Cloud Security Study – The Good and Bad News for DevOps
June 10, 2016

Lilac Schoenbeck
Iland

IT teams are under more pressure than ever before, as they are increasingly forced to do more with less. Sound familiar? I've heard it for years, and it will likely play on an endless loop for many more. This dynamic helped give rise to the concept of DevOps, calling for teams to innovate at breakneck speeds while maintaining operational integrity.

In the face of emerging and increasingly frequent cyber threats, DevOps is evolving into DevSecOps, where security is the responsibility of every individual and engrained throughout the development process. While the concept is sound, making it a reality is going to take work.

At a fundamental level, we must take a hard look at current IT security strategies. A study conducted by leading analyst firm Enterprise Management Associates and commissioned by iland does just that, focusing specifically on cloud security. The report is entitled Blind Trust in Not a Security Strategy: Lessons from Cloud Adopters.

The study polled experienced cloud infrastructure and Disaster-Recovery-as-a-Service customers throughout North America. The results? In short – there is good news and bad news.

Let's talk about the good first:

■ Cloud has grown up and its benefits are clear. The argument no longer focuses on whether cloud should be adopted, it's about how to implement it correctly. As such, teams are focused on fortifying environments with significantly more tools than are used on-premise. In fact, 48% more security technologies are deployed in the cloud than on-premise. In light of that, it's no surprise that "security features" now tops the list of priorities companies consider when selecting a cloud provider, ahead of performance, reliability, management tools and cost.

■ IT sees cloud as an opportunity to improve security, enabling teams to leverage technology they previously did not use. After all, it's generally easier to deploy and update security technologies in the cloud than on-premise – 55 percent of respondents said cloud uses superior technology to on-premise, and 56 percent indicated that security technology is more consistently applied in cloud.

Driving the point home, when asked why they had not deployed specific security features in the cloud, respondents of the EMA survey indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was unnecessary.

■ Perhaps most promising, Business and IT finally agree that security should come before speed. For example, respondents indicated IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and Business agrees in a nearly 3 to 1 margin. This reduced friction should pave the way for DevSecOps, as teams begin to treat each other as allies instead of problems.

But again, there's definitely room for improvement:

■ Too many cloud security strategies rest on blind trust. In fact, EMA found 47% of security personnel reported they "simply trust" their cloud providers are delivering on security agreements, rather than verify it independently or through a third party. It's important for companies to trust, but verify. Don't fall too hard for a provider's marketing, assortment of compliance logos or brand. 

■ Overall, respondents called for more assistance from their cloud providers when it comes to integrating security technology (52%), improving security reporting (49%) and improving security analytics (44%). Be sure to check out these capabilities when evaluating cloud providers. Ask for a demo and get a clear understanding of what level of support is included with the service and what costs extra.

■ There is a significant gap in IT's understanding of compliance requirements and related workloads. While 96% of security professionals acknowledge their organizations have compliance related workloads in the cloud, only 69% of IT teams identified the same. The reality is most organizations have workloads subject to corporate and/or industry compliance.

The apparent gap uncovered by the EMA study could lead to exposures for the organization if IT were to place a compliance-related workload into a non-compliant cloud provider. So what is the lesson? Again, don't put all of your faith into the compliance logos thrown onto a provider's website. Verify certificates and ask if you can speak to their compliance team. These steps give folks of all experience levels a head start in avoiding compliance pitfalls in the cloud.

In the end, it doesn't matter how innovative or nimble you are if your security is lacking. While Business and IT have made great strides in prioritizing and addressing the issues, there is work to be done. In the face of staffing shortages, resource restrictions and shrinking deadlines, teams must be able to rely on cloud providers to take on more of the heavy lifting. But they must be smart about it, resisting the temptation to blindly trust and finger point.

Lilac Schoenbeck is VP of Product Management and Marketing at iland.

The Latest

May 22, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on the top tools to support DevSecOps. Part 2 covers DevOps and development ...

May 21, 2018

While DevSecOps, much like DevOps itself, is more about changing IT culture than employing certain types of technology, some tools can be an important support. To find out what the right tools are, DEVOPSdigest asked experts from across the IT industry for their opinions on the top tools to support DevSecOps. Part 1 covers the testing phase ...

May 17, 2018

The top two business priorities for CIOs of midsize enterprises (MSEs) in 2018 are growth and digital transformation. However, 57 per cent of MSEs are not yet delivering digital initiatives, according to findings from Gartner Inc.'s 2018 CIO Agenda Survey ...

May 15, 2018

Almost every company is facing the challenge of digital transformation today. This means rethinking and retooling your company to compete and succeed in an increasingly digital world. While digital transformation is not only about technology, the right tools can help. To find out what these right tools are, APMdigest asked experts from across the IT industry for their opinions on the essential tools to support digital transformation ...

May 08, 2018

With data breaches consistently being in the news over the last several years, it is no wonder why data privacy has become such a hot topic and why the European Union (EU) has put in place General Data Protection Regulation (GDPR) which will become enforceable on May 25, 2018, which is less than a month away ...

May 03, 2018

The prospect of increased workloads, combined with shrinking mainframe skillsets, has huge implications for mainframe DevOps. The only way for organizations to solve this skills gap crisis is by optimizing developer productivity. Drilling down a level further, what does this all mean for mainframe DevOps? ...

May 02, 2018

When it comes to operations and development, DevOps has changed the traditional compartmentalized style of development by eliminating silos. But what about the security team? Security is largely still siloed from operations and development. No doubt, many DevOps teams have some security controls baked into their automation processes, but a recent survey shows there are still alarming gaps ...

April 30, 2018

According to the 2018 Global Security Trends in the Cloud report, 93 percent of respondents faced challenges when deploying their current on-premises security tools in the cloud, and 97 percent lacked the tools, cross-functional collaboration and resources to gain proper insight into security across the organization. These numbers indicate a big problem in DevSecOps that needs to be addressed ...

April 26, 2018

Moving more workloads to the cloud is a top IT priority, so eventually it will be time to consider how to make those critical legacy applications cloud ready. In Part 1 of this blog, I outlined the first four of eight steps to chart your cloud journey. In addition, consider the next four steps below ...

April 25, 2018

Clearly, moving applications to the cloud delivers significant advantages. So what's standing in the way of full cloud adoption? For many companies it's those burdensome (but critically important) legacy applications. Moving more workloads to the cloud is a top IT priority. So, eventually it will be time to consider how to make those critical legacy applications cloud ready. Consider the following eight steps to chart your cloud journey ...

Share this