How the changing security landscape is forcing cloud providers to respond

The RSA Conference in San Francisco is a hotbed of news, analysis and reports on the security industry, with research from the Cloud Security Alliance (CSA) and automation software provider Sonatype being of particular interest.

The CSA report, State of Cloud Security 2018, assesses the steps cloud providers and enterprises are taking when it comes to security, as well as regulation and the changing threat landscape.

The report notes that as the landscape for cloud services expands, so do the security options with it. Infrastructure as a service (IaaS) overlaps with platform as a service (PaaS), while serverless enables the hardware and software to be decoupled, and the software as a service market (SaaS) also expands. The rise of cloud access security broker (CASB) providers, and managed security services, is a sign that organisational security goes beyond the traditional corporate perimeter.

Regarding the role providers have to play, the report warns around the evolving landscape. “Training videos and manuals may not be enough as enterprises are using multiple cloud services and can’t keep up,” the report explains. “To help enterprises battle against the technology sprawl of features, the aim needs to be towards safe and secure default configurations and ensuring the proper use of new features.

“Any breach of a service, even due to user error, can negatively impact customer trust and reliability of a product,” the report adds. “User interface and behaviour should be just as important as the features themselves.”

The report concludes that, ultimately, technology moves faster than the business’ skills to adopt them, and the dreaded cloud skills gap needs to be met head on by the industry through partnership and collaboration.

Vinay Patel, managing director at Citigroup and chair of the CSA Global Enterprise Advisory Board, said that cloud security remained a ‘work in progress’. “It is incumbent upon the cloud user community to collaborate and speak with an amplified voice to ensure that their key security issues are heard and addressed,” he said.

“We hope this document will serve as a roadmap to developing best practices in the establishment of baseline security requirements needed to protect organisational data,” Patel added.

Elsewhere, a report from Sonatype concluded that organisations with mature DevOps practices were significantly more likely to integrate automated security than firms with no DevOps practice. More than three quarters of mature DevOps organisations have open source policies in place, with greater adherence than those without, while nine in 10 (88%) with mature DevOps practices are investing in application security training.

You can read the CSA report here (registration required) and the Sonatype report here (registration required).