Last week we announced the results of a survey we conducted at Black Hat. We conducted the survey to better understand the combined impact of cloud infrastructure along with agile development and continuous delivery on enterprise security risk as it pertains to workload vulnerability due to increased scale and dynamics.
Our assumption was that there is a multiplication factor in regards to both scale in the number of workloads that need to be protected as well as the dynamics of how often those workloads need to be modified, updated, or spun up or down. And, that those two factors multiplied together meant an exponential increase in the surface area that security professionals need to protect and monitor. We also wanted to know: What are security teams doing to keep up? Are they hiring at an equivalent pace to the changing scale and dynamics? Are they using automation?
When we asked the infosec community at Black Hat to talk about the impact, their answers confirmed that the scale of cloud infrastructure and the dynamic nature of agile development and continuous delivery has increased the number of server workloads and attackable surface area that require protection and monitoring. At the same time, security staff sizes remain the same, and many are still not automating security controls on cloud workloads.
Here’s What We Found:
But What Does It All Mean?
Adopting cloud infrastructure and agile application delivery creates exponential growth in server workloads, meaning more potentially attackable surface area and more security management overhead. At the same time, organizations rarely increase the size of their security teams at all, much less enough to keep up with the higher scale and pace.
While organizations have started to understand that cloud infrastructure can deliver faster development, deployment, and innovation cycles, many are not thinking about the related impact to security operations. It only takes one compromise to derail adoption of these new technologies and wreck the value they otherwise could have added.
At CloudPassage, our hope is that enterprises seek to protect these investments sooner rather than later by enabling security that’s dynamic, automated and on-demand — in other words: agile security that can harmonize with more broadly agile IT delivery models.
As 451 Group’s Senior Security Analyst Adrian Sanabria told us at Black Hat: “Security has to be built in. It has to be automated. It’s no longer something we deploy manually.”