted effort be made to gain the visibility needed to counter threats across all different types of environments.”

There is a downturn in cloud and data centre infrastructure spending – and China is causing it

Any regular reader of this publication will have noted the regularity in which the largest cloud players – Amazon Web Services (AWS), Microsoft Azure, Google Cloud et al – post solid quarterly financial results. While Wall Street may not have been happy with all of the postings, growth has remained, albeit dipping from the three figure climbs in previous years.

This hyperscaler growth has often been backed up with strong spending across hardware assets. Yet two research companies have noted a decline in the most recent quarters across their industry segments. Both have blamed downturns in China for the change, although it will by no means be an irreversible decline.

Synergy Research, a long-time cloud infrastructure market analyst, noted in August that hyperscaler capex was down 2% based on year-by-year figures. The most recent quarter saw more than $28 billion in spending.  The first quarter of this year, although nearer $25bn, followed a similar pattern. Q118’s figure was still above it, even accounting for the one-off spend of Google buying Manhattan real estate for $2.4bn.

China’s expenditure declined by 37% year on year in Q2, Synergy noted, with Alibaba, Tencent, and Baidu all reluctant to spend. All other areas saw nominal increases; the US saw the most with 5% yearly, ahead of EMEA (3%) and the rest of APAC (2%). Taking China out of the mix would see overall figures jump 4% year on year.

Synergy’s figures come from the data centre and capex footprint of 20 of the world’s largest cloud and internet service firms. The ‘big five’, in this instance Google, Amazon, Microsoft, Facebook and Apple, usually dominate.

“Usually it is the big five that dictate the scale and trends in hyperscale capex, but the drop-off in spending in China has been so marked that an otherwise strong worldwide growth story has been transformed into a modest capex decline,” said John Dinsdale, a chief analyst at Synergy.

This situation is echoed when it comes to data centre switches. According to telecom and network analyst Dell’Oro Group, ‘weakness in China’ suppressed data centre switch market growth in Q219. The decline was the first seen in five years, down to both a slowdown in spending from cloud service providers and enterprise, as well as continued uncertainty over Huawei.

“In contrast, data centre switch market revenue in North America managed to grow despite a slowdown in spending by major cloud service providers,” said Sameh Boujelbene, Dell’Oro Group senior director. “Most of the slowdown was driven by reduced server purchases while data centre switches performance well. Large enterprises also contributed to the growth in North America as they accelerated their 100 GER adoption and helped Cisco emerge as the new leader in 100 GE revenue in Q219.”

“The situation in China is likely to be a short-term phenomenon, however, as the four Chinese hyperscale operators continue to grow revenues more rapidly than their US-headquartered counterparts,” Dinsdale added. “After some short-term financial belt-tightening, we expect to see Chinese capex rise strongly once again.” in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Firefox now blocks third-party trackers by default

Keumars Afifi-Sabet

3 Sep, 2019

The desktop version of Firefox will block cookies and cryptocurrency mining by default as part of sweeping changes to the web browser aimed at safeguarding user privacy.

Mozilla will enforce Enhanced Tracking Protection (ETP) as standard practice for all users as part of the default Firefox configuration, from today, and will block known third-party tracking cookies, the company has announced.

The cookies will be cross-referenced with the ‘Disconnect’ list of known third-party trackers that comprise websites that collect and retain data regarding users’ activity across multiple sites or applications.

This feature has been widely-anticipated since Mozilla outlined its plans in January, and has been available for new users since June this year. The feature now, however, concerns a fresh approach to anti-tracking the firm outlined recently based on testing and revision.

Mozilla also previously teased a subscription-based version of Firefox with additional privacy-centric features, which also reportedly featured ETP available as standard.

“Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today’s release, we expect to provide protection for 100% of our users by default,” Mozilla said.

“Enhanced Tracking Protection works behind-the-scenes to keep a company from forming a profile of you based on their tracking of your browsing behaviour across websites – often without your knowledge or consent.

“Those profiles and the information they contain may then be sold and used for purposes you never knew or intended. Enhanced Tracking Protection helps to mitigate this threat and puts you back in control of your online experience.”

The ETP functionality will also work in the background to prevent illicit cryptocurrency mining scripts from draining users’ CPU usage and battery power on their devices. This feature has existed in previous beta versions of Firefox but is now available as standard to all.

Users will know ETP is switched on by the appearance of a purple shield icon in the far-left corner of their address bar. This will show when users visit websites on which third-party tracking cookies are being actively blocked.

Firefox will also block fingerprinting scripts – which harvest a sampling of details from users’ devices when visiting a particular website – by default. This snapshot of information can then be used to track users across the web.

Users can block fingerprinting scripts if they turn on ‘strict mode’, with Mozilla also suggesting this protection will be bundled into the default settings in future releases.

Putting data security at the heart of digital transformation – from culture to code

In the new digital economy, data is the most valuable asset a company possesses. However, according to a recent survey by IDC, the spending ceiling for data security is as low as six per cent of the total security budget. Understandably, many information security professionals are feeling the pinch – and increasingly burning out and leaving the industry according to Goldsmiths, University of London – and companies aren’t spending enough on data security to prevent bad attackers from swiping the family silver.

At the same time, large-scale digital transformation projects continue to be high-profile news. The IDC report also found that 97 per cent of respondents were using sensitive data on new technologies as part of digital transformations, but fewer than 30 per cent were using tools, such as encryption, to keep that data secure within these environments.

This lack of security is a worrying trend when security should be included by design in digital transformation projects and implemented as early as possible in this new approach to the software development lifecycle.

Securing software

Software is eating the world; Marc Andreessen’s famous description of the need for every company to become a software business has been devoured by enterprises, but this rapid process of change has given many organisations indigestion and security headaches to boot. These investments are strategic ones, but they can often move ahead far faster than security teams can get involved.

Behind these changes, there are some bigger IT adoption trends taking place too. For example, environments have changed; many enterprises have moved from private cloud to hybrid cloud and are now embarking on multi-cloud. Our own  Modern App Report found that multi-cloud adoption had doubled year on year to around 10 per cent of companies.

Similarly, application architectures have shifted from the traditional three-tier, client-server approach to new microservices-based approaches. The technology stack is now shifting to containerised applications that are orchestrated by the likes of popular open source platforms such as Kubernetes. The responsive, flexible and scalable capabilities of these technologies has yielded significant performance and efficiency gains but it has added greater complexity.

The ephemeral nature of technologies, such as Docker and Kubernetes, has meant that the security tools used to collate data from these applications like security incident and event management (SIEM) are unable to keep pace with the rate of change taking place. Without this data and insight into your company’s applications and data, it’s simply not possible to gain insight into your security posture.

Planning out any digital transformation project should requires a thorough security needs assessment too. If done correctly, this provides a complete overview of your operating conditions and how processes operate, and it helps meet the business demands that digital transformation projects require.

Implementing a data-driven baseline as part of this process is also a vital way of protecting your enterprise. Using machine data – all the data created by all the applications, infrastructure components, cloud services and more – should supply more meaningful insights from metrics, logs and thresholds that you can evaluate in the current infrastructure and assess again once the project is live and running. 

The right DevSecOps tools

Getting this visibility around the cloud can help development, security and operations teams converge their approaches. This convergence – commonly called DevSecOps – involves making security into a continuous process that is part of the development lifecycle. This convergence can help maintain the speed of digital transformation while also ensuring security rules get followed from the start.

A DevSecOps approach differs to old delivery pipeline methods in that traditional software development priorities have not tended to address software vulnerabilities from the start. When software development relies on integrating third party programme components or publicly available images to create these services, this supply chain element becomes more important for all the teams involved.

Alongside this, there is a common assumption that DevSecOps is only about making sure that your security teams are working with developers and IT Ops teams. However, DevSecOps should go deeper than that in order to be successful. It’s an approach that sees security as code, building data protection and privacy thinking into the code itself from all stages: starting in design and architecture through to development, QA, pre-production and into production.

In practice, this means working with development teams on code is delivered in small updates and building security checks into the process so that any vulnerabilities can be spotted quickly before they go into production. This involves taking a more proactive approach that sees compliance monitoring baked in as well. This effectively positions your organisation in a constant state of audit readiness.

As you may have guessed, time-consuming manual security analysis and auditing will slow down the frequency and speed of software delivery. Automation is therefore integral to the success of DevSecOps, as areas such as threat investigation must be ongoing for any emerging threats and vulnerabilities as they are identified with code analysis. Using automated scans and analysis of data across the application, DevSecOps teams can concentrate on where they can provide the most value rather than on spending time on manual correlation of potential issues.

Empowering IT teams

The DevSecOps principles should not be seen as a silver bullet for digital projects; indeed, they are only effective with the right tools and data to power them. Implementing DevSecOps has to be based on a common approach to the applications and services involved. There will be too many interactions taking place to decipher without a unified approach for monitoring and fine-tuning operations.

Making security the responsibility of everyone across IT does mean having to manage different levels of experience around software and security. Generally, software developers don’t have the same history in looking through alerts to discern which ones are serious and should be investigated as risks, while they do have more expertise in new application design practices and how to put services together. Providing the right level of data – and making sure it can be made actionable and relevant for each team – is, therefore, something to consider as you implement your DevSecOps processes.

In a fast-paced environment, security tools that generate too many false positives can be as serious a problem as sticking with manual security testing. If too many issues come through, it can lead to “alert fatigue” and serious issues can be then be missed. By developing a baseline and monitoring alert levels, IT teams can avoid this problem. Similarly, you can automate common responses to potential conditions or threats. At the same time, data can help teams to interact in real time around real risks or potential threats in software systems as they are discovered.

Digital transformation is still gathering pace – more and more organisations are looking at how to improve their agility and keep up with competitors. However, this should not come at the cost of security. In the same way that DevOps is a fundamentally different approach to developing and delivering software, DevSecOps represents a completely different approach to making software secure. This approach is necessary if companies want to get all the potential value of their digital investments and avoid unnecessary risks. in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.