
Part of the Informa Network, Dark Reading is a trusted online community for cyber security professionals, including CISOs, cyber security researchers and technology specialists. Covering the latest threats, vulnerabilities and cyber attacks, Dark Reading supports community members in keeping up with the latest in the sector.
February 11, 2022



Cloud-based security

Why security pros are frustrated with cloud security

As companies shift more operations to the cloud, a shortfall in security talent and too much security data wastes more than half of the time spent on security issues, a survey finds. Robert Lemos, writing for Dark Reading, reports… 

Companies are struggling to keep up with cloud security, with 55% of security professionals believing at least half their time is wasted, in part because security event data is of uneven quality, which leads to false positives, according to a new report.

According to the report by cloud automation firm Lacework, based on a survey of 500 security practitioners and 200 executives, the vast majority of respondents regularly have to deal with at least a 20% false-positive rate and a third deal with a 50% false-positive rate. The analysts are not alone: Only a third of developers believe that the time spent on security is meaningful, according to the survey.

The outlook of security analysts should be a sign for organisations that they need to change the way they’re securing cloud infrastructure and services, says Mark Nunnikhoven, distinguished cloud strategist at Lacework.

He says: “There is always security work to be done, so if people are doing work that they are finding not meaningful, we need to get the right information to them at the right time so they can do security.

“There is a big disconnect between how organisations view the cloud, how they are using the cloud to try to move forward and innovate faster, and how security is struggling to keep up with traditional approaches.”

COVID to Cloud

Following the start of the coronavirus pandemic, organisations quickly moved operations to the cloud to support their now-distributed workforce. But after two years, companies still have a way to go before moving all of their operations to the cloud, as less than half of respondents (46%) to the Lacework survey considered their most important applications to be cloud-native. However, security professionals see cloud as the future, with almost all believing that every new digital workload will be deployed to a cloud-native platform in 2025.

Yet the shortage of meaningful data from the cloud means that companies lack visibility into their cloud services, infrastructure, and workloads. Jeff Pollard, Vice President and Principal Analyst at Forrester Research, a market research firm, says that gaining that real-time security visibility, so-called “observability,” will be a key challenge for cloud-native companies.

“Cloud apps — especially those that aren’t security related — likely won’t have the type of security details” that are needed, he says. “And that means our existing management and monitoring tools within security operations lack the ability to detect potential security issues beyond rudimentary alerts around authentication, for example.”

The shortage in skilled security professionals continues to haunt the security industry, with cloud and application security skills the most in-demand. In 2020, employment-analytics firm Burning Glass Technologies predicted the demand for cloud security professionals would grow by 115% over five years, and fetch a premium of $15,000, the highest premium for security skills. Only professionals with application security experience were expected to be in greater demand, with a five-year growth rate of 164%, according to the Burning Glass analysis.

Lacework’s Nunnikhoven says that the lack of security professionals meeting the specific cloud-security needs of companies is not necessarily a problem, but an opportunity.

He says: “The gap seems to be getting bigger every year, with people unable to find people with the right security skills.

“I think that it is a problem in the short term, but it might be a blessing in the long term because the lack of a ready pool of capable cybersecurity folks means that we have to rethink how we approach cloud security.”

Most companies are looking for ways to augment their cloud-security operation with machine learning. More than three-quarters of respondents agreed that machine learning has practical applications in security, while less than a quarter dismissed it as a buzzword.

Nunnikhoven argues that both automation and machine-learning models need to be better applied to reduce the workload for security professionals.

He comments: “There is a problem with the quality of the information that we are providing to people, we do not automate nearly enough.”

However, Forrester’s Pollard argues that automating processes without due diligence or considering the potential impact is a recipe for problems. Security operations rely on analytical and investigative steps, and while technology can augment those steps, it cannot entirely replace them, he says.

He concludes: “Where automation can and usually does help is in the tactical, repeatable steps of the analysis and investigation phases.

“These are tactical, repeatable steps that are unlikely to disrupt operations if mistakes are made [and] that analysts often have to wait on to do themselves or switch into multiple interfaces or systems.”

This article first appeared on Dark Reading.

