• United States



Contributing Writer

Cybersecurity professional impressions on cloud-native security

Oct 31, 20183 mins
Cloud SecuritySecurity

Organization use cloud-native security controls, but they really want central management for cloud security across heterogeneous clouds

10 cloud security breach virtualization wireless
Credit: Getty Images

In a recent research survey, my employer ESG asked a panel of 232 security and IT professionals a series of questions about cloud-native security (i.e. security controls, management, and monitoring options built into cloud infrastructure and offered by cloud service providers).  Here are a few of the data points we uncovered:

  • Fifty-seven percent of survey respondents believe that the native security controls provided by cloud service providers (CSPs) are sufficient in some but not all cases. In other words, cloud-native security controls must be supplemented with third-party enhancements occasionally or even regularly.  This speak to a need for cloud security managers of managers – especially in enterprise organizations with multi-cloud environments.
  • It appears that survey respondents see a master/slave relationship for cloud services and related cloud security controls. More than half (56%) of cybersecurity and IT professionals believe that security controls provided by a CSP should also support other IaaS/PaaS environments.  So, if 75% of my cloud workloads reside on AWS and 25% reside on Azure and GCP, I probably want to control all cloud-resident security controls through an AWS interface rather than control each security domain separately.
  • Not surprisingly, 38% of those surveyed say that the use of multiple CSPs tends to require some third-party security controls for central policy and configuration management of distributed (and heterogeneous) cloud-native security controls. Once again, a manager of managers.
  • When asked to identify areas where cloud-native security controls need improvement, 32% say network intrusion detection/prevention, 32% say data loss prevention, and 31% say data encryption. Yes, many CSPs can provide controls in these areas but security professionals find these offerings limited and tend to opt for third-party controls with superior feature/functionality.

My takeaway is that cloud-native security controls are often used as a matter of convenience and probably good enough for organizations betting on a single CSP.  This may characterize mid-market organizations, but it is a mismatch for enterprises.  Thus, enterprises will continue to anchor cloud security with third-party security management tools for the foreseeable future.

One final note on cloud-native security.  My esteemed colleague and cloud security guru Doug Cahill and I wanted to put a stake in the ground and find out which of the CSPs is considered the most secure.  According to survey respondents, (drumroll please) it’s Microsoft Azure. 

This may be related to IT history – large organizations have years of experience with Microsoft security infrastructure like Active Directory, and Azure security does a good job of emulating the existing Windows server security model. 

Hmm, perhaps Bill Gate’s trustworthy computing email (January 2002) could ultimately result in the most trustworthy cloud computing service, giving Microsoft a pretty significant market advantage.  Funny how things change. 

Contributing Writer

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.

More from this author