Threat Intelligence

9/18/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

The Security Costs of Cloud-Native Applications

More than 60% of organizations report the bulk of new applications are built in the cloud. What does this mean for security?

Businesses are increasingly reliant on cloud-native applications despite the strong, broad perception that use of the cloud will drive security risks. So, where are the security gaps and which issues are top of mind?

The data comes from "The State of Cloud Native Security," a new study sponsored by Capsule8, Duo Security, and Signal Sciences. Researchers polled 486 senior-level decision makers and security pros from companies generating at least $250 million (50%) or at least $1 billion (50%) in revenue across eight industries, including financial services, tech, education, retail, government, nonprofits, manufacturing, and transportation.

They found 62% of companies rely on cloud-native applications (CNAs) for more than half of their apps, a figure predicted to hit 80% over the next three years. More than half of respondents believe CNAs increase their risk and view security as a barrier for adoption.

Visibility into cyberattacks is one security concern at top of mind: 73% of respondents say they lack actionable insight into threats and ongoing attacks. At a network level, poor visibility leads to spurious alerts, explains Capsule8 CEO John Viega. And as cyberattacks increase, so does the rise of security notifications: Only about one-third of businesses surveyed could addresses more than 75% of alerts their company receives.

False positives are another key issue plaguing IT and security environments: 46% of respondents say more than half of production environment alerts were false positives. Poor analytics is the top driver of false positives, according to nearly half of security and IT experts polled.

Employees in more traditional environments "throw algorithms at the problem" and try to gather and process more data as a means of improving threat detection, Viega explains.

However, in a cloud-native environment, "we're finding the biggest wins come from first improving the quality of the data before you improve the algorithms," he says. Instead of evaluating massive amounts of traffic at high speed, companies using CNAs have access to the cloud provider's API and can analyze data in a way that won't affect system performance.

As cloud infrastructure and applications take on a bigger role in production environments, security becomes a greater priority. The biggest concerns here are malware on servers (32%), targeted attacks from known threat actors (17%), and zero-day attacks (12%).

Nearly half (48%) of respondents say an attack has done damage to production environments, resulting in system damage (48%), loss of customer data (44%), and loss of financial data (31%).

Motivating the Move to Cloud
Researchers pointed to three primary drivers for the move to cloud-native apps: nearly 40% of respondents say they're "modernizing the most critical parts of the business." Thirty-one percent cite new software development, stating this is the way software is built now, and 29% report operational cost savings.

The larger the organization, the more likely it will rely on cloud-native apps for new deployments. For example, 55% of companies with $250 million to $499 million in revenue have most of their new apps running as cloud native. That number jumps to 60% for companies with $500 million to $999 million in revenue, 63% for those with $1 billion to $4.9 billion in revenue, and 71% for those with $5 billion to $9.9 billion in revenue.

However, that's where things take a turn. Businesses with more than $20 billion in annual revenue are "a bit more on the conservative side," experts report. Only 61% deploy more than half of their applications as cloud native; 23% use less than a quarter cloud-native apps.

CNA usage also varies by industry. Government institutions, for example, are least likely to extensively use them, and only 46% report the majority of their new apps are native to the cloud. On the other side of the spectrum are education, which reports 70% reliance on CNAs, along with financial services and technology (67% each), and 65% of retail companies.

"The people who are leading are not regulated and build a lot of software," Viega points out, using media companies and tech companies that grew up in the cloud as examples. Businesses in regulated environments tend to move less mission-critical applications to the cloud first.

"For a large financial institution, the consumer-facing platform might be one of the last things to go because that will get a tremendous amount of oversight," he says as an example.

Rethinking Security
Companies polled experienced at least twice as many cyberattacks this year compared with last year, researchers found. Viega says the increase isn't necessarily due to cloud.

"In many respects, the bad guys are the same and using the same techniques," he explains. Fifteen years ago, applications were made up of 90% custom code and 10% open source — today, it's about 80% to 90% open source and a little bit of custom code. This "definitely changes the equation a bit," he adds, as it gives the attacker more visibility into what he might exploit, regardless of whether an application is running in the cloud or not.

He advises companies to rethink security as they adopt cloud and not to "lift and shift" the way they do security in their traditional environments. You'll find it doesn't give scalability and cost-effectiveness, he says. In fact, fitting "a square peg in a round hole" can worsen security.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.