Most cloud moves found rushed as adopters underrate associated risks: Report

A new study on the current state of cloud-native security found that a considerable number of cloud adopters do not understand the security risks of moving legacy applications to the cloud, opening themselves to a number of cloud-based attacks.

The study conducted by cybersecurity firm, Venafi, surveyed 800 security and IT leaders in organizations spanning four countries — the US, the UK, Germany, and France. The study was performed to examine the top threats and challenges currently facing cloud-native security.

“Application development teams are moving faster and faster to keep their businesses in the lead, turning to strategies like containerization and micro-services, which have made rapid-fire application enhancements a reality,” said the Venafi report. “In many cases, cloud-native security is lagging behind, and there is little clarity on who should own the security function within engineering, platform, and development teams.”

The report noted that this lack of clarity is a huge problem when it comes to securing machine identities — the authenticators that secure communications and connections within a cluster of containers — as they serve as the foundation of cloud-native security.

“Despite their relative importance, the application of machine identities in cloud-native implementations — such as service meshes, software supply chain security, and code signing of development artifacts — is often misunderstood,” the report added.

Rushed cloud adoption has cost and security implications

The respondents in the study revealed they are rapidly shifting to the cloud to do away with the lengthy application development and release cycles as they can’t afford to wait around for critical new features. Eighty-seven percent of the respondents said they have moved their legacy applications to the cloud.

However, there is a major gap in understanding the security implications of this transition with more than half (59%) of the respondents saying they did not understand the security risks that accompanied shifting legacy applications to the cloud. Another 53% admitted to having just lifted and shifted to the cloud with most of the application code remaining the same.

Another drawback of blindly moving things to the cloud was found to be the cost associated with the move. “Fifty-two percent have suffered from cloud sprawl and bill shock since moving legacy applications to the cloud,” said the report. “Seventy-seven percent of those impacted by cloud sprawl and bill shock have reconsidered moving applications to the cloud.”

Another key trend noticed was that the race to the cloud has made containerization a popular choice among the developers with 84% of survey respondents believing that Kubernetes will soon be the main platform used to develop all applications. As the use of Kubernetes increases and matures, the complexity of cloud-native strategies is becoming more apparent.

Kubernetes brings more challenges

Respondents agreed to a degree of uncertainty when it came to Kubernetes adoption, with 75% of respondents believing the speed and complexity of Kubernetes and containers create new security blind spots.

Other key issues with moving to containerization included challenges applying patches (43%), vulnerabilities caused by misconfigurations (41%), outages due to poorly managed certificates (32%), and failed security audits (22%).

Fifty-nine percent of the respondents said they experienced security issues within Kubernetes or container environments. The leading causes for these issues included network breaches (42%), API vulnerabilities (41%), and certificate misconfiguration (39%).

Certificate misconfiguration — a machine identity challenge — proved to be a more significant concern in the US at 45%. Moreover, 68% of respondents said developers sometimes don’t use certificates because issuance adds friction to developer processes.

Despite the challenges accompanying machine identities, 88% of respondents said they believe the concept of machine identity is essential to the success of zero-trust models. However, ownership still remains unclear for machine identity management, with 74% worrying that developers are challenged with several conflicting priorities, so security is not always top of mind.