Tripwire has published the results of a survey on the implementation of cloud security best practices. Conducted by Dimensional Research last month, the survey evaluated the opinions of 310 security professionals.
According to the survey, a number of organisations face shortcomings in monitoring and securing their cloud environments. A majority of security professionals (76%) said they have difficulty maintaining security configurations in the cloud, and 37% said their risk management capabilities in the cloud are worse than in other parts of their environment. Almost all (93%) are concerned about human error causing accidental exposure of their cloud data.
Attackers are known to run automated searches to find sensitive data exposed in the cloud, making it critical for organisations to monitor their cloud security posture on a recurring basis and fix issues immediately. However, Tripwire’s report found that only 21% of organisations assess their overall cloud security posture in real time or near real time. While 21% said they conduct weekly evaluations, 58% do so only monthly or less frequently. Despite widespread worry about human error, 22% still assess their cloud security posture manually.
“Security teams are dealing with much more complex environments, and it can be extremely difficult to stay on top of the growing cloud footprint without having the right strategy and resources in place,” said Tim Erlin, vice president of product management and strategy at Tripwire. “Fortunately, there are well-established frameworks, such as CIS benchmarks, which provide prioritized recommendations for securing the cloud. However, the ongoing work of maintaining proper security controls often goes undone or puts too much strain on resources, leading to human error.”
Most organisations utilize a framework for securing their cloud environments (CIS and NIST being two of the most popular), but only 22% said they are able to maintain continuous cloud security compliance over time. While 91% of organisations have implemented some level of automated enforcement in the cloud, 92% still want to increase their level of automated enforcement.
Additional survey findings show that automation levels varied across cloud security best practices:
Only 51% have automated solutions that ensure proper encryption settings are enabled for databases or storage buckets.
Less than half (45%) automatically assess new cloud assets as they are added to the environment.
A slim majority (51%) have automated alerts with context for suspicious behavior.