Cybersecurity professional impressions on cloud-native security

In a recent research survey, my employer ESG asked a panel of 232 security and IT professionals a series of questions about cloud-native security (i.e. security controls, management, and monitoring options built into cloud infrastructure and offered by cloud service providers).  Here are a few of the data points we uncovered:

• Fifty-seven percent of survey respondents believe that the native security controls provided by cloud service providers (CSPs) are sufficient in some but not all cases. In other words, cloud-native security controls must be supplemented with third-party enhancements occasionally or even regularly.  This speak to a need for cloud security managers of managers – especially in enterprise organizations with multi-cloud environments.
• It appears that survey respondents see a master/slave relationship for cloud services and related cloud security controls. More than half (56%) of cybersecurity and IT professionals believe that security controls provided by a CSP should also support other IaaS/PaaS environments.  So, if 75% of my cloud workloads reside on AWS and 25% reside on Azure and GCP, I probably want to control all cloud-resident security controls through an AWS interface rather than control each security domain separately.
• Not surprisingly, 38% of those surveyed say that the use of multiple CSPs tends to require some third-party security controls for central policy and configuration management of distributed (and heterogeneous) cloud-native security controls. Once again, a manager of managers.
• When asked to identify areas where cloud-native security controls need improvement, 32% say network intrusion detection/prevention, 32% say data loss prevention, and 31% say data encryption. Yes, many CSPs can provide controls in these areas but security professionals find these offerings limited and tend to opt for third-party controls with superior feature/functionality.

My takeaway is that cloud-native security controls are often used as a matter of convenience and probably good enough for organizations betting on a single CSP.  This may characterize mid-market organizations, but it is a mismatch for enterprises.  Thus, enterprises will continue to anchor cloud security with third-party security management tools for the foreseeable future.

One final note on cloud-native security.  My esteemed colleague and cloud security guru Doug Cahill and I wanted to put a stake in the ground and find out which of the CSPs is considered the most secure.  According to survey respondents, (drumroll please) it’s Microsoft Azure. 

This may be related to IT history – large organizations have years of experience with Microsoft security infrastructure like Active Directory, and Azure security does a good job of emulating the existing Windows server security model. 

Hmm, perhaps Bill Gate’s trustworthy computing email (January 2002) could ultimately result in the most trustworthy cloud computing service, giving Microsoft a pretty significant market advantage.  Funny how things change.