The Evolution of Cloud Security

Enterprise Strategy Group | Getting to the bigger truth.™

By Jon Oltsik, ESG Senior Principal Analyst

May 2016



All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Contents

Executive Summary

Cloud Computing Momentum in the Enterprise

The State of Cloud Security

Cloud Security Challenges

Cloud Security Tactics and Strategies

The Bigger Truth

© 2016 by The Enterprise Strategy Group, Inc.

This ESG Research paper was commissioned by vArmour and is distributed under license from ESG.


Executive Summary

In early 2016, vArmour commissioned the Enterprise Strategy Group (ESG) to conduct a research survey of 303 IT and cybersecurity professionals with knowledge of or responsibility for cloud security policies, processes, or technologies at enterprise organizations (i.e., more than 1,000 employees).

Survey respondents were located in North America and came from companies ranging in size: 50% of survey respondents worked at organizations with 1,000 to 4,999 employees, 23% worked at organizations with 5,000 to 9,999 employees, 13% worked at organizations with 10,000 to 19,999 employees, and 14% worked at organizations with 20,000 or more employees. Respondents represented numerous industry and government segments with the largest participation coming from manufacturing (20%), retail/wholesale (16%), the financial services industry (15%), and business services (14%).

For the purposes of this research project, ESG provided the following definitions to survey respondents:


Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. These infrastructure resources can be accessed and provisioned via on-premises cloud infrastructure management platforms (e.g., VMware vCloud, OpenStack, etc.) and/or third-party services (e.g., Amazon AWS, Microsoft Azure, etc.). Note that server virtualization technologies like VMware vSphere/ESX, Microsoft Hyper-V, etc. on its own (i.e., without some type of cloud infrastructure management software) is NOT considered to be cloud computing.

Server virtualization technology is defined as software that divides one physical server into multiple isolated virtual environments. This survey focuses specifically on x86 virtualization technologies, by which x86-based guest operating systems are run under another x86-based host operating system running on Intel or AMD hardware platforms.

This research project was intended to assess the current practices and challenges associated with cloud computing security. Furthermore, respondents were asked about future strategic plans intended to improve the efficacy and efficiency of cloud security in the future. Based upon the data collected, this paper concludes:

Enterprise organizations continue to embrace heterogeneous cloud computing options. Large organizations are using a wide variety of public and private cloud infrastructure to host a growing number of production workloads. ESG also sees increasing adoption of a wide range of heterogeneous cloud infrastructure and SDN technologies, including AWS, Azure, Cisco ACI, Google Cloud Platform (GCP), NSX, OpenStack, SoftLayer, and VMware vCloud. The heterogeneous nature of cloud computing introduces numerous management and security complexities.


Traditional security processes and controls can be a mismatch for cloud computing. CISOs often try to bridge the cloud security gap with traditional security processes and controls, but survey respondents report weaknesses in status quo data, host-based, and network security technologies when they are applied to the cloud (i.e., physical firewall and IDS/IPS appliances, DLP gateways, switch- and router-based ACLs, Layer 2 VLANs based upon IEEE 802.1q, etc.). The same holds true with security monitoring, where cloud computing often leads to blind spots or data management issues (i.e., collecting the right data in a timely manner, normalizing different data formats, etc.). Little wonder then that 74% of organizations are replacing traditional security processes and choosing extensible, scalable, and independent security technologies designed for cloud computing.

Cloud computing is driving a multitude of cybersecurity changes. Aside from traditional security process and technology replacement, enterprise organizations are changing security organizations, processes, and plans to accommodate cloud computing security requirements. This transition has already begun and will only gather additional momentum in the months and years to come.

As for cloud computing security “lessons learned,” successful organizations are making organizational changes to improve collaboration between security, DevOps, and data center operations teams, instituting new security policies and processes to keep up with cloud agility, and adding new types of cloud-centric security technologies designed for extensibility, scalability, and support for multiple types of cloud infrastructure.

Cloud Computing Momentum in the Enterprise

Enterprise organizations are no longer simply experimenting with cloud computing. Rather, many large firms are embracing heterogeneous cloud computing in mixed environments and actively moving workloads to public and private clouds. For example, ESG research reveals that:

More than one-third (34%) of organizations have been using public and private cloud services for 3 years or more. As organizations gain additional cloud computing experience, it tends to accelerate their pace of cloud adoption.

More than half of enterprise organizations (57%) are using public and private cloud infrastructure to support production applications and workloads today. This indicates that organizations are growing more comfortable running their own portfolio of cloud-based workloads and that cloud computing has become an essential part of enterprise IT strategy.

One-quarter of IT and cybersecurity professionals report that 40% of their organization’s production applications/workloads run on public cloud infrastructure today and this will only increase in the future.


Enterprises are engaged in numerous other activities in support of cloud computing. For example, 88% are already deploying internal private cloud infrastructure, 66% are using converged or hyper-converged infrastructure solutions, while 69% are using a self-service portal for cloud workload provisioning, configuration management, change management, etc.

Why are large organizations embracing cloud computing at an increasing rate? Reasons vary from aligning enterprise IT with emerging technology innovation, to lowering costs, to aligning IT infrastructure with the increased use of agile development (see Figure 1).

FIGURE 1

Reasons for Using Cloud Computing Infrastructure

What were the main reasons why your organization decided to utilize cloud computing infrastructure when it first made the decision to do so? (Percent of respondents, N=303, multiple responses accepted)

Converting capital costs to operational costs in a “pay as you go” utility model: 26%

Tiered storage options allow us to align the time value of data with cost: 30%

Provide business units with more IT autonomy: 36%

Accelerate application deployment time: 37%

Use cloud computing infrastructure for non-sensitive workload: 38%

On-demand compute resources to meet the variable needs of a particular application: 39%

Use cloud computing for application test and development: 40%

Reduce the number of physical data centers my organization owns and/or operates: 41%

Align our IT infrastructure with our increasing use of agile development: 41%

Lower capital costs: 42%

Lower operating costs: 47%

Align our IT strategy with emerging industry innovation: 50%

The State of Cloud Security

In spite of the uptake of cloud computing, IT and security professionals still believe that security issues continue to impede overall cloud velocity. For example, 51% claim that their organizations are concerned about security risks associated with relying on third-party cloud computing providers, 37% say that their organizations are concerned that cloud computing increases their attack surface, and 36% are concerned about the availability and reliability of public cloud infrastructure.

Aside from the risks associated with cloud computing, security professionals also admit that cloud security presents some inherent organizational challenges. More than half of all enterprises claim that cybersecurity teams, networking teams, and data center infrastructure teams all get involved in creating and managing cloud security policies. These three teams also collaborate on cloud security technology purchases, deployment, and day-to-day operations. Given the relative immaturity of cloud computing, when it comes to securing these implementations properly, security professionals describe communications and collaboration issues between these groups, increasing risk and creating bottlenecks in cloud security processes.

While cloud computing represents a new and distinct model, 92% of organizations approach cloud security with existing security technologies and processes (see Figure 2).

FIGURE 2

Use of Existing Security Technologies and Processes for Cloud Computing

Does your organization use its existing security technology and processes for securing its cloud infrastructure? (Percent of respondents, N=303)

Response options: Yes, extensively; Yes, somewhat; No, but we plan to use our existing security technologies and processes for cloud security in the future; No, but we are interested in using our existing security technologies and processes for cloud security in the future.

Values shown in the chart: 55%, 37%, 2%, 6%.


From a cost and operations perspective, it certainly makes sense to point existing security technologies and processes at new IT initiatives like cloud computing. Unfortunately, these tools and processes were really designed to be used with a traditional static security model (i.e., hardware-centric, perimeter, network-centric, north/south traffic inspection emphasis, etc.) rather than highly dynamic and mobile cloud computing workloads. When asked to identify their least effective traditional security tools for cloud environments, survey respondents pointed to data security technologies (46%), host-based security technologies (46%), and network security technologies (44%, see Figure 3). The research also revealed a general pattern—traditional security skills, processes, and technologies were much more mature than their cloud security counterparts on a consistent basis.

FIGURE 3

Least Effective Traditional Security Technologies for New Requirements Associated with Cloud Security

Which of the following traditional security controls (designed to protect on-premises systems, networks, applications, and data) is least effective for new requirements associated with cloud security? (Percent of respondents, N=303, multiple responses accepted)

None of the above: 4%

SIEM and/or security analytics technologies: 33%

Patch management technologies: 37%

Vulnerability management scanner technologies: 41%

Web application firewalls (WAFs): 42%

Network security technologies (i.e. firewalls, IDS/IPS, gateways, etc.): 44%

Host-based security technologies (i.e. anti-virus, file-integrity monitoring, host-based IDS/IPS, etc.): 46%

Data security technologies (encryption, data loss prevention (DLP), etc.): 46%


Cloud Security Challenges

Aside from security technology controls, survey respondents also called out a variety of cloud security challenges that spanned people, process, and technology. For example, one-third of organizations point to problems in areas such as their ability to provision security controls to new workloads in the cloud, their ability to assess the overall security of cloud infrastructure, their ability to monitor workloads across clouds, and their ability to monitor regulatory compliance while using cloud computing infrastructure effectively (see Figure 4).

FIGURE 4

Cloud Security Challenges

Which of the following represent the biggest cloud security challenges at your organization? (Percent of respondents, N=303, five responses accepted)

None of the above – we don’t have any cloud security challenges: 3%

Ability to segment network traffic: 26%

Ability to conduct forensic investigations on cloud resources: 26%

Ability to monitor who provisions or changes cloud-based infrastructure: 26%

Ability to build a risk model to assess which workloads can move to the cloud and which should remain on-premises: 30%

Ability to build a tiered cloud consumption model that aligns different cloud options with the sensitivity of individual workloads: 30%

Ability to collect, process, and analyze security data related to cloud infrastructure: 31%

Ability to protect workloads across clouds: 31%

Ability to monitor network traffic patterns for anomalous/suspicious behavior: 32%

Ability to maintain regulatory compliance while using cloud computing infrastructure effectively: 33%

Ability to monitor workloads across clouds: 34%

Ability to assess the overall security status of cloud infrastructure: 34%

Ability to provision security controls to new workloads in the cloud: 34%


Note that many responses in Figure 4 were related to challenges with cloud security monitoring. ESG wanted to dig a bit further into this topic so we asked survey respondents to identify specific challenges with cloud security monitoring as well. As Figure 5 illustrates, security professionals have a long list of cloud security monitoring challenges, including organizational challenges, scalability challenges, technology challenges, and skills challenges.

As the old business axiom goes, “you can’t manage what you can’t measure.” As the ESG survey concludes, this is a real problem for large organizations where cloud security monitoring remains a work-in-progress. Smart CISOs will address these types of cloud security monitoring challenges, attain situational awareness of all activities happening in heterogeneous clouds, and then use data analysis to mitigate risk, apply controls, and drive security investigations.

FIGURE 5

Cloud Security Monitoring Challenges

Which of the following challenges has your organization experienced with regard to monitoring the security of applications, workloads, and data residing on cloud infrastructure? (Percent of respondents, N=298, three responses accepted)

We have not experienced any challenges: 4%

Traditional monitoring tools are not always effective for cloud security monitoring: 26%

Cloud security introduces “blind spots” where we don’t have adequate visibility for security monitoring: 28%

My organization’s cybersecurity team does not have adequate cloud security monitoring skills in place today so we are learning as we go: 28%

Monitoring cloud can require lots of work for connecting security monitoring tools to cloud platforms via APIs: 29%

My organization has a limited number of cybersecurity personnel, so cloud security monitoring has placed an additional burden on the existing team: 30%

Each cloud infrastructure technology is distinct so we can’t always get consistent security monitoring across diverse cloud infrastructure: 31%

Cloud security monitoring requires greater scalability for security data capture, process, and analysis: 36%

Various IT and/or business units have adopted cloud computing over the past few years so the security team is now catching up on security monitoring: 38%


Cloud Security Tactics and Strategies

Cloud security is new and different compared to traditional physical or virtual server models. Based upon the ESG research, it appears that enterprise organizations take a while to internalize these important distinctions. Once this lesson is learned, however, many organizations adjust their security controls and monitoring so they support the requirements and nuances of heterogeneous cloud infrastructure. For example, 74% of organizations say that they have abandoned traditional security policies and technologies because they couldn’t be used effectively for cloud security (see Figure 6).

FIGURE 6

Cloud Computing Drives the Abandonment of Traditional Security Controls and Processes

Has your organization had to abandon its use of any traditional security policies or technologies because it couldn’t be used effectively for cloud security? (Percent of respondents, N=303)

Response options:

Yes, we’ve abandoned many traditional security policies or technologies because they couldn’t be used effectively for cloud security

Yes, we’ve abandoned some traditional security policies or technologies because they couldn’t be used effectively for cloud security

No, but we are having sufficient problems that may lead us to abandon one or several traditional security policies or technologies because they couldn’t be used effectively for cloud security

No

Values shown in the chart: 32%, 41%, 13%, 14%.

The ESG research indicates that many CISOs are altering their security strategies and turning toward new types of security controls, monitoring tools, and processes specifically designed for cloud computing. In addition, data gathered for this project indicates that they are also:

Hiring cloud security architects. A vast majority (87%) of enterprise organizations have established a new cloud security architect position but this role is a relatively recent addition over the last few years. As this role becomes more established, ESG expects gradual maturity in areas like security operations automation and orchestration, so security can keep up with agile development and DevOps groups that are often driving cloud computing initiatives.

Changing security requirements. In the past, security professionals tended to judge security technologies based upon their efficacy—the ability to prevent, detect, or respond to changing risks or cyber-attacks. While these attributes remain important, cloud computing demands additional requirements like extensibility, scalability, and openness to a wide variety of cloud computing infrastructure (see Figure 7).


FIGURE 7

Most Desired Security Attributes for Securing Cloud Infrastructure

What is your organization’s most desired security attribute when it comes to securing cloud infrastructure? (Percent of respondents, N=303)

Extensibility (i.e., ability to extend across both heterogeneous infrastructure): 23%

Scalability (i.e., ability to scale up or down appropriately with cloud resources): 21%

Infrastructure-agnostic (i.e., independent of the underlying IT infrastructure): 20%

Manageability: 10%

Pervasiveness (i.e., exists throughout entire IT environment - from public to on-premises): 8%

Deep visibility (i.e., at application or workload layer): 8%

Stateful (i.e., security policies maintain consistent, even as they move throughout the IT environment): 7%

Automation: 3%

Growing use of micro-segmentation. More than half (55%) of enterprise organizations are already using security technologies for micro-segmentation (i.e., the ability to create and manage granular and virtual network segments in order to limit network communications to specific sources and destinations). Furthermore, 81% plan to have well documented formal processes for micro-segmentation of network traffic between heterogeneous cloud infrastructure within the next year. Based upon this data, it is safe to categorize micro-segmentation as a burgeoning best practice for cloud security.


Large organizations have a number of other plans for cloud security over the next 12 to 24 months. For example, 47% will determine which security technologies they can begin to eliminate as they use cloud computing more extensively. This is a clear indication that some legacy security technologies will be replaced by cloud-ready alternatives designed for extensibility, scalability, and heterogeneous cloud infrastructure support. Additionally, 43% of organizations plan to classify workloads and then align them with cloud security controls, and 43% will investigate how they can integrate security technologies with cloud APIs (see Figure 8).

FIGURE 8

Cloud Security Plans over the Next 12 to 24 Months

Which of the following activities does your organization have planned for the next 12 to 24 months? (Percent of respondents, N=303, multiple responses accepted)

None planned: 2%

Establish a cloud security architect position: 4%

Create a service catalogue that aligns security controls with various types of workloads: 30%

Develop ways to automate security provisioning that aligns with what we are doing for cloud computing: 38%

Invest in new types of security technologies designed for cloud computing: 40%

Align security controls with cloud self-service provisioning: 40%

Make changes to the IT organization to enable more collaboration on cloud security between groups: 42%

Provide additional cloud security training for the security staff: 42%

Investigate how we can integrate our security technologies with cloud APIs: 43%

Classify workloads and then align them with various cloud computing options based upon their risk profiles: 43%

Determine which security technologies we can begin to eliminate as we use cloud computing more extensively: 47%


The Bigger Truth

Based upon the data presented in this research insight paper, ESG concludes that, while cloud security remains somewhat immature today, it is developing rapidly as large organizations acquire and deploy cloud-ready security tools, gain experience protecting cloud workloads, and establish best practices. This ESG research project can also provide some useful “lessons learned” that may help large organizations avoid some of the pitfalls and challenges described above. ESG recommends that CISOs:

Establish the right organizational model. Security teams must be organized so they can keep up with business initiatives and cloud computing models featuring automation, orchestration, and self-service. To achieve this goal, CISOs will need to improve communications with business and IT executives, bolster cloud computing training, and hire cloud security architects who can go toe-to-toe with cloud specialists and DevOps.

Institute appropriate cloud security policies and processes. Cloud security is often an afterthought for infrastructure teams, forcing the cybersecurity team into a perpetual game of catch-up. This leads to growing IT risk, since most security departments tend to always be a few steps behind changes in infrastructure. To bridge this risk gap, large organizations must ensure that risk and security considerations become inexorably linked with cloud computing application development, business decisions, provisioning, and management. In other words, cloud security should be built into heterogeneous cloud projects from their inception rather than “bolted on” reactively as projects approach their production phase.

Start with comprehensive monitoring for cloud security. Even highly skilled cybersecurity professionals can’t mitigate risk, detect malicious activity, or respond to security alerts unless they collect, process, and analyze the right data. Similarly, strong cloud security must start with continuous monitoring of all workloads and network traffic on heterogeneous public and private clouds. Armed with comprehensive cloud security analytics, CISOs, IT auditors, and SOC specialists can make informed and timely decisions when it comes to preventing and responding to cyber-attacks.

Plan for heterogeneity and massive scale. As the research indicates, large organizations are using a multitude of different private and public cloud infrastructure platforms today with no end in sight. Security controls, monitoring, and processing will need to be built for high-performance and high-throughput to keep up with dynamic workloads, constant mobility, and massive scale. In this way, organizations can bridge the gap between today’s tactical security point tools and a more strategic cloud security architecture that can support cloud agility.

Embrace a DevOps cloud security model for security enforcement technologies. To keep up with the pace of application development and cloud computing, security teams must work with DevOps on a common lexicon and process automation methodology. This should include things like workload classification for policy enforcement templates, API integration for automation and orchestration, a move toward software-based security services, and central management.

www.esg-global.com [email protected] P. 508.482.0188

© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.