DivvyCloud: Cloud and Container Security Lacking

Most enterprises are not equipped to operate in the cloud securely.

Edward Gately, Senior News Editor

April 10, 2020


Zoom faces harsh criticism, investigations and litigation as new questions about lax security practices surface. But a new study shows many enterprises are lacking when it comes to cloud and container security.

The new DivvyCloud report shows nearly one half of developers ignore cloud and container security policies. DivvyCloud surveyed nearly 2,000 IT professionals and compared data to its 2019 report.

Eighty-five percent of enterprises believe public cloud fuels innovation. However, the majority are not equipped to operate in the cloud securely.

Only 40% of organizations using public cloud have an approach to managing cloud and container security.

Only 58% said their organization has clear guidelines and policies for developers building applications and operating in the public cloud. And of those, one in four (25%) said these cloud and container security policies are not enforced. Another 17% confirmed their organization lacks clear guidelines entirely.

Other findings include:

  • Developers and engineers sometimes ignore or circumvent cloud and container security and compliance policies. That’s according to almost half of all respondents whose organizations use public cloud.

  • Forty-two percent do not know which frameworks their company uses to maintain compliance with relevant standards and regulations.


We spoke with Chris DeRamus, DivvyCloud’s CTO and co-founder, to learn more about this lack of cloud and container security.

Channel Futures: If it weren’t for the COVID-19 pandemic, would a lot of these security and privacy issues have gone unnoticed?

Chris DeRamus: The security issues that many companies are experiencing now would have come to light eventually. These vulnerabilities may have been revealed during the crisis, but the underlying problems were there long before they were detected.

CF: So how are organizations being impacted by adopting public cloud without proper security?

CD: As organizations adopt public cloud, they are shifting to a reliance on software-defined infrastructure and also to self-service access. So for the first time, developers now have unfettered access to create and configure their own infrastructure. Due to this transition, the hardened perimeter (firewalls) has disappeared. And now, identity and access management (IAM) has become the new security perimeter. Security is no longer a command and control approach, but a democratized function, involving everyone who interacts with cloud services.

Companies adopt public cloud quickly for its speed and agility, and to remain competitive and innovative in today’s fast-paced business landscape. The problem is, so many are failing to adopt a holistic approach to security. The asynchronous approach by organizations to not implement cloud security strategies at the time of cloud adoption is the reason data breaches caused by cloud misconfigurations continue to dominate headlines, exposing nearly 33.5 billion records.

CF: Who’s paying a price for developers ignoring security policies?

CD: Data breaches caused by cloud misconfigurations are rampant, costing enterprises an estimated $5 trillion in 2018 and 2019 alone. The enterprise is paying a hefty price for not securing their cloud infrastructures, but their customers are also paying as well. The billions of records leaked by cloud misconfigurations in many cases include personally identifiable information of users and customers. This opens up additional opportunities for compromise. Bad actors can leverage this sensitive data to launch spear phishing attacks and/or commit identity theft on individuals.

CF: Does this lack of cloud security point to challenges/opportunities for the channel? Can you give some examples?

CD: For companies and channel partners in the cloud security space, the lack of cloud security points to opportunities. As more and more enterprises adopt cloud and multicloud strategies, driven by eagerness to take advantage of its agility, lack of cloud security expertise often results in engineers and developers bypassing certain security and compliance policies. As they rapidly build innovative apps and services, a common byproduct of bypassing security and compliance policies is data breaches, thanks to misconfigurations and other security errors.

Let’s take the example of working remotely, an issue facing most of us today in the midst of the pandemic. Developers often open up secure shell (SSH) or disable firewalls to gain access to a system they’re working on remotely. [This] is leaving the system open and vulnerable. Similarly, developers may pull a database containing sensitive information for testing purposes. And because it’s not live, they think it’s just a development system. Instead, they end up exposing an inactive database full of sensitive customer information.

As these types of incidents occur, and cyberattacks ramp up, the opportunity comes when organizations are willing to talk to vendors and channel partners about security. A lot of organizations are skeptical of these conversations, in part, for fear of risking innovation for security. It’s up to the cloud security vendors and the channel partners to explain to these organizations why that is a false choice, both for the benefit of the organization and the public good of secure data.

CF: What can organizations do that they haven’t been doing to ensure proper security along with cloud adoption?

CD: Organizations must be able to trust that developers and engineers are provisioning and configuring cloud and container services properly, adhering to the necessary security, compliance and governance policies, and using automation to enable this needed cultural shift.

By implementing automated security solutions that provide continuous enforcement and create a seamless and constant feedback loop for developers and engineers, organizations can significantly remove any perceived barrier between innovation and security.

CF: Does the report point to any progress being made?

CD: In 2018, our annual study found that 11% of organizations had not yet adopted the public cloud. Now 93% of all organizations have reported adoption of the cloud. Furthermore, the majority of organizations that have adopted the cloud are in the final optimization stages of their cloud journey.

The report also found more than two-thirds of all IT professionals believe automation can improve their organization’s cloud security strategy. This is a clear indication that enterprises are realizing that humans are prone to error. [That] is critical given the high rate of change in cloud and container environments.

Bugcrowd Reports Record Growth, $30 Million Funding

Bugcrowd this week announced record year-over-year growth and $30 million in series D funding. That brings the company’s total funding to more than $80 million. The investment round will help Bugcrowd expand its crowdsourced security platform.

For fiscal 2019, Bugcrowd doubled its bookings with the North American enterprise market. It also doubled the number of critical vulnerabilities it submitted to customers.

Rick Beattie, Bugcrowd’s vice president of global sales, says the new funding allows Bugcrowd to “market stronger to and with the partner community globally.”

“Our partner community is extremely important to Bugcrowd, and we are committed to continuing to strengthen the program and community,” he said. “With countless organizations looking to improve their security posture and better manage their risk landscape, having partners who understand the true value and scale of crowdsourced security is very important for Bugcrowd. Through our trusted partner community, Bugcrowd has been able to get to market in a fast and efficient way.”

Bugcrowd’s partners address customers’ cybersecurity needs by growing trust. They also continuously offer new services to help solve critical business and security problems, Beattie said.

“It’s been terrific to see our top security partners looking to sincerely work with customers to understand needs and priorities. Partners collaborate with customers to architect solutions that we stand behind, trust and support,” he said. “Bugcrowd works with the top security partners across the world to ensure they are understanding and utilizing the power of crowdsourced security. This by itself has helped tremendously in fueling our growth and we do not anticipate this slowing down.”

Malwarebytes: Credit Card Skimming Soars During Pandemic

COVID-19 is forcing most people to stay at home. That has led to a jump in online shopping and a sharp rise in credit card skimming.

Web skimming increased by 26% in March over the previous month, according to data from Malwarebytes. And skimming already was accelerating prior to COVID-19. It’s a trend likely to continue into the near future.

Web skimming is the process of stealing customer data, including credit card information, from compromised online stores.


Mike LaPeters is Malwarebytes’ vice president of worldwide MSP and channel operations. He tells Channel Futures the rise in skimming opens doors for MSPs and MSSPs.

“If service providers don’t already provide risk assessments for third-party card-processing services for their customers, they can leverage these types of trends to add additional value to their customers,” he said. “This is also an opportunity for service providers to do a deep dive on all security controls of the customers they manage. [But] card skimming is just the tip of the iceberg. MSPs and MSSPs have the opportunity to deliver additional services such as work-from-home security awareness training, secure connections (VPN, privacy) and more robust endpoint protection to name a few.”

“While many merchants remain safe despite the increased volume in processed transactions, the exposure to compromised e-commerce stores is greater than ever,” said Jerome Segura, Malwarebytes’ director of threat intelligence. “A great number of merchants do not keep their platforms up to date and also fail to respond to security disclosures. Oftentimes, the last recourse to report a breach is to go public and hope that the media attention will bear fruit.”

Untangle, Webroot Extend Partnership

Untangle is expanding its partnership with Webroot to include a product integration between Untangle NG Firewall and Webroot Business Endpoint Protection.

The integration will bring together the two technologies under the Untangle Command Center, providing end-to-end security across any network.

Heather Paunet is Untangle’s vice president of product management. She tells us the integration makes it easier for partners to serve existing and new customers.


“Often a partner has many vendors to work with and many tools that they need to install, maintain and monitor to support their customers,” she said. “With this integration, partners will save time by knowing that two fundamental components of network security work well together, and can be accessed from one cloud-based management tool starting point.”

This integration builds out Untangle’s command center as a central platform for partners to manage multiple deployments, Paunet said.

“Partners will be able to offer customers a much more streamlined solution that includes both a unified threat management gateway solution, the firewall, and an option for the endpoint when off network,” she said. “Being able to offer an end-to-end solution with all components working well together is a lot better than offering disparate, separate solutions with no integration.”

Untangle previously partnered with Webroot to provide security services within NG Firewall.


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
