A survey of C-suite executives from Nominet has found that, for more than half of respondents, cloud security remains a concern – which becomes even more critical when multi-cloud comes in.

The study, which polled 274 CISOs, CIOs and CTOs, found 52% were at least moderately concerned about security with regards to cloud adoption. One in five respondents said they were ‘very’ concerned, compared to one in 10 who said they were not at all concerned.

Almost half (48%) of those polled said their organisation had a multi-cloud approach. Yet respondents using a multi-cloud approach were significantly more likely to have suffered a data breach – 52% affirmed this compared with only 24% of hybrid cloud users.

When it came to the specific threats organisations face, respondents were most concerned over exposure of customer data, increased threat surfaces, and improving cybercriminal sophistication.

Almost two thirds (63%) of those polled said they already outsourced certain security services to managed providers. CNI, hospitality and transport were industries less likely to outsource some of their security operations. “Most organisations are happy to outsource when it comes to security, and appear to believe the practice improves their security profile,” the report notes.

The report naturally went through the rigmaroles of cloud adoption statistics, of which a selection is presented herein. The most interesting aspect was that Google Cloud proved the most popular choice of the big clouds, with 56% saying they used it. AWS (32%), perhaps even more interestingly, finished flat last, behind Azure (36%), Oracle (44%) and IBM (49%).

88% of survey respondents said their organisation was either currently engaged in, or planning to, adopt cloud and software as a service (SaaS). 71% overall said they had adopted SaaS, compared with IaaS (60%), PaaS (30%) and business process as a service (BPaaS – 30%). A quarter of respondents said they had function as a service (FaaS) installed.

“The maturity of the cloud means that not only are businesses willing to use it for the delivery of operations and IT services, they are also embracing it for security tools and managed services,” the report notes. “And as businesses look at how the cloud can help make them more secure, ease of integration is top of mind – whether that’s with on-premise applications or other cloud services.

“The move to the cloud won’t be an all-encompassing migration,” the report adds. “Businesses will want to make the most of existing investments and only adopt cloud alternatives once these have reached the end of their product lifecycle.

“Organisations today therefore need cloud security tools that are flexible enough to secure the enterprise as it is today, and as it will be tomorrow.”

You can read the full Nominet report here (email required).

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

Any regular reader of this publication will have noted the regularity in which the largest cloud players – Amazon Web Services (AWS), Microsoft Azure, Google Cloud et al – post solid quarterly financial results. While Wall Street may not have been happy with all of the postings, growth has remained, albeit dipping from the three figure climbs in previous years.

This hyperscaler growth has often been backed up with strong spending across hardware assets. Yet two research companies have noted a decline in the most recent quarters across their industry segments. Both have blamed downturns in China for the change, although it will by no means be an irreversible decline.

Synergy Research, a long-time cloud infrastructure market analyst, noted in August that hyperscaler capex was down 2% based on year-by-year figures. The most recent quarter saw more than $28 billion in spending.  The first quarter of this year, although nearer $25bn, followed a similar pattern. Q118’s figure was still above it, even accounting for the one-off spend of Google buying Manhattan real estate for $2.4bn.

China’s expenditure declined by 37% year on year in Q2, Synergy noted, with Alibaba, Tencent, JD.com and Baidu all reluctant to spend. All other areas saw nominal increases; the US saw the most with 5% yearly, ahead of EMEA (3%) and the rest of APAC (2%). Taking China out of the mix would see overall figures jump 4% year on year.

Synergy’s figures come from the data centre and capex footprint of 20 of the world’s largest cloud and internet service firms. The ‘big five’, in this instance Google, Amazon, Microsoft, Facebook and Apple, usually dominate.

“Usually it is the big five that dictate the scale and trends in hyperscale capex, but the drop-off in spending in China has been so marked that an otherwise strong worldwide growth story has been transformed into a modest capex decline,” said John Dinsdale, a chief analyst at Synergy.

This situation is echoed when it comes to data centre switches. According to telecom and network analyst Dell’Oro Group, ‘weakness in China’ suppressed data centre switch market growth in Q219. The decline was the first seen in five years, down to both a slowdown in spending from cloud service providers and enterprise, as well as continued uncertainty over Huawei.

“In contrast, data centre switch market revenue in North America managed to grow despite a slowdown in spending by major cloud service providers,” said Sameh Boujelbene, Dell’Oro Group senior director. “Most of the slowdown was driven by reduced server purchases while data centre switches performance well. Large enterprises also contributed to the growth in North America as they accelerated their 100 GER adoption and helped Cisco emerge as the new leader in 100 GE revenue in Q219.”

“The situation in China is likely to be a short-term phenomenon, however, as the four Chinese hyperscale operators continue to grow revenues more rapidly than their US-headquartered counterparts,” Dinsdale added. “After some short-term financial belt-tightening, we expect to see Chinese capex rise strongly once again.”

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

In the new digital economy, data is the most valuable asset a company possesses. However, according to a recent survey by IDC, the spending ceiling for data security is as low as six per cent of the total security budget. Understandably, many information security professionals are feeling the pinch – and increasingly burning out and leaving the industry according to Goldsmiths, University of London – and companies aren’t spending enough on data security to prevent bad attackers from swiping the family silver.

At the same time, large-scale digital transformation projects continue to be high-profile news. The IDC report also found that 97 per cent of respondents were using sensitive data on new technologies as part of digital transformations, but fewer than 30 per cent were using tools, such as encryption, to keep that data secure within these environments.

This lack of security is a worrying trend when security should be included by design in digital transformation projects and implemented as early as possible in this new approach to the software development lifecycle.

Securing software

Software is eating the world; Marc Andreessen’s famous description of the need for every company to become a software business has been devoured by enterprises, but this rapid process of change has given many organisations indigestion and security headaches to boot. These investments are strategic ones, but they can often move ahead far faster than security teams can get involved.

Behind these changes, there are some bigger IT adoption trends taking place too. For example, environments have changed; many enterprises have moved from private cloud to hybrid cloud and are now embarking on multi-cloud. Our own  Modern App Report found that multi-cloud adoption had doubled year on year to around 10 per cent of companies.

Similarly, application architectures have shifted from the traditional three-tier, client-server approach to new microservices-based approaches. The technology stack is now shifting to containerised applications that are orchestrated by the likes of popular open source platforms such as Kubernetes. The responsive, flexible and scalable capabilities of these technologies has yielded significant performance and efficiency gains but it has added greater complexity.

The ephemeral nature of technologies, such as Docker and Kubernetes, has meant that the security tools used to collate data from these applications like security incident and event management (SIEM) are unable to keep pace with the rate of change taking place. Without this data and insight into your company’s applications and data, it’s simply not possible to gain insight into your security posture.

Planning out any digital transformation project should requires a thorough security needs assessment too. If done correctly, this provides a complete overview of your operating conditions and how processes operate, and it helps meet the business demands that digital transformation projects require.

Implementing a data-driven baseline as part of this process is also a vital way of protecting your enterprise. Using machine data – all the data created by all the applications, infrastructure components, cloud services and more – should supply more meaningful insights from metrics, logs and thresholds that you can evaluate in the current infrastructure and assess again once the project is live and running. 

The right DevSecOps tools

Getting this visibility around the cloud can help development, security and operations teams converge their approaches. This convergence – commonly called DevSecOps – involves making security into a continuous process that is part of the development lifecycle. This convergence can help maintain the speed of digital transformation while also ensuring security rules get followed from the start.

A DevSecOps approach differs to old delivery pipeline methods in that traditional software development priorities have not tended to address software vulnerabilities from the start. When software development relies on integrating third party programme components or publicly available images to create these services, this supply chain element becomes more important for all the teams involved.

Alongside this, there is a common assumption that DevSecOps is only about making sure that your security teams are working with developers and IT Ops teams. However, DevSecOps should go deeper than that in order to be successful. It’s an approach that sees security as code, building data protection and privacy thinking into the code itself from all stages: starting in design and architecture through to development, QA, pre-production and into production.

In practice, this means working with development teams on code is delivered in small updates and building security checks into the process so that any vulnerabilities can be spotted quickly before they go into production. This involves taking a more proactive approach that sees compliance monitoring baked in as well. This effectively positions your organisation in a constant state of audit readiness.

As you may have guessed, time-consuming manual security analysis and auditing will slow down the frequency and speed of software delivery. Automation is therefore integral to the success of DevSecOps, as areas such as threat investigation must be ongoing for any emerging threats and vulnerabilities as they are identified with code analysis. Using automated scans and analysis of data across the application, DevSecOps teams can concentrate on where they can provide the most value rather than on spending time on manual correlation of potential issues.

Empowering IT teams

The DevSecOps principles should not be seen as a silver bullet for digital projects; indeed, they are only effective with the right tools and data to power them. Implementing DevSecOps has to be based on a common approach to the applications and services involved. There will be too many interactions taking place to decipher without a unified approach for monitoring and fine-tuning operations.

Making security the responsibility of everyone across IT does mean having to manage different levels of experience around software and security. Generally, software developers don’t have the same history in looking through alerts to discern which ones are serious and should be investigated as risks, while they do have more expertise in new application design practices and how to put services together. Providing the right level of data – and making sure it can be made actionable and relevant for each team – is, therefore, something to consider as you implement your DevSecOps processes.

In a fast-paced environment, security tools that generate too many false positives can be as serious a problem as sticking with manual security testing. If too many issues come through, it can lead to “alert fatigue” and serious issues can be then be missed. By developing a baseline and monitoring alert levels, IT teams can avoid this problem. Similarly, you can automate common responses to potential conditions or threats. At the same time, data can help teams to interact in real time around real risks or potential threats in software systems as they are discovered.

Digital transformation is still gathering pace – more and more organisations are looking at how to improve their agility and keep up with competitors. However, this should not come at the cost of security. In the same way that DevOps is a fundamentally different approach to developing and delivering software, DevSecOps represents a completely different approach to making software secure. This approach is necessary if companies want to get all the potential value of their digital investments and avoid unnecessary risks.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.