Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

Cloud Leaders Sound Off on Key Challenges

$
0
0

Too many identities, systems and cooks in the kitchen cloud an already complex mandate.

More than two thirds of cloud decision-makers (68%) say their cloud deployments — particularly public and hybrid instances — are their organization’s greatest area of exposure risk. And, managing who has access to these systems poses a significant challenge.

These are the findings from a commissioned survey including 262 IT and security professionals who have the final decision-making authority for their organization’s cloud infrastructure. The survey, conducted in 2023 by Forrester Consulting on behalf of Tenable, reveals four key areas cloud decision-makers say represent their greatest areas of exposure risk:

  • Misconfigurations in the cloud infrastructure and services used throughout my organization (68%)
  • Flaws in any business/IT software used throughout my organization (62%)
  • Misconfigurations in the tools my organization uses to manage user privileges and access (60%)
  • Flaws in any operational technology software used throughout my organization (46%)

When it comes to evaluating risk exposure, the cloud far outranks other areas of IT infrastructure as a cause for concern among cloud decision-makers.

In which of the following areas is your risk exposure the highest?

Technology% respondents
Public cloud infrastructure129%
Multi-cloud / hybrid infrastructure228%
Internet of things (IoT)15%
Private cloud infrastructure11%
Cloud container management tools9%
On-premises infrastructure5%
Operational technology/industrial control system (ICS)/Supervisory Control and Data Acquisition (SCADA)3%

1 Public cloud can be a single public cloud provider, such as Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure

2 Multi-cloud / hybrid is a combination of two or more public and/or private clouds

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

Where are cloud decision-makers investing in the year ahead?

A wide array of cloud-based infrastructure and business systems is currently in use at most organizations, including virtual machines and containers as well as customer relationship management (CRM) and human resources management systems.

When it comes to areas of investment related to deploying technology in the cloud, respondents identified serverless functions, virtual machines and containers as the top three technology types where they plan to expand adoption in the next 12 months.

Which of the following cloud infrastructural technologies does your organization currently use?

TechnologyNot interested in cloudInterested but no plans to implement in cloudPlanning to implement in the cloud in the next 12 monthsImplemented in cloud but not expanding/upgradingExpanding or upgrading cloud usageDecreasing or removing cloud usage
Serverless functions8%21%39%24%7%0%
Virtual machines3%14%33%34%13%3%
Containers2%11%32%35%16%3%
HR management2%12%26%40%18%2%
Email2%5%25%35%26%7%
Financial3%11%25%32%24%6%
IT service management (ITSM)0%5%24%34%30%8%
Enterprise resource planning (ERP)1%4%17%37%32%9%
Customer relationship management (CRM)0%6%14%42%28%10%

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

Too much data, too many silos, too many stakeholders

Given the complex cloud-based ecosystem in place at most organizations, it’s no surprise that cloud findings top the list of data sources that cloud decision-makers use to determine overall risk exposure. But, cloud findings are hardly the only source. Threat intelligence feeds, vulnerability disclosures and incident-readiness assessment findings are also among the sources upon which data cloud decision-makers rely.

Which of the following data sources does your organization use to identify overall risk exposure?

Data source% respondents
Cloud findings69%
Threat intelligence feeds55%
Vulnerability disclosures52%
Incident-readiness assessment findings52%
Penetration test findings47%
External attack-surface findings42%
User profiles and privileges35%
Operational technology findings31%
Asset inventories26%

Multiple responses allowed

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

Aggregating all this data from multiple siloed systems is time-consuming and complicated. In fact, organizational silos, a lack of data hygiene and a focus on reactive rather than preventive cybersecurity all play a role in making cloud security a challenge. In particular:

  • Seven in 10 (70%) cloud decision-makers say their organization’s siloed systems form a barrier for obtaining user data
  • Half say their organization lacks an effective way to integrate user data into vulnerability management practices
  • More than half (55%) say the lack of hygiene in both their organization's user data and its vulnerability management systems prevents them from drawing quality data to help employees make prioritization decisions
  • Six in 10 (58%) say the cybersecurity team is too busy fighting critical incidents to take a preventive approach to reducing their organization’s exposure
  • Nearly three quarters (74%) say their organization would be more successful at defending against cyberattacks if it devoted more resources to preventive cybersecurity

Further complicating matters, the responsibility for overseeing identity and access management systems appears to be a team sport involving professionals in IT and security operations, risk and compliance and governance. A large majority of respondents (67%) have three or more identity and access management systems in place and there can be five different types of teams involved in managing these systems: IT operations (77%), security operations (61%), ID and access (53%), risk and compliance (36%), and governance (32%).

Who manages the identity and privilege management systems used at your organization?

Team% respondents
IT operations77%
Security operations61%
ID and access team53%
Risk and compliance36%
Governance32%
My organization does not have identity and privilege management systems2%
Other1%

Multiple responses allowed

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

In addition, most of the cloud decision-makers surveyed wear multiple hats, identifying themselves as the final decision-makers for a number of other key areas, including DevSecOps, vulnerability management and even the security operations center (SOC).

I am the final decision-maker for this practice

Practice% respondents
DevSecOps61%
Vulnerability management58%
Security operations / SOC57%
SaaS applications / tools56%
IT operations56%
Identity access / privilege management53%
DevOps53%

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

Yet, cybersecurity is often left out of the loop through most stages of technology deployment.

How often is your organization’s cybersecurity team engaged during the following stages of deployment?

StageNeverRarelySometimesMost of the timeAll of the time
Architecture review1%10%38%35%15%
Scoping2%16%41%32%9%
Request for proposal (RFP)3%10%31%35%21%
Vendor evaluation / proof of concept (PoC)2%10%33%31%24%
Configuration and deployment0%5%27%42%26%
User privilege and access management0%2%23%38%35%
Ongoing vendor management and maintenance1%9%27%40%23%
Governance and exception management1%11%21%45%22%

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

DevOps is another area of concern for cloud decision-makers: four in 10 (42%) say their organization's DevOps team does not prioritize security in its code development process.

More about the respondents

Survey respondents represent cloud decision-makers working in IT (65%) and cybersecurity (35%). They’re more likely to be VPs or directors rather than C-level executives. They’re very involved in IT and security strategy.

Which of the following best describes your current position/department?

Position/department% respondents
IT65%
Cybersecurity / infosec35%

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

Which title best describes your position at your organization?

Title% respondents
Senior-most IT or security decision-maker in the firm (e.g., CIO, CISO, CTO)22%
Business Information Security Officer (BISO)3%
VP in IT or security40%
Director in IT or security35%

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

To what extent are you involved with setting, managing and/or implementing the following areas of your IT/SECURITY strategy at your organization?

AreaMarginally involvedModerately involvedVery involved
Budget1%45%53%
Performance metrics0%40%59%
Business strategies0%48%52%

Base: 262 IT and security pros with final decision-making authority for their organization’s cloud infrastructure/architecture

Source: A commissioned study conducted in 2023 by Forrester Consulting on behalf of Tenable

Four recommendations for reducing cloud security risk

Securing your complex cloud infrastructure requires addressing a variety of people, process and technology challenges. Here are four recommendations to get you started:

  • Dismantle silos. Develop a plan to standardize cloud security across various business units, providing a single point of reference that can be used by teams in security, IT, DevOps and DevSecOps. Can you quickly determine the relationships among users, systems and assets across your organization, so you can realistically identify and address their exposure? Or, do your siloed systems form a barrier that stops you from effectively integrating such data into your cloud security practices? Standardization can help to minimize friction between IT, security and dev teams and ensure swift decision-making based on accurate recommendations that everyone can comprehend.
  • Visually map your attack surface. Knowing which cloud assets you have is just the beginning. You need visibility into the configurations, digital identities and associated permissions for each asset on your network. Only with a contextual view of assets, configurations and identities can you achieve the visibility necessary to perform the kind of precise analysis that enables security teams to offer targeted recommendations to reduce risk.
  • Address multi-cloud challenges. Each major public cloud provider — Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure — manages and configures cloud components differently, resulting in inconsistencies in continuous security monitoring. Aim to consolidate information from all your public cloud providers into a unified monitoring and management space. This requires understanding the diverse mechanisms at play, including the infrastructure of the cloud provider and the permissions model, and can help you lay the groundwork for consolidated and precise remediation recommendations.
  • Seek automated solutions. Automated cloud security solutions can help you continuously analyze your organization’s exposure to risk and present findings in an easy, consumable and actionable way, without requiring deep technical know-how on the part of teams. Automated security tools provide teams with the ability to understand, investigate and navigate risk amid the complexity. With the right automated solution, you can: gain full visibility into your cloud assets, users and configurations; consolidate information from all public cloud providers into a unified monitoring and management space; and prioritize and remediate based on risk severity. Automation can act as a force-multiplier for resource-starved security teams.

When searching for the right cloud security solutions, organizations should focus on those that reduce complexity and risk. The right cloud security solutions should be user-friendly and standardize cloud security across various business units. A robust solution serves as an advisor, offering insights into vulnerabilities or misconfigurations requiring immediate attention. It also delivers contextually rich risk prioritization and actionable insights for informed decision-making about mitigation and tools to automate and accelerate remediation.


Viewing all articles
Browse latest Browse all 1935

Trending Articles