Cloud Security Study – The Good and Bad News for DevOps
June 10, 2016

Lilac Schoenbeck
Iland

IT teams are under more pressure than ever before, as they are increasingly forced to do more with less. Sound familiar? I've heard it for years, and it will likely play on an endless loop for many more. This dynamic helped give rise to the concept of DevOps, calling for teams to innovate at breakneck speeds while maintaining operational integrity.

In the face of emerging and increasingly frequent cyber threats, DevOps is evolving into DevSecOps, where security is the responsibility of every individual and engrained throughout the development process. While the concept is sound, making it a reality is going to take work.

At a fundamental level, we must take a hard look at current IT security strategies. A study conducted by leading analyst firm Enterprise Management Associates and commissioned by iland does just that, focusing specifically on cloud security. The report is entitled Blind Trust in Not a Security Strategy: Lessons from Cloud Adopters.

The study polled experienced cloud infrastructure and Disaster-Recovery-as-a-Service customers throughout North America. The results? In short – there is good news and bad news.

Let's talk about the good first:

■ Cloud has grown up and its benefits are clear. The argument no longer focuses on whether cloud should be adopted, it's about how to implement it correctly. As such, teams are focused on fortifying environments with significantly more tools than are used on-premise. In fact, 48% more security technologies are deployed in the cloud than on-premise. In light of that, it's no surprise that "security features" now tops the list of priorities companies consider when selecting a cloud provider, ahead of performance, reliability, management tools and cost.

■ IT sees cloud as an opportunity to improve security, enabling teams to leverage technology they previously did not use. After all, it's generally easier to deploy and update security technologies in the cloud than on-premise – 55 percent of respondents said cloud uses superior technology to on-premise, and 56 percent indicated that security technology is more consistently applied in cloud.

Driving the point home, when asked why they had not deployed specific security features in the cloud, respondents of the EMA survey indicated they were currently in the evaluation phase twice as often as any other reason for non-deployment, including cost, complexity, availability or that the technology was unnecessary.

■ Perhaps most promising, Business and IT finally agree that security should come before speed. For example, respondents indicated IT would rather delay a new application deployment due to security concerns than deploy it in a potentially insecure environment, and Business agrees in a nearly 3 to 1 margin. This reduced friction should pave the way for DevSecOps, as teams begin to treat each other as allies instead of problems.

But again, there's definitely room for improvement:

■ Too many cloud security strategies rest on blind trust. In fact, EMA found 47% of security personnel reported they "simply trust" their cloud providers are delivering on security agreements, rather than verify it independently or through a third party. It's important for companies to trust, but verify. Don't fall too hard for a provider's marketing, assortment of compliance logos or brand. 

■ Overall, respondents called for more assistance from their cloud providers when it comes to integrating security technology (52%), improving security reporting (49%) and improving security analytics (44%). Be sure to check out these capabilities when evaluating cloud providers. Ask for a demo and get a clear understanding of what level of support is included with the service and what costs extra.

■ There is a significant gap in IT's understanding of compliance requirements and related workloads. While 96% of security professionals acknowledge their organizations have compliance related workloads in the cloud, only 69% of IT teams identified the same. The reality is most organizations have workloads subject to corporate and/or industry compliance.

The apparent gap uncovered by the EMA study could lead to exposures for the organization if IT were to place a compliance-related workload into a non-compliant cloud provider. So what is the lesson? Again, don't put all of your faith into the compliance logos thrown onto a provider's website. Verify certificates and ask if you can speak to their compliance team. These steps give folks of all experience levels a head start in avoiding compliance pitfalls in the cloud.

In the end, it doesn't matter how innovative or nimble you are if your security is lacking. While Business and IT have made great strides in prioritizing and addressing the issues, there is work to be done. In the face of staffing shortages, resource restrictions and shrinking deadlines, teams must be able to rely on cloud providers to take on more of the heavy lifting. But they must be smart about it, resisting the temptation to blindly trust and finger point.

Lilac Schoenbeck is VP of Product Management and Marketing at iland.

Share this

Industry News

December 19, 2024

Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).

December 19, 2024

Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.

December 18, 2024

Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.

December 18, 2024

Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.

December 17, 2024

Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.

December 17, 2024

Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.

December 17, 2024

Kindo formally launched its channel partner program.

December 16, 2024

Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.

December 16, 2024

Fastly announced the general availability of Fastly AI Accelerator.

December 12, 2024

Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.

December 12, 2024

vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.

December 11, 2024

CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.

December 11, 2024

Grid Dynamics announced the launch of its developer portal.

December 10, 2024

LTIMindtree announced a strategic partnership with GitHub.