Cloud Security Evolution, Strategy, and Best Practices

Enterprise Strategy Group | Getting to the bigger truth.™
The Evolution of Cloud Security
By Jon Oltsik, ESG Senior Principal Analyst
May 2016
Contents
Executive Summary
Cloud Computing Momentum in the Enterprise
The State of Cloud Security
Cloud Security Challenges
Cloud Security Tactics and Strategies
The Bigger Truth
All trademark names are property of their respective companies. Information contained in this publication has been obtained
by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may
contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise
Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format,
electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy
Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal
prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
This ESG Research paper was commissioned by vArmour and is distributed under license from ESG.
© 2016 by The Enterprise Strategy Group, Inc.
Executive Summary
In early 2016, vArmour commissioned the Enterprise Strategy Group (ESG) to conduct a research survey of 303 IT
and cybersecurity professionals with knowledge of or responsibility for cloud security policies, processes, or
technologies at enterprise organizations (i.e., more than 1,000 employees).
Survey respondents were located in North America and came from companies ranging in size: 50% of survey
respondents worked at organizations with 1,000 to 4,999 employees, 23% worked at organizations with 5,000 to
9,999 employees, 13% worked at organizations with 10,000 to 19,999 employees, and 14% worked at organizations
with 20,000 or more employees. Respondents represented numerous industry and government segments with the
largest participation coming from manufacturing (20%), retail/wholesale (16%), the financial services industry
(15%), and business services (14%).
For the purposes of this research project, ESG provided the following definitions to survey respondents:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. These infrastructure resources can be
accessed and provisioned via on-premises cloud infrastructure management platforms (e.g.,
VMware vCloud, OpenStack, etc.) and/or third-party services (e.g., Amazon AWS, Microsoft
Azure, etc.). Note that server virtualization technologies like VMware vSphere/ESX, Microsoft
Hyper-V, etc., on their own (i.e., without some type of cloud infrastructure management
software) are NOT considered to be cloud computing.
Server virtualization technology is defined as software that divides one physical server into
multiple isolated virtual environments. This survey focuses specifically on x86 virtualization
technologies, by which x86-based guest operating systems are run under another x86-based
host operating system running on Intel or AMD hardware platforms.
This research project was intended to assess the current practices and challenges associated with cloud computing
security. Furthermore, respondents were asked about future strategic plans intended to improve the efficacy and
efficiency of cloud security in the future. Based upon the data collected, this paper concludes:
Enterprise organizations continue to embrace heterogeneous cloud computing options.
Large organizations are using a wide variety of public and private cloud infrastructure to host
a growing number of production workloads. ESG also sees increasing adoption of a wide
range of heterogeneous cloud infrastructure and SDN technologies, including AWS, Azure,
Cisco ACI, Google Cloud Platform (GCP), NSX, OpenStack, SoftLayer, and VMware vCloud.
The heterogeneous nature of cloud computing introduces numerous management and
security complexities.
Traditional security processes and controls can be a mismatch for cloud computing. CISOs
often try to bridge the cloud security gap with traditional security processes and controls but
survey respondents report weaknesses in status quo data, host-based, and network security
technologies when they are applied to the cloud (i.e., physical firewall and IDS/IPS
appliances, DLP gateways, switch- and router-based ACLs, Layer 2 VLANs based upon IEEE
802.1q, etc.). The same holds true with security monitoring, where cloud computing often
leads to blind spots or data management issues (i.e., collecting the right data in a timely
manner, normalizing different data formats, etc.). Little wonder then that 74% of
organizations are replacing traditional security processes and choosing extensible, scalable,
and independent security technologies designed for cloud computing.
Cloud computing is driving a multitude of cybersecurity changes. Aside from traditional
security process and technology replacement, enterprise organizations are changing security
organizations, processes, and plans to accommodate cloud computing security requirements.
This transition has already begun and will only gather additional momentum in the months
and years to come.
As for cloud computing security “lessons learned,” successful organizations are making organizational changes to
improve collaboration between security, DevOps, and data center operations teams, instituting new security
policies and processes to keep up with cloud agility, and adding new types of cloud-centric security technologies
designed for extensibility, scalability, and support for multiple types of cloud infrastructure.
Cloud Computing Momentum in the Enterprise
Enterprise organizations are no longer simply experimenting with cloud computing. Rather, many large firms are
embracing heterogeneous cloud computing in mixed environments and actively moving workloads to public and
private clouds. For example, ESG research reveals that:
More than one-third (34%) of organizations have been using public and private cloud services
for 3 years or more. As organizations gain additional cloud computing experience, it tends to
accelerate their pace of cloud adoption.
More than half of enterprise organizations (57%) are using public and private cloud
infrastructure to support production applications and workloads today. This indicates that
organizations are growing more comfortable running their own portfolio of cloud-based
workloads and that cloud computing has become an essential part of enterprise IT strategy.
One-quarter of IT and cybersecurity professionals report that 40% of their organization’s
production applications/workloads run on public cloud infrastructure today and this will only
increase in the future.
Enterprises are engaged in numerous other activities in support of cloud computing. For example, 88% are already
deploying internal private cloud infrastructure, 66% are using converged or hyper-converged infrastructure
solutions, while 69% are using a self-service portal for cloud workload provisioning, configuration management,
change management, etc.
Why are large organizations embracing cloud computing at an increasing rate? Reasons vary from aligning
enterprise IT with emerging technology innovation, to lowering costs, to aligning IT infrastructure with the
increased use of agile development (see Figure 1).
FIGURE 1
Reasons for Using Cloud Computing Infrastructure
What were the main reasons why your organization decided to utilize cloud computing infrastructure when it first made the decision to do so? (Percent of respondents, N=303, multiple responses accepted)
Align our IT strategy with emerging industry innovation: 50%
Lower operating costs: 47%
Lower capital costs: 42%
Align our IT infrastructure with our increasing use of agile development: 41%
Reduce the number of physical data centers my organization owns and/or operates: 41%
Use cloud computing for application test and development: 40%
On-demand compute resources to meet the variable needs of a particular application: 39%
Use cloud computing infrastructure for non-sensitive workloads: 38%
Accelerate application deployment time: 37%
Provide business units with more IT autonomy: 36%
Tiered storage options allow us to align the time value of data with cost: 30%
Converting capital costs to operational costs in a “pay as you go” utility model: 26%
The State of Cloud Security
In spite of the uptake of cloud computing, IT and security professionals still believe that security issues continue to
impede overall cloud velocity. For example, 51% claim that their organizations are concerned about security risks
associated with relying on third-party cloud computing providers, 37% say that their organizations are concerned
that cloud computing increases their attack surface, and 36% are concerned about the availability and reliability of
public cloud infrastructure.
Aside from the risks associated with cloud computing, security professionals also admit that cloud security presents
some inherent organizational challenges. More than half of all enterprises claim that cybersecurity teams,
networking teams, and data center infrastructure teams all get involved in creating and managing cloud security
policies. These three teams also collaborate on cloud security technology purchases, deployment, and day-to-day
operations. Given the relative immaturity of cloud computing, when it comes to securing these implementations
properly, security professionals describe communications and collaboration issues between these groups,
increasing risk and creating bottlenecks in cloud security processes.
While cloud computing represents a new and distinct model, 92% of organizations approach cloud security with
existing security technologies and processes (see Figure 2).
FIGURE 2
Use of Existing Security Technologies and Processes for Cloud Computing
Does your organization use its existing security technology and processes for securing its cloud infrastructure? (Percent of respondents, N=303)
Yes, extensively: 37%
Yes, somewhat: 55%
No, but we plan to use our existing security technologies and processes for cloud security in the future: 6%
No, but we are interested in using our existing security technologies and processes for cloud security in the future: 2%
From a cost and operations perspective, it certainly makes sense to point existing security technologies and
processes at new IT initiatives like cloud computing. Unfortunately, these tools and processes were really designed
to be used with a traditional static security model (i.e., hardware-centric, perimeter, network-centric, north/south
traffic inspection emphasis, etc.) rather than highly dynamic and mobile cloud computing workloads. When asked to
identify their least effective traditional security tools for cloud environments, survey respondents pointed to data
security technologies (46%), host-based security technologies (46%), and network security technologies (44%, see
Figure 3). The research also revealed a general pattern—traditional security skills, processes, and technologies were
much more mature than their cloud security counterparts on a consistent basis.
FIGURE 3
Least Effective Traditional Security Technologies for New Requirements Associated with Cloud Security
Which of the following traditional security controls (designed to protect on-premises systems, networks, applications, and data) is least effective for new requirements associated with cloud security? (Percent of respondents, N=303, multiple responses accepted)
Data security technologies (encryption, data loss prevention (DLP), etc.): 46%
Host-based security technologies (i.e., anti-virus, file-integrity monitoring, host-based IDS/IPS, etc.): 46%
Network security technologies (i.e., firewalls, IDS/IPS, gateways, etc.): 44%
Web application firewalls (WAFs): 42%
Vulnerability management scanner technologies: 41%
Patch management technologies: 37%
SIEM and/or security analytics technologies: 33%
None of the above: 4%
Cloud Security Challenges
Aside from security technology controls, survey respondents also called out a variety of cloud security challenges
that spanned people, process, and technology. For example, one-third of organizations point to problems in areas
such as their ability to provision security controls to new workloads in the cloud, their ability to assess the overall
security of cloud infrastructure, their ability to monitor workloads across clouds, and their ability to monitor
regulatory compliance while using cloud computing infrastructure effectively (see Figure 4).
FIGURE 4
Cloud Security Challenges
Which of the following represent the biggest cloud security challenges at your organization? (Percent of respondents, N=303, five responses accepted)
Ability to provision security controls to new workloads in the cloud: 34%
Ability to assess the overall security status of cloud infrastructure: 34%
Ability to monitor workloads across clouds: 34%
Ability to maintain regulatory compliance while using cloud computing infrastructure effectively: 33%
Ability to monitor network traffic patterns for anomalous/suspicious behavior: 32%
Ability to protect workloads across clouds: 31%
Ability to collect, process, and analyze security data related to cloud infrastructure: 31%
Ability to build a tiered cloud consumption model that aligns different cloud options with the sensitivity of individual workloads: 30%
Ability to build a risk model to assess which workloads can move to the cloud and which should remain on-premises: 30%
Ability to monitor who provisions or changes cloud-based infrastructure: 26%
Ability to conduct forensic investigations on cloud resources: 26%
Ability to segment network traffic: 26%
None of the above – we don’t have any cloud security challenges: 3%
Note that many responses in Figure 4 were related to challenges with cloud security monitoring. ESG wanted to dig
a bit further into this topic so we asked survey respondents to identify specific challenges with cloud security
monitoring as well. As Figure 5 illustrates, security professionals have a long list of cloud security monitoring
challenges, including organizational challenges, scalability challenges, technology challenges, and skills challenges.
As the old business axiom goes, “you can’t manage what you can’t measure.” As the ESG survey
concludes, this is a real problem for large organizations where cloud security monitoring remains
a work-in-progress. Smart CISOs will address these types of cloud security monitoring challenges,
attain situational awareness of all activities happening in heterogeneous clouds, and then use
data analysis to mitigate risk, apply controls, and drive security investigations.
FIGURE 5
Cloud Security Monitoring Challenges
Which of the following challenges has your organization experienced with regard to monitoring the security of applications, workloads, and data residing on cloud infrastructure? (Percent of respondents, N=298, three responses accepted)
Various IT and/or business units have adopted cloud computing over the past few years so the security team is now catching up on security monitoring: 38%
Cloud security monitoring requires greater scalability for security data capture, processing, and analysis: 36%
Each cloud infrastructure technology is distinct so we can’t always get consistent security monitoring across diverse cloud infrastructure: 31%
My organization has a limited number of cybersecurity personnel, so cloud security monitoring has placed an additional burden on the existing team: 30%
Monitoring cloud can require lots of work for connecting security monitoring tools to cloud platforms via APIs: 29%
My organization’s cybersecurity team does not have adequate cloud security monitoring skills in place today so we are learning as we go: 28%
Cloud security introduces “blind spots” where we don’t have adequate visibility for security monitoring: 28%
Traditional monitoring tools are not always effective for cloud security monitoring: 26%
We have not experienced any challenges: 4%
Cloud Security Tactics and Strategies
Cloud security is new and different compared to traditional physical or virtual server models. Based upon the ESG
research, it appears that enterprise organizations take a while to internalize these important distinctions. Once this
lesson is learned, however, many organizations adjust their security controls and monitoring so they support the
requirements and nuances of heterogeneous cloud infrastructure. For example, 74% of organizations say that they
have abandoned traditional security policies and technologies because they couldn’t be used effectively for cloud
security (see Figure 6).
FIGURE 6
Cloud Computing Drives the Abandonment of Traditional Security Controls and Processes
Has your organization had to abandon its use of any traditional security policies or technologies because it couldn’t be used effectively for cloud security? (Percent of respondents, N=303)
Yes, we’ve abandoned many traditional security policies or technologies because they couldn’t be used effectively for cloud security: 32%
Yes, we’ve abandoned some traditional security policies or technologies because they couldn’t be used effectively for cloud security: 41%
No, but we are having sufficient problems that may lead us to abandon one or several traditional security policies or technologies because they couldn’t be used effectively for cloud security: 13%
No: 14%
The ESG research indicates that many CISOs are altering their security strategies and turning toward new types of
security controls, monitoring tools, and processes specifically designed for cloud computing. In addition, data
gathered for this project indicates that they are also:
Hiring cloud security architects. A vast majority (87%) of enterprise organizations have
established a new cloud security architect position, but this role is a relatively recent addition
over the last few years. As this role becomes more established, ESG expects gradual maturity in
areas like security operations automation and orchestration, so security can keep up with agile
development and DevOps groups that are often driving cloud computing initiatives.
Changing security requirements. In the past, security professionals tended to judge security
technologies based upon their efficacy—the ability to prevent, detect, or respond to changing
risks or cyber-attacks. While these attributes remain important, cloud computing demands
additional requirements like extensibility, scalability, and openness to a wide variety of cloud
computing infrastructure (see Figure 7).
FIGURE 7
Most Desired Security Attributes for Securing Cloud Infrastructure
What is your organization’s most desired security attribute when it comes to securing cloud infrastructure? (Percent of respondents, N=303)
Extensibility (i.e., ability to extend across heterogeneous infrastructure): 23%
Scalability (i.e., ability to scale up or down appropriately with cloud resources): 21%
Infrastructure-agnostic (i.e., independent of the underlying IT infrastructure): 20%
Manageability: 10%
Pervasiveness (i.e., exists throughout the entire IT environment, from public to on-premises): 8%
Deep visibility (i.e., at application or workload layer): 8%
Stateful (i.e., security policies remain consistent, even as workloads move throughout the IT environment): 7%
Automation: 3%
Growing use of micro-segmentation. More than half (55%) of enterprise organizations are
already using security technologies for micro-segmentation (i.e., the ability to create and
manage granular and virtual network segments in order to limit network communications to
specific sources and destinations). Furthermore, 81% plan to have well-documented formal
processes for micro-segmentation of network traffic between heterogeneous cloud
infrastructure within the next year. Based upon this data, it is safe to categorize
micro-segmentation as a burgeoning best practice for cloud security.
Large organizations have a number of other plans
for cloud security over the next 12 to 24 months.
For example, 47% will determine which security technologies they can begin to eliminate as they use cloud
computing more extensively. This is a clear indication that some legacy security technologies will be replaced by
cloud-ready alternatives designed for extensibility, scalability, and heterogeneous cloud infrastructure support.
Additionally, 43% of organizations plan to classify workloads and then align them with cloud security controls, and
43% will investigate how they can integrate security technologies with cloud APIs (see Figure 8).
FIGURE 8
Cloud Security Plans over the Next 12 to 24 Months
Which of the following activities does your organization have planned for the next 12 to 24 months? (Percent of respondents, N=303, multiple responses accepted)
Determine which security technologies we can begin to eliminate as we use cloud computing more extensively: 47%
Classify workloads and then align them with various cloud computing options based upon their risk profiles: 43%
Investigate how we can integrate our security technologies with cloud APIs: 43%
Provide additional cloud security training for the security staff: 42%
Make changes to the IT organization to enable more collaboration on cloud security between groups: 42%
Align security controls with cloud self-service provisioning: 40%
Invest in new types of security technologies designed for cloud computing: 40%
Develop ways to automate security provisioning that aligns with what we are doing for cloud computing: 38%
Create a service catalogue that aligns security controls with various types of workloads: 30%
Establish a cloud security architect position: 4%
None planned: 2%
The Bigger Truth
Based upon the data presented in this research insight paper, ESG concludes that, while cloud security remains
somewhat immature today, it is developing rapidly as large organizations acquire and deploy cloud-ready security
tools, gain experience protecting cloud workloads, and establish best practices. This ESG research project can also
provide some useful “lessons learned” that may help large organizations avoid some of the pitfalls and challenges
described above. ESG recommends that CISOs:
Establish the right organizational model. Security teams must be organized so they can keep
up with business initiatives and cloud computing models featuring automation, orchestration,
and self-service. To achieve this goal, CISOs will need to improve communications with
business and IT executives, bolster cloud computing training, and hire cloud security architects
who can go toe-to-toe with cloud specialists and DevOps.
Institute appropriate cloud security policies and processes. Cloud security is often an
afterthought for infrastructure teams, forcing the cybersecurity team into a perpetual game of
catch-up. This leads to growing IT risk, since most security departments tend to always be a
few steps behind changes in infrastructure. To bridge this risk gap, large organizations must
ensure that risk and security considerations become inexorably linked with cloud computing
application development, business decisions, provisioning, and management. In other words,
cloud security should be built into heterogeneous cloud projects from their inception rather
than “bolted on” reactively as projects approach their production phase.
Start with comprehensive monitoring for cloud security. Even highly skilled cybersecurity
professionals can’t mitigate risk, detect malicious activity, or respond to security alerts unless
they collect, process, and analyze the right data. Similarly, strong cloud security must start with
continuous monitoring of all workloads and network traffic on heterogeneous public and
private clouds. Armed with comprehensive cloud security analytics, CISOs, IT auditors, and SOC
specialists can make informed and timely decisions when it comes to preventing and
responding to cyber-attacks.
Plan for heterogeneity and massive scale. As the research indicates, large organizations are
using a multitude of different private and public cloud infrastructure platforms today with no
end in sight. Security controls, monitoring, and processing will need to be built for
high-performance and high-throughput to keep up with dynamic workloads, constant mobility, and
massive scale. In this way, organizations can bridge the gap between today’s tactical security
point tools and a more strategic cloud security architecture that can support cloud agility.
Embrace a DevOps cloud security model for security enforcement technologies. To keep up
with the pace of application development and cloud computing, security teams must work
with DevOps on a common lexicon and process automation methodology. This should include
things like workload classification for policy enforcement templates, API integration for
automation and orchestration, a move toward software-based security services, and central
management.
www.esg-global.com
P. 508.482.0188